Google offers an Android application called “Google Authenticator” that is used to set up two-factor authentication (2FA). The application generates standard one-time password (OTP) codes, which are typically used as the second factor.
It appears that Google Authenticator allows screenshots to be taken of the screens that display OTP codes. The implication is that if a user’s device ends up running a rogue app that can capture the screen, that app can record every generated OTP code as the authenticator displays it, and thus defeat the second factor.
[EDITED 2020-03-23: The capture described here is only possible for rogue apps that hold screenshot permissions (the MediaProjection API). Many such rogue apps instead use Android accessibility (a11y) permissions to read the contents of running apps, and FLAG_SECURE does not prevent that; see UPDATE #3 below and our follow-up post.]
UPDATE (2020-03-03): Disclosed publicly because of recent media reports
UPDATE #2 (2020-03-04): Multiple people noted that Microsoft Authenticator has the same issue. We blogged about that back in 2018 and the issue remains unfixed.
UPDATE #3 (2020-03-23): FLAG_SECURE protects against malicious apps that capture the screen through the MediaProjection APIs; however, as Yanick Fratantonio points out in the comment below and in his blog post, it does not protect against attacks using accessibility services. See our follow-up post here.
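To make the caveat in UPDATE #3 concrete, the following is an added illustration (not code from this post, from Google Authenticator, or from the proof of concept linked in the comments) of why an accessibility service is unaffected by FLAG_SECURE: the service is handed the foreground window's view hierarchy as text, so it never needs the pixels that FLAG_SECURE withholds. The class name, log tag and the assumed six-digit code layout are hypothetical.

```kotlin
import android.accessibilityservice.AccessibilityService
import android.util.Log
import android.view.accessibility.AccessibilityEvent
import android.view.accessibility.AccessibilityNodeInfo

// Added illustration of the a11y caveat (not the linked PoC and not real
// malware). An accessibility service receives the foreground window's view
// hierarchy, including each node's text. FLAG_SECURE only blocks pixel
// capture (screenshots, screen recording, MediaProjection), so a window that
// sets it still exposes its text through this path.
class WindowTextReaderService : AccessibilityService() {

    override fun onAccessibilityEvent(event: AccessibilityEvent) {
        // A root node is only available when the service XML declares
        // canRetrieveWindowContent="true" and the user has enabled the service.
        val root = rootInActiveWindow ?: return
        for (code in findOtpLikeText(root)) {
            Log.d(TAG, "code-like text in ${event.packageName}: $code")
        }
    }

    override fun onInterrupt() { /* nothing to clean up */ }

    companion object {
        private const val TAG = "WindowTextReader" // hypothetical tag

        // Assumed display format: six digits, optionally split as "123 456",
        // which is how authenticator apps commonly render a code.
        private val OTP_LIKE = Regex("""^\d{3}\s?\d{3}$""")

        // Depth-first walk over the node tree, collecting every node whose
        // text or content description looks like a six-digit code.
        fun findOtpLikeText(node: AccessibilityNodeInfo): List<String> {
            val found = mutableListOf<String>()
            for (c in listOfNotNull(node.text, node.contentDescription)) {
                val s = c.toString().trim()
                if (OTP_LIKE.matches(s)) found += s
            }
            for (i in 0 until node.childCount) {
                val child = node.getChild(i) ?: continue
                found += findOtpLikeText(child)
            }
            return found
        }
    }
}
```

The service has to be declared in the manifest with the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission and an accessibility configuration XML that sets `android:canRetrieveWindowContent="true"` and the event types to receive, and the user must enable it under the device's Accessibility settings. That enablement step is the permission the malware mentioned in this post tricks victims into granting; nothing the target app does with FLAG_SECURE changes what the service receives afterwards.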
Steps to Replicate
To replicate, try the following:
- Open the application.
- Add an account.
- Press Power + Volume Down at any sensitive screen (such as the main screen that lists the codes) and observe a screenshot being saved. A window that sets FLAG_SECURE would instead produce a notice that the screenshot could not be taken.
The underlying reason is that the app does not set “FLAG_SECURE” on such screens (more information on FLAG_SECURE can be found in our earlier blog post). By contrast, many Android apps with higher security requirements use it.
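For reference, this is what setting the flag looks like. The following is an added example written for this post, not Google Authenticator's code; the activity and layout names, view IDs and the placeholder code value are hypothetical.

```kotlin
import android.app.Activity
import android.app.AlertDialog
import android.os.Bundle
import android.view.Window
import android.view.WindowManager.LayoutParams.FLAG_SECURE
import android.widget.TextView

// Added example, not Google Authenticator's code: an Activity that shows a
// one-time code and marks its window secure, so the framework refuses
// screenshots, screen recording and MediaProjection capture of it.
class OtpDisplayActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Set the flag before the window is first drawn, i.e. before
        // setContentView, so no frame containing the code is capturable.
        window.setFlags(FLAG_SECURE, FLAG_SECURE)
        // Hypothetical layout and view IDs.
        setContentView(R.layout.activity_otp_display)
        findViewById<TextView>(R.id.otp_code).text = currentCode()
    }

    // FLAG_SECURE is per window. A Dialog has its own window, so a code
    // shown in a dialog needs the flag on the dialog's window as well.
    fun showCodeInDialog() {
        val dialog = AlertDialog.Builder(this)
            .setTitle("Your code")
            .setMessage(currentCode())
            .create()
        dialog.window?.setFlags(FLAG_SECURE, FLAG_SECURE)
        dialog.show()
    }

    // Constructed placeholder; a real app derives this per RFC 6238 (TOTP).
    private fun currentCode(): String = "123456"
}

// Self-check usable from an instrumented test or a debug assertion:
// true only when the window carries FLAG_SECURE.
fun Window.isSecure(): Boolean = (attributes.flags and FLAG_SECURE) != 0
```

With the flag set, the Power + Volume Down step above produces a notice that the screenshot could not be taken instead of an image, and the app's thumbnail in the recent-apps view is blanked. The flag has no effect on copy/paste, and, as noted in the updates above, none on accessibility services.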
Vendor Response
We filed a bug report with the vendor (Google) and the vendor filed an internal bug. The vendor never informed us whether the bug was fixed. Testing on the most recent version reveals that the bug is still present.
References
- GitHub issue filed by someone else – see here
- Google Play link to the app – see here
- Google Security Case # 8-2193000017345
- Our earlier blog post about FLAG_SECURE on Android – see here
- ZDNet report regarding Cerberus malware attacking this app – see here
Timeline
- 2014-10-10: GitHub issue filed by someone else
- 2017-05-10: Issue filed with the vendor, triaged and bug filed
- 2017-05-11: Follow-up discussion regarding other vendor apps
- 2017-05-12: Response regarding bounty received
- 2020-02-27: Media story regarding malware targeting this app
- 2020-03-03: Public disclosure
- 2020-03-04: Added comment regarding Microsoft Authenticator
- 2020-03-23: Added clarification regarding screenshot permissions and accessibility permissions
Microsoft Authenticator has the same problem; you can take screenshots…
Yep, we blogged about this before:
https://wwws.nightwatchcybersecurity.com/2018/09/05/microsoft-authenticator-for-android-allows-screen-capture/
Hi there. You wrote “using FLAG_SECURE prevents that behavior even via accessibility permissions.” but I’m not sure that’s true. To the best of my knowledge, FLAG_SECURE protects from screenshots, not from a11y. I’ve tried to clarify things in this twitter thread: https://twitter.com/reyammer/status/1237093553421115393
Our limited testing suggests otherwise, we suspect there may be a difference in implementations between different Android OS versions and vendors. We would have to dig deeper to find out more.
Interesting! Can you share some details about which Android OS / vendor you tried with? I gave a quick look at AOSP codebase, and FLAG_SECURE really seems unrelated to a11y. If other vendors do protect from it, it would be a very interesting finding. In the meantime, I wrote a quick blog post (https://reyammer.io/blog/2020/03/17/no-flag-secure-does-not-protect-you-from-a11y-malware-and-google-couldnt-have-protected-2fa-tokens-that-easily/) and published a proof of concept for testing (https://github.com/reyammer/a11y-flag-secure-poc). Feedback is welcome.
You are correct. We edited the blog post to reflect your findings, and to indicate clearly that FLAG_SECURE protects against screenshot permissions and not against accessibility service (a11y) attacks.
Follow-up post here:
https://wwws.nightwatchcybersecurity.com/2020/03/23/flag_secure-and-accessibility-services-a11y/
It doesn’t matter, as you can copy and paste anyway. Having the screen shot makes no difference.
It is not a bug or a security flaw.
They could disable copy and paste and screen shot, but then you couldn’t copy the 2fa and paste it into another app.
If an app has root access, it can screen shot even if the screen shot is disabled.
Disabling FLAG_SECURE doesn’t block copy/paste
In the case of Cerberus, root access is not present – instead the malware uses accessibility permissions.
I can take screenshots of Authy in iOS
Symantec’s VIP Access app also allows screenshots
[…] then we have reported the lack of FLAG_SECURE as an issue to multiple Android app vendors. Our most recent blog post was about the fact that Google’s 2FA application (“Google Authenticator”) lacked […]