Google offers an application for Android called “Google Authenticator” which is used to set up two-factor authentication (2FA). This application generates standard OTP codes, usually used for 2FA.

It appears that Google Authenticator allows screenshots to be taken of OTP codes. The implication is that if a user’s device ends up running a rogue app, that app can capture all generated OTP codes as they are shown by the app, and thus break two-factor authentication.

[EDITED 2020-03-23: This is only true for rogue apps with screenshot permissions (MediaProjection), but not for those using accessibility (a11y) permissions. This is particularly relevant because many such rogue apps use Android accessibility to scrape screenshots from running apps. However, using FLAG_SECURE may prevent that behavior even via accessibility permissions, although more research is needed to confirm that.]

UPDATE (2020-03-03): Disclosed publicly because of recent media reports

UPDATE #2 (2020-03-04): Multiple people noted that Microsoft Authenticator has the same issue. We blogged about that back in 2018 and the issue remains unfixed.

UPDATE #3 (2020-03-23): FLAG_SECURE may protect against malicious apps using the MediaProjection APIs; however, as per the comment below from Yanick Fratantonio and his blog post, FLAG_SECURE doesn’t protect against attacks using accessibility services. See our follow-up post here.



Steps to Replicate

To replicate, try the following:

Open the application. Add an account. Press Power + Volume Down at any sensitive screen and observe a screenshot being taken.

The underlying reason is that the app does not set “FLAG_SECURE” on such screens (more information on FLAG_SECURE can be found in our earlier blog post). By contrast, many Android apps with higher security requirements use it.
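For illustration, here is an added example (not code from Google Authenticator or from this blog) of an Android Activity that shows a one-time code and applies the FLAG_SECURE mitigation described above; the Activity name and the currentOtpCode() helper are hypothetical.

```java
// Added example, not code from the Google Authenticator app.
// Without the setFlags() call below, Power + Volume Down and MediaProjection-based
// capture record the OTP as plain pixels, which is the issue this post describes.
import android.app.Activity;
import android.os.Bundle;
import android.view.WindowManager;
import android.widget.TextView;

public class OtpDisplayActivity extends Activity {

    // Hypothetical helper standing in for the app's real OTP computation.
    private String currentOtpCode() {
        return "123456"; // constructed sample value, not a real code
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Mitigation: mark the window as secure before setContentView(), so the
        // flag is in place before the first frame is drawn. Screenshots, screen
        // recording and MediaProjection capture of this window are then blocked.
        getWindow().setFlags(
                WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);

        // Caveat (see UPDATE #3 above): FLAG_SECURE only covers pixel capture.
        // An accessibility service can still read the text of this view.
        TextView codeView = new TextView(this);
        codeView.setText(currentOtpCode());
        setContentView(codeView);
    }
}
```

To check the mitigation, repeat the Power + Volume Down step from above on the protected screen: the system either refuses the screenshot or produces a black image instead of the code.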

Vendor Response

We filed a bug report with the vendor (Google) and the vendor filed an internal bug. The vendor never informed us whether the bug was fixed. Testing on the most recent version reveals that the bug is still present.

References

GitHub issue filed by someone else – see here

Google Play link to the app – see here

Google Security Case # 8-2193000017345

Our earlier blog post about FLAG_SECURE on Android – see here

ZDNet report regarding Cerberus malware attacking this app – see here

Timeline

2014-10-10: GitHub issue filed by someone else

2017-05-10: Issue filed with the vendor, triaged and bug filed

2017-05-11: Follow-up discussion regarding other vendor apps

2017-05-12: Response regarding bounty received

2020-02-27: Media story regarding malware targeting this app

2020-03-03: Public disclosure

2020-03-04: Added comment regarding Microsoft Authenticator

2020-03-23: Added clarification regarding screenshot permissions and accessibility permissions