
Cerberus, a new banking Trojan available as malware-as-a-service in the underground

Security experts analyzed a new interesting Android banking Trojan, dubbed Cerberus, that is offered for rent by its author.

A new malware-as-a-service dubbed Cerberus has emerged in the threat landscape. It is an Android RAT developed from scratch that does not borrow code from other malware.

According to researchers at Threat Fabric who analyzed the threat, Cerberus implements features similar to those of other Android RATs and gives operators full control over infected devices.

The malware implements banking Trojan capabilities such as overlay attacks, the ability to intercept SMS messages, and access to the contact list.

Below is the list of features advertised by the author of the banking malware:

  • taking screenshots
  • recording audio
  • recording keylogs
  • sending, receiving, and deleting SMS messages
  • stealing contact lists
  • forwarding calls
  • collecting device information
  • tracking device location
  • stealing account credentials
  • disabling Play Protect
  • downloading additional apps and payloads
  • removing apps from the infected device
  • pushing notifications
  • locking the device’s screen

The author of this malware is very active on Twitter and mocks security firms, claiming to have evaded detection for at least two years.

“In June 2019, ThreatFabric analysts found a new Android malware, dubbed “Cerberus”, being rented out on underground forums. Its authors claim that it was used for private operations for two years preceding the start of the rental.” reads the analysis published by Threat Fabric. “They also state that the code is written from scratch and is not using parts of other existing banking Trojans unlike many other Trojans that are either based completely on the source of another Trojan (such as the leaked Anubis source code that is now being resold) or at least borrow parts of other Trojans.”

The author is offering the malware for rent at a price of $2,000 for one month of use, $7,000 for six months and up to $12,000 for an entire year.

Once Cerberus has infected an Android device, it hides its icon from the application drawer and then asks for the accessibility permission while posing as "Flash Player Service".
Once the victim grants the requested permission, Cerberus registers the compromised device with the C2 server and makes it part of the botnet available for rent.

The malicious code uses overlay attacks to steal sensitive and financial data from the victim, including credit card numbers, banking credentials and passwords for bank accounts.

In an overlay attack, the malware draws a fake UI on top of a legitimate Android application and tricks the victim into entering sensitive information or clicking confirmation buttons.

“Most Android banking Trojans use overlay attacks to trick the victim into providing their personal information (such as but not limited to: credit card information, banking credentials, mail credentials) and Cerberus is no exception.” continues the report. “The bot abuses the accessibility service privilege to obtain the package name of the foreground application and determine whether or not to show a phishing overlay window,” the researchers said.
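The infection chain and the overlay mechanism described above combine a few static indicators that an analyst can look for before running a sample: an accessibility service declared in the manifest, the overlay permission (SYSTEM_ALERT_WINDOW), SMS permissions, and an application label that imitates a well-known product such as "Flash Player". The following triage script is an added example written for this article, not ThreatFabric's tooling or any Cerberus code; the two manifests are constructed, and the indicator weights and threshold are assumptions chosen for illustration. Note that icon hiding happens at runtime (the launcher component is disabled after install), so it is deliberately not among the static indicators here.

```python
"""Static triage of an Android manifest for accessibility-abuse overlay indicators.
Added example; the manifests, weights and threshold are constructed assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Product names a dropper may imitate in its label (assumed list for the example).
DISGUISE_KEYWORDS = ("flash player",)

# Constructed manifest resembling a dropper that asks for accessibility while
# posing as a Flash Player service. Not taken from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer.update">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Flash Player Service">
    <activity android:name=".MainActivity"/>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest used as a control.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def extract_indicators(manifest_xml):
    """Parse the manifest and report which of the four indicators are present."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    label = (app.get(ANDROID_NS + "label") or "") if app is not None else ""
    declares_a11y = any(
        a.get(ANDROID_NS + "name") == ACCESSIBILITY_ACTION for a in root.iter("action")
    )
    return {
        "package": root.get("package"),
        "accessibility_service": declares_a11y,
        "overlay_permission": OVERLAY_PERMISSION in perms,
        "sms_access": bool(perms & SMS_PERMISSIONS),
        "disguised_label": any(k in label.lower() for k in DISGUISE_KEYWORDS),
    }


# Assumed weights: accessibility abuse and a disguised label weigh most.
WEIGHTS = {
    "accessibility_service": 3,
    "disguised_label": 3,
    "overlay_permission": 2,
    "sms_access": 2,
}


def triage_score(indicators):
    """Sum the weights of the indicators that fired."""
    return sum(w for key, w in WEIGHTS.items() if indicators.get(key))


def triage(manifest_xml, threshold=6):
    """Return a verdict dict; `threshold` is an assumed cut-off for escalation."""
    indicators = extract_indicators(manifest_xml)
    score = triage_score(indicators)
    return {
        "package": indicators["package"],
        "score": score,
        "suspicious": score >= threshold,
        "indicators": indicators,
    }


if __name__ == "__main__":
    for name, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(manifest))
```

The script only flags candidates for deeper analysis: a legitimate accessibility tool also declares the service, so the score is a prioritisation signal, not a verdict, and a real pipeline would decode the binary manifest from the APK (for example with apktool or androguard) before feeding it in.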

Cerberus includes templates to target a total of 30 apps:

  • 7 French banking apps
  • 7 U.S. banking apps
  • 1 Japanese banking app
  • 15 non-banking apps

Cerberus also implements some interesting techniques to evade detection. One of them uses the accelerometer sensor as a step counter: if the device is being carried by a real user, steps accumulate, whereas an emulator or analysis sandbox typically reports no motion at all. “The Trojan uses this counter to activate the bot—if aforementioned step counter hits the pre-configured threshold it considers running on the device to be safe,” the researchers explain.

“This simple measure prevents the Trojan from running and being analyzed in dynamic analysis environments (sandboxes) and on the test devices of malware analysts.” continues the report.
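The following simulation is an added example for this article, not Cerberus code: it implements a crude step counter over accelerometer samples and shows why a static emulator never trips the activation gate while synthetic walking data does. The step-detection rule (a magnitude peak above a high band after a trough below a low band), the band values and the threshold of 50 steps are assumptions; the real sample's thresholds are not published on this page.

```python
"""Sensor-gated activation as seen from the analysis side.
Added example with assumed step-detection rule and threshold; no real malware code."""
import math

G = 9.81  # gravity in m/s^2, what a resting device reports on its vertical axis


def count_steps(samples, high=11.0, low=8.5):
    """Count peaks in acceleration magnitude over (x, y, z) samples in m/s^2.

    A step is counted when the magnitude rises above `high`; the counter is
    re-armed only after the magnitude drops below `low`, so a single peak
    counts once. Band values are assumptions for the example.
    """
    steps = 0
    armed = True
    for x, y, z in samples:
        magnitude = math.sqrt(x * x + y * y + z * z)
        if armed and magnitude > high:
            steps += 1
            armed = False
        elif not armed and magnitude < low:
            armed = True
    return steps


def idle_emulator_samples(n):
    """A sandbox that reports a constant gravity vector: the device never moves."""
    return [(0.0, 0.0, G)] * n


def walking_samples(n_steps, samples_per_step=20):
    """Synthetic walking: vertical acceleration oscillates around 1 g once per step,
    with a small lateral sway. Constructed data, not a recording."""
    out = []
    for i in range(n_steps * samples_per_step):
        phase = 2 * math.pi * i / samples_per_step
        out.append((0.3 * math.sin(phase), 0.0, G + 3.0 * math.sin(phase)))
    return out


def bot_would_activate(samples, threshold=50):
    """Mirror the gate the report describes: activate once the step count
    reaches the (assumed) pre-configured threshold."""
    return count_steps(samples) >= threshold


if __name__ == "__main__":
    # An idle emulator, however long it runs, never reaches the threshold.
    print("idle emulator steps:", count_steps(idle_emulator_samples(10_000)))
    # A feed of realistic motion satisfies the gate quickly.
    print("walking steps:", count_steps(walking_samples(60)))
    print("activates on idle:", bot_would_activate(idle_emulator_samples(10_000)))
    print("activates on walking:", bot_would_activate(walking_samples(60)))
```

The practical lesson for a dynamic-analysis environment is that runtime alone does not help: the sandbox must either inject plausible motion into the sensor feed (as `walking_samples` does) or hook the sensor and step-counter APIs so that the sample sees the activity it expects, otherwise the payload stays dormant and the analysis records nothing.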

Other malware, such as the Anubis banking Trojan, has implemented the same technique to avoid detection.

Cerberus relies on social engineering to trick victims into installing it on their devices.

“Although not yet mature enough to provide the equivalent of a full-blown set of Android banking malware features (such as RAT, RAT with ATS (Automated Transaction Script), back-connect proxy, media streaming), or providing an exhaustive target list, Cerberus should not be taken lightly.” concludes the report.

“Due to the current absence of maintained and supported Android banking Malware-as-a-Service in the underground community, there is certainly demand for a new service. Cerberus is already capable of fulfilling this demand.”


Pierluigi Paganini

(SecurityAffairs – Cerberus, Android malware)
