Two-factor authentication is recommended by security firms as one of the better methods for users to protect their login details, but researchers have uncovered a vulnerability. A new version of the malware Cerberus could pick up and use the codes generated by Google Authenticator.
Google Authenticator is one of the more popular 2FA apps in the Google Play Store and can be used for a range of different services. The app generates a six-digit code that can only be used for a short period of time before the active code (required for a login to a linked service) is refreshed.
The Dutch security company ThreatFabric announced this week that it has found capabilities in new versions of the banking trojan Cerberus to capture codes generated by Google Authenticator. These versions of Cerberus are not currently offered on hacker forums, but are expected to be available on the market in the near future.
By abusing granted privileges, the trojan could extract the codes directly from the app's interface and forward them to a server. An attentive malicious party could then wait for a new code to be generated and use it to log in to the linked account on a linked service.
The fact that Cerberus could bypass the 2FA for other services seems to be just an additional feature: the original aim was for the hackers to be able to log into the bank accounts of users whose phones have been hacked. Getting into linked bank accounts is the main purpose, but any additional linked accounts are there for the taking.