
Google Authenticator screenshot bug could be a potential security risk

Google Authenticator (Image credit: Android Central)

What you need to know

  • A bug in the Google Authenticator app reportedly allows its one-time passcodes (OTPs) to be captured in screenshots.
  • Security researchers recently reported that the "Cerberus" Android malware can steal one-time codes generated by Google Authenticator.
  • Google has been notified of the vulnerability, but it has not yet been fixed.

Security researchers at Dutch mobile security firm ThreatFabric claimed in a report last month that the latest version of the Android banking trojan Cerberus can steal one-time passcodes (OTPs) generated by Google Authenticator and similar apps. The folks at Nightwatch Cybersecurity have now uncovered another weakness that malicious apps could use to steal one-time passcodes from Google Authenticator.

The report published by Nightwatch Cybersecurity says that rogue apps on an Android device could harvest every OTP the Google Authenticator app displays, because the app allows its screen to be captured. It notes that several rogue apps already abuse Android accessibility features to pull screenshots of running apps. An app can prevent this by setting "FLAG_SECURE" on its windows, but Google Authenticator sadly does not set the flag.

Android apps and certain platform services can capture the screens of other running apps through the MediaProjection API, which is the same path that screen recording uses. When a window carries WindowManager.LayoutParams.FLAG_SECURE, the system treats its contents as secure: the window is excluded from screenshots and screen recording and is not shown on non-secure displays. Two caveats matter in practice. The flag is per window, so a dialog or other secondary window that shows a code needs it too. And the flag only blocks pixel capture; it does not hide the text of a view from an accessibility service that has been granted permission to read window content.
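Below is an added example, written for this page and not taken from Google Authenticator's source or the Nightwatch report, showing what the missing hardening looks like in an Android app. The Activity sets FLAG_SECURE on its own window before attaching content, and applies it again to a Dialog, which has a separate window. The layout and view identifiers (R.layout.activity_otp, R.layout.dialog_otp, R.id.otp_code) and the hard-coded demo secret are assumptions for illustration; the TOTP helper follows RFC 6238 with HMAC-SHA1, the scheme Google Authenticator uses by default.

```kotlin
// Added example (not Google Authenticator's own code): an Activity that shows a
// TOTP code and opts its windows out of screenshots and screen recording.
// Layout/view ids and the demo secret below are hypothetical.
import android.app.Dialog
import android.os.Bundle
import android.view.WindowManager
import android.widget.TextView
import androidx.appcompat.app.AppCompatActivity
import java.nio.ByteBuffer
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

class OtpActivity : AppCompatActivity() {

    // Constructed demo secret (ASCII "12345678901234567890", the RFC 6238 test key).
    private val demoSecret = "12345678901234567890".toByteArray(Charsets.US_ASCII)

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // Set FLAG_SECURE before any content is attached. The window is then
        // excluded from screenshots, screen recording and MediaProjection
        // capture, and is blanked in the recents/overview screen.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )

        setContentView(R.layout.activity_otp)                 // hypothetical layout
        findViewById<TextView>(R.id.otp_code).text = totp(demoSecret)
    }

    // A Dialog owns its own window, which does not inherit the Activity's flags.
    // Anything sensitive shown in a dialog therefore needs the flag as well.
    fun showCodeDialog(code: String): Dialog {
        val dialog = Dialog(this)
        dialog.window?.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        dialog.setContentView(R.layout.dialog_otp)            // hypothetical layout
        dialog.findViewById<TextView>(R.id.otp_code).text = code
        dialog.show()
        return dialog
    }

    // RFC 6238 TOTP over HMAC-SHA1: counter = floor(unixTime / timeStep),
    // dynamic truncation of the HMAC, then the last `digits` decimal digits.
    fun totp(secret: ByteArray, timeStep: Long = 30, digits: Int = 6,
             nowSeconds: Long = System.currentTimeMillis() / 1000): String {
        val counter = nowSeconds / timeStep
        val msg = ByteBuffer.allocate(8).putLong(counter).array()
        val mac = Mac.getInstance("HmacSHA1")
        mac.init(SecretKeySpec(secret, "HmacSHA1"))
        val hash = mac.doFinal(msg)

        val offset = hash[hash.size - 1].toInt() and 0x0f
        val binary = ((hash[offset].toInt() and 0x7f) shl 24) or
            ((hash[offset + 1].toInt() and 0xff) shl 16) or
            ((hash[offset + 2].toInt() and 0xff) shl 8) or
            (hash[offset + 3].toInt() and 0xff)

        var modulus = 1
        repeat(digits) { modulus *= 10 }
        return (binary % modulus).toString().padStart(digits, '0')
    }
}
```

A quick way to check the flag is doing its job on a test device: run the Activity, then capture the screen with `adb shell screencap -p /sdcard/otp.png` and pull the file. With FLAG_SECURE set, the secured window comes out black; without it, the code is readable in the image. Remember that this check only covers pixel capture, not what an accessibility service can read from the view tree.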

A bug report detailing the issue has been submitted to Google, but it has not yet been fixed. The bug is still present in the latest version of the Authenticator app.

Babu Mohan
News Writer
1 Comment
  • Authy tweeted about the Cerberus malware and stated that the app doesn't allow screen grabbing of sensitive data. Presumably this means they're using FLAG_SECURE.
    https://twitter.com/Authy/status/1233461985829883904?s=19