Cerberus Malware Emerges As A Novel Android Banking Trojan

A new banking trojan has made it to the news owing to its unique code and evasion techniques. Dubbed as Cerberus, the malware specifically targets Android devices. Presently, many attackers are renting it as malware-as-a-service on underground forums.

Cerberus Malware Targeting Android Devices

Researchers from ThreatFabric have found a new malware threatening Android devices. The malware serves as a banking Trojan and is capable of evading security measures. The threat actors are presently renting it out on dark forums following successful private use of it for two years, as claimed.

Termed as ‘Cerberus’ (adopted from Greek mythology), the malware holds significance as it presents an entirely new threat for victims. The researchers also confirm that it does not resemble any other source code previously seen.

Brief Analysis

Upon reaching the target device, the malware hides and asks the user an accessibility service privilege. Once granted, the malware then automatically gains access to other features without user interaction. It then disables Google’s Play Protect to avoid detection in the future and registers the victim device. As elaborated by the researchers,

After conveniently granting itself additional privileges and securing its persistence on the device, Cerberus registers the infected device in the botnet and waits for commands from the C2 server while also being ready to perform overlay attacks.

Like usual Trojans, Cerberus also bears robust hacking features, making it a viable replacement for previous banking Trojans. However, it does not bring any new functionality despite boasting an entirely new source code.

Cerberus malware has the same capabilities as most other Android banking Trojans such as the use of overlay attacks, SMS control and contact list harvesting. The Trojan can also leverage keylogging to broaden the attack scope.

However, it looks unique owing to its peculiar target list of 30 apps. The list includes 15 banking apps; 7 French, 1 Japanese, and 7 US apps, and 15 non-banking apps including Gmail, Twitter, Snapchat, WhatsApp, Telegram, Instagram, Viber, Yahoo Mail, Microsoft Outlook, and Uber.

Moreover, the malware also employs a strange evasion technique by using the device’s accelerometer.

if the infected device belongs to a real person, sooner or later this person will move around, increasing the step counter. The Trojan uses this counter to activate the bot – if aforementioned step counter hits the pre-configured threshold it considers running on the device to be safe.

This prevents the malware from infecting test devices of researchers and sandboxes.

The researchers have presented a detailed malware analysis along with the list of target apps in their blog post.

Bold SM Presence Of Cerberus Authors

Cerberus malware authors seem somewhat bold since they maintain a notable social media presence via a dedicated Twitter account. They were even bold enough to attract the attention of Lukas Stefanko, another security researcher.

Here is a glimpse of one such conversation.

According to the researchers, Cerberus is all set to fill up the space created after the departure of Anubis malware.

Although not yet mature enough to provide the equivalent of a full-blown set of Android banking malware features (such as RAT, RAT with ATS (Automated Transaction Script), back-connect proxy, media streaming), or providing an exhaustive target list, Cerberus should not be taken lightly.
Due to the current absence of maintained and supported Android banking Malware-as-a-Service in the underground community, there is a certainly demand for a new service. Cerberus is already capable to fulfill this demand.

Perhaps, we can witness a rise in its potential with an increase in the target list in the days to come. Not to forget mentioning that the malware is already active in the wild.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients