Android malware steals your Google Authenticator codes


The SonicWall Capture Labs Threat Research team came across a malware campaign that steals device information, card information and Google Authenticator codes from Android devices. The malware uses the icons of well-known Android apps to mislead users and trick victims into installing the malicious app on their device. The malicious app may use the following icons:

Fig 1: Malware using famous app icons


We also noticed that most of these malicious apps are fairly new and have only recently been submitted to malware-sharing platforms such as VirusTotal.

Fig 2: Latest sample found on VT


Infection cycle

The critical permissions requested by these apps are listed below:


After installation, the app asks the victim to enable its accessibility service. Once this option is enabled, it becomes difficult to uninstall the application from the device.

Fig 3: Installed malicious app


Fig 4: Accessibility permission
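The two traits described so far, an accessibility-bound service combined with permissions that support the C&C and location-reporting behaviour, can be checked statically in a decoded AndroidManifest.xml before a sample is ever run. The script below is an added triage example, not SonicWall's tooling; the manifest it parses is constructed for the demo, and the set of high-risk permissions it flags is an assumption chosen to match the behaviour described in this write-up rather than the exact list the sample requests.

```python
"""Static triage of an Android manifest for an accessibility-bound service
paired with high-risk permissions (added example, not SonicWall's tooling)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Assumption for this example: permissions that, alongside an accessibility
# service, fit the behaviour in the write-up (network C&C, location upload,
# overlays, persistence). The page does not give the sample's exact list.
HIGH_RISK_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed sample manifest (not taken from the malware) showing the pattern.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lookalike">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Lookalike">
        <service android:name=".SvcA11y"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml):
    """Return package name, accessibility services, flagged permissions
    and a verdict: suspicious when both traits occur together."""
    root = ET.fromstring(manifest_xml)
    permissions = {_attr(p, "name") for p in root.iter("uses-permission")}
    risky = sorted(permissions & HIGH_RISK_PERMISSIONS)

    a11y_services = []
    for svc in root.iter("service"):
        bound = _attr(svc, "permission") == ACCESSIBILITY_PERMISSION
        actions = {_attr(a, "name") for a in svc.iter("action")}
        if bound or ACCESSIBILITY_ACTION in actions:
            a11y_services.append(_attr(svc, "name"))

    return {
        "package": root.get("package"),
        "accessibility_services": a11y_services,
        "high_risk_permissions": risky,
        "suspicious": bool(a11y_services) and bool(risky),
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against a manifest extracted with apktool or a similar decoder; a hit on both traits is a reason to sandbox the sample, not proof of malice on its own, since legitimate accessibility apps also request some of these permissions.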


The malicious application connects to its command-and-control (C&C) server and receives commands that determine which operations it executes, as shown in the image below:

Fig 5: C&C server


In the app's web data, it creates a database in which it stores the victim's personal information and card details.

Fig 6: Database created for storing information


Google Authenticator generates two-factor authentication (2FA) codes, which strengthen account security by requiring a second verification step when a user signs in. This malware bypasses that additional layer by reading the 2FA codes with the help of the Accessibility service.

Fig 7: Stealing Google authenticator code


This malware also sends the victim's current location to its remote C&C server.

Fig 8: Latest location info

This malware is also capable of taking screenshots of the victim’s device and sending them to the C&C server.

Fig 9: Malware capturing screenshots


It stores the C&C server's details, such as the host address ( and the port number (33660), in base64-encoded form.

Fig 10: Network connection
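Because the host and port are only base64-encoded rather than encrypted, they can be recovered from a strings dump of the decompiled APK without running the sample. The script below is an added example, not SonicWall's tooling: it finds base64-looking tokens, decodes the ones that yield printable ASCII, and keeps those that look like a hostname or a port. The strings dump is constructed; the hostname is a placeholder (c2.example.invalid) because the write-up does not give the real one, and only the port number 33660 comes from the page.

```python
"""Recover base64-encoded C&C host/port candidates from a strings dump
(added example, not SonicWall's tooling)."""
import base64
import binascii
import re

# Runs of base64 alphabet characters with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{6,}={0,2}")
# A hostname needs at least one letter; a port is 2 to 5 digits.
HOSTNAME = re.compile(r"^(?=.*[A-Za-z])[A-Za-z0-9.-]{4,253}$")
PORT = re.compile(r"^\d{2,5}$")

# Constructed strings dump: dex-style identifiers that look like base64 but
# are not, plus two encoded config values. The host is a placeholder; the
# port 33660 is the one named in the write-up.
SAMPLE_STRINGS = "\n".join([
    "Landroid/accessibilityservice/AccessibilityService;",
    "AccessibilityService",          # base64 alphabet only, decodes to garbage
    "onAccessibilityEvent",
    base64.b64encode(b"c2.example.invalid").decode(),  # placeholder host
    base64.b64encode(b"33660").decode(),               # port from the write-up
    "Lcom/example/lookalike/MainActivity;",
])


def _decode_printable(token):
    """Return decoded text if token is valid base64 for printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or not all(0x20 <= b <= 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def extract_c2_candidates(strings_dump):
    """Scan a strings dump for base64 tokens that decode to a hostname or port."""
    findings = []
    for token in B64_TOKEN.findall(strings_dump):
        decoded = _decode_printable(token)
        if decoded is None:
            continue
        if PORT.match(decoded) and 1 <= int(decoded) <= 65535:
            findings.append({"token": token, "decoded": decoded, "kind": "port"})
        elif HOSTNAME.match(decoded):
            findings.append({"token": token, "decoded": decoded, "kind": "host"})
    return findings


if __name__ == "__main__":
    for hit in extract_c2_candidates(SAMPLE_STRINGS):
        print(f"{hit['kind']:4} {hit['token']} -> {hit['decoded']}")
```

Feed it the output of `strings` over classes.dex, or the decoded resources, and treat every hostname hit as a candidate for blocking or sinkholing after confirming it in the sample's network code; the printable-ASCII filter is what keeps ordinary Java identifiers from surfacing as false positives.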


SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.


Indicators of Compromise (IOC):

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.