Google offers an application for Android called “Google Authenticator” which is used to set up two-factor authentication (2FA). The application generates the standard OTP codes that are commonly used as the second factor.
It appears that Google Authenticator allows screenshots to be taken of OTP codes. The implication is that if a user’s device ends up running a rogue app, that app can capture every generated OTP code as it is displayed by Google Authenticator, and thus break two-factor authentication.
[EDITED 2020-03-23: This is only true for rogue apps with screenshot permissions (MediaProjection), not for those using accessibility (a11y) permissions.
This distinction matters because many such rogue apps use Android accessibility to scrape the screens of running apps. However, FLAG_SECURE may prevent that behavior even via accessibility permissions, although more research is needed to confirm that.]
UPDATE (2020-03-03): Disclosed publicly because of recent media reports
UPDATE #2 (2020-03-04): Multiple people noted that Microsoft Authenticator has the same issue. We blogged about that back in 2018 and the issue remains unfixed.
UPDATE #3 (2020-03-23): Although FLAG_SECURE may protect against malicious apps using the MediaProjection APIs, as per the comment below from Yanick Fratantonio and his blog post, it does not protect against attacks using accessibility services. See our follow-up post here.
Steps to Replicate
To replicate, try the following:
- Open the application.
- Add an account.
- Press Power + Volume Down at any sensitive screen and observe a screenshot being taken.
The underlying reason is that the app does not set “FLAG_SECURE” on such screens (more information on FLAG_SECURE can be found in our earlier blog post). By contrast, many Android apps with higher security requirements use it.
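As an added illustration of the fix described above (this is example code written for this post, not Google Authenticator’s source), the following Android Activity sets FLAG_SECURE on its window before any OTP is drawn. The activity, layout and dialog names are hypothetical; the API calls (Window.setFlags, Window.addFlags, WindowManager.LayoutParams.FLAG_SECURE) are the real Android framework ones.

```java
import android.app.Activity;
import android.app.AlertDialog;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;

/**
 * Hypothetical screen that displays a time-based OTP code.
 * The only security-relevant line is the setFlags() call in onCreate():
 * with FLAG_SECURE set, the system refuses Power+VolumeDown screenshots,
 * MediaProjection screen capture and recents thumbnails for this window.
 */
public class OtpDisplayActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Must run before setContentView(): the window is marked secure
        // before the first frame containing the OTP is ever composited.
        getWindow().setFlags(
                WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);

        setContentView(R.layout.activity_otp_display); // hypothetical layout
    }

    /**
     * FLAG_SECURE is per-Window, not per-app. Any dialog or popup that also
     * shows the code has its own Window and must be secured separately.
     */
    private void showCodeInDialog(String otpCode) {
        AlertDialog dialog = new AlertDialog.Builder(this)
                .setTitle("Your code")
                .setMessage(otpCode)
                .setPositiveButton(android.R.string.ok, null)
                .create();

        Window dialogWindow = dialog.getWindow();
        if (dialogWindow != null) {
            dialogWindow.addFlags(WindowManager.LayoutParams.FLAG_SECURE);
        }
        dialog.show();
    }
}
```

Two practical notes: the flag must be set on every window that renders the code (the main activity, any dialog, and any widget or notification surface you control), and, as the 2020-03-23 update above records, FLAG_SECURE only blocks pixel capture; an accessibility service that reads the view hierarchy still sees the OTP text, so it is a mitigation for screenshot-based theft, not a complete defense against malicious apps.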
We filed a bug report with the vendor (Google) and the vendor filed an internal bug. The vendor never informed us whether the bug was fixed. Testing on the most recent version reveals that the bug is still present.
- GitHub issue filed by someone else – see here
- Google Play link to the app – see here
- Google Security Case # 8-2193000017345
- Our earlier blog post about FLAG_SECURE on Android – see here
- ZDNet report regarding Cerberus malware attacking this app – see here
- 2014-10-10: GitHub issue filed by someone else
- 2017-05-10: Issue filed with the vendor, triaged and bug filed
- 2017-05-11: Follow-up discussion regarding other vendor apps
- 2017-05-12: Response regarding bounty received
- 2020-02-27: Media story regarding malware targeting this app
- 2020-03-03: Public disclosure
- 2020-03-04: Added comment regarding Microsoft Authenticator
- 2020-03-23: Added clarification regarding screenshot permissions and accessibility permissions