Once again, Cerberus malware has emerged as a threat to users after appearing on the Google Play Store. The malware posed as a cryptocurrency converter app to trick users, thus reaching thousands of downloads.
Cerberus Posing As Cryptocurrency App
Researchers from Avast found Cerberus malware appearing on Google Play Store. The malware hid behind a cryptocurrency converter app.
As explained in their post, the app seemingly aims at Spanish users. It bears the name “Calculadora de Moneda”, which translates as “Currency Calculator” in English.
Given the niche chosen, the malware apparently aimed to steal users’ banking data, which users would need to enter while converting their cryptocurrency to fiat money.
Briefly, the researchers observed that the app remained harmless for the first few weeks, seemingly to gather users (or victims). This also allowed the app to escape the security checks of Google Play Protect.
However, the app did contain malware dropper code, which was inactive initially but later became active. The researchers observed the app communicating with a C&C server to download an additional malicious APK: the banker itself.
Regarding how it would work, the researchers stated,
In this final stage, the banker app can sit over an existing banking app and wait for the user to log into their bank account, at which point the malicious Trojan activates, creating a layover over your login screen, and steals all your access data.
Moreover, the malware would also read text messages, seemingly to capture two-factor authentication details. Hence, the malware could easily evade the account’s security checks as well.
Malware Disappeared. But Threat Persists…
However, the active Cerberus malware functionality was present for only a very short time. Soon after its discovery, the malicious C&C server disappeared and the app became harmless once again.
Nonetheless, the researchers explained that threat actors may use such sneaky tactics to stay under the radar for a while.
Although this was just a short period, it’s a tactic fraudsters frequently use to hide from protection and detection, i.e., limiting the time window in which the malicious activity can be discovered.
Therefore, users must remain very careful when downloading any app, especially ones that deal with sensitive information such as bank details.
As for this app, it is wise to stop using it right away. Nobody knows when the perpetrators might trigger another active phase of the banking Trojan.