Two-step authentication becomes insecure when your Android device is infected with a new piece of malware that is capable of intercepting your messages and forwarding them to cybercriminals.
The Trojan, discovered by the Russian antivirus company Dr.Web, spreads disguised as a security certificate and tricks users into thinking it must be installed on their device.
Once installed, the malware does nothing other than display a message stating "Certificate installed successfully and your device is protected now."
In the background, however, the malware collects information about your phone, including the device's serial number, IMEI, model, carrier, phone number and OS. Once the data has been gathered, it attempts to send it to a remote server.
After successfully sending the information, the malware waits for instructions from its operator. The cybercriminal behind the malware can then send commands that make it do the following: intercept and forward SMS messages from specified numbers, send USSD messages, show messages on the device, and more.
This malware makes two-step authentication insecure because it can read the messages sent to your mobile. This means the Trojan can obtain the temporary password sent by a bank or any other site that uses two-step authentication.
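The behaviours described above each depend on a permission the app has to declare, so a decoded `AndroidManifest.xml` can be checked for the combination before an app is trusted. The Python sketch below is an added example, not code from Dr.Web or from the Trojan: the permission names are the standard Android ones for these behaviours (the report does not list them), and the sample manifest, package name and `audit_manifest` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Behaviours from the article mapped to the Android permission each one needs.
BEHAVIOUR_PERMISSION = {
    "read IMEI / phone number": "android.permission.READ_PHONE_STATE",
    "intercept incoming SMS": "android.permission.RECEIVE_SMS",
    "forward SMS": "android.permission.SEND_SMS",
    "send USSD requests": "android.permission.CALL_PHONE",
    "reach a remote server": "android.permission.INTERNET",
}

def audit_manifest(xml_text):
    """Return which of the article's behaviours this manifest makes possible."""
    root = ET.fromstring(xml_text)
    granted = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    behaviours = [b for b, perm in BEHAVIOUR_PERMISSION.items() if perm in granted]
    # Receivers subscribed to the incoming-SMS broadcast, with declared priority.
    receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                receivers.append((rcv.get(ANDROID + "name"),
                                  int(flt.get(ANDROID + "priority", "0"))))
    can_read = "intercept incoming SMS" in behaviours and bool(receivers)
    can_leak = bool({"forward SMS", "reach a remote server"} & set(behaviours))
    return {"behaviours": behaviours, "sms_receivers": receivers,
            "otp_exposure": can_read and can_leak}

# Constructed sample manifest (not taken from the real Trojan).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.certificate">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

print(audit_manifest(SAMPLE_MANIFEST)["otp_exposure"])
```

An app that claims to be a certificate installer has no reason to receive SMS, so `otp_exposure` being true for such an app is the signal to investigate.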