Affiliate links on Android Authority may earn us a commission.Learn more.
Report: New Android malware can steal 2FA codes from Google Authenticator
June 17, 2025
Two-factor authentication(2FA) is one of the best ways to protect your accounts and services, andGoogle Authenticatoris arguably the most popular app in this regard.
Unfortunately, a new form of Android malware is capable of stealing 2FA codes from Google’s app, according to a report by security firmThreatfabric(viaZDNet). According to the report, a variant of the Cerberus banking trojan emerged with this ability in January 2020.
“Abusing the Accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application. When the app is running, the Trojan can get the content of the interface and can send it to the C2 [command and control – ed] server. Once again, we can deduce that this functionality will be used to bypass authentication services that rely on OTP codes,” reads an excerpt of the report.
Threatfabric notes that the new malware feature isn’t being advertised on underground forums just yet, suggesting that this capability is still in testing. The firm says it still presents a major threat to online banking services though. But this could also be a massive threat to other accounts and services that use 2FA, such as email, Google accounts, and more.
Two-factor authentication apps like Google Authenticator are generally considered to be more secure than SMS-based 2FA. Two factor codes via text message can be intercepted, and there have indeed been numerous cases ofSIM swap fraudthat allows criminal actors to gain these codes.
Nevertheless, we hope to see Google shore up Android’s defenses against this malware, as it likely affects other 2FA apps as well. But hopefully it doesn’t mean similarly drastic measures like it took withSMS and calling permissions.
Thank you for being part of our community. Read ourComment Policybefore posting.
