Criminals recently created and released a banking Trojan dubbed Cerberus into the wild, and it targets Android users.
The new malware strain is offered for rent on underground hacking forums: its operators run a so-called malware-as-a-service scheme.
Packed with numerous capabilities, the Trojan has taken the place of past threats such as Exobot and Anubis, which were also distributed as malware-as-a-service but have since ceased operations.
The Cerberus authors claim it goes far beyond the renowned Anubis, whose source code was recently leaked online.
The malware can take full control of the mobile phone by using remote technologies and also perform other banking malware-related tasks.
These functions include controlling SMS texts, spying on contact information, stalking private user data, etc.
To get onto the device, the malware poses as a Flash Player or other software update.
“Cerberus,” the new remote access Trojan allows remote attackers to take total control over the infected Android devices and also comes with banking Trojan capabilities like the use of overlay attacks, SMS control, and contact list harvesting.
According to the author of this malware, who is surprisingly social on Twitter and mocks security researchers and antivirus industry openly, Cerberus has been coded from scratch and doesn’t re-use any code from other existing banking Trojans.
The author also claims to have used the Trojan in private operations for at least two years before renting it out, over the past two months, to anyone interested: $2,000 for one month of usage, $7,000 for six months and up to $12,000 for 12 months.
Cerberus Banking Trojan: Features
According to security researchers at ThreatFabric who analyzed a sample of Cerberus Trojan, the malware has a pretty common list of features, like:
- taking screenshots
- recording audio
- keylogging
- sending, receiving and deleting SMS messages
- stealing contact lists
- forwarding calls
- collecting device information
- tracking device location
- stealing account credentials
- disabling Play Protect
- downloading additional apps and payloads
- removing apps from the infected device
- pushing notifications
- locking the device's screen
Once infected, Cerberus first hides its icon from the application drawer and then asks for the accessibility permission by masquerading itself as Flash Player Service. If granted, the malware automatically registers the compromised device to its command-and-control server, allowing the buyer/attacker to control the device remotely.
To steal users’ credit card numbers, banking credentials and passwords for other online accounts, Cerberus lets attackers launch screen overlay attacks from its remote dashboard.
In screen overlay attack, the Trojan displays an overlay on top of legitimate mobile banking apps and tricks Android users into entering their banking credentials into the fake login screen, just like a phishing attack.
“The bot abuses the accessibility service privilege to obtain the package name of the foreground application and determine whether or not to show a phishing overlay window,” the researchers said.

According to researchers, Cerberus already contains overlay attack templates for a total of 30 unique targets, including:
- 7 French banking apps
- 7 U.S. banking apps
- 1 Japanese banking app
- 15 non-banking apps
Cerberus Uses Motion-based Evasion Tactic
Cerberus also uses some interesting techniques to evade detection from antivirus solutions and prevent its analysis, like using the device accelerometer sensor to measure movements of the victim.
The idea is straightforward – as a user moves, their Android device usually generates some amount of motion sensor data.
The malware monitors the user’s steps through the device motion sensor to check if it is running on a real Android device.
“The Trojan uses this counter to activate the bot – if the aforementioned step counter hits the pre-configured threshold it considers running on the device to be safe,” the researchers explain.
“This simple measure prevents the Trojan from running and being analyzed in dynamic analysis environments (sandboxes) and on the test devices of malware analysts.”
If the user’s device lacks sensor data, the malware assumes that the sandbox for scanning malware is an emulator with no motion sensors and will not run the malicious code.
However, this technique is also not unique and has previously been implemented by the popular Android banking Trojan ‘Anubis’.
It should be noted that Cerberus malware does not exploit any vulnerability to get automatically installed on a targeted device in the first place. Instead, the malware installation relies on social engineering tactics.
Therefore, to protect yourself from becoming a victim of such malware threats, be careful what you download on your phone and think thrice before side-loading apps.
When you move, Cerberus moves
Payload and string obfuscation are normal techniques for making analysis and detection more difficult, but Cerberus also uses a mechanism that determines if the infected system is moving or not.
The Trojan achieves this by reading data from the accelerometer sensor present on Android devices, which measures the acceleration force on all three physical axes (X, Y and Z), including the force of gravity.
By implementing a simple pedometer, Cerberus can track if the victim is moving using the code below. A real person will move around, generating motion data and increasing the step counter.
...
// Register for accelerometer updates (rate 3 = SENSOR_DELAY_NORMAL) and
// handle each SensorEvent; type 1 is Sensor.TYPE_ACCELEROMETER.
this.sensorService.registerListener(this, this.accelerometer, 3);
Sensor localSensor = sensorEvent.sensor;
this.sensorService.registerListener(this, localSensor, 3);
if(localSensor.getType() == 1) {
    float[] values = sensorEvent.values;
    float Gx = values[0];
    float Gy = values[1];
    float Gz = values[2];
    long timestamp = System.currentTimeMillis();
    // Evaluate a sample at most once every 100 ms
    if(timestamp - this.previousTimestamp > 100L) {
        long interval = timestamp - this.previousTimestamp;
        this.previousTimestamp = timestamp;
        // Change in summed acceleration since the last evaluated sample,
        // per millisecond and scaled by 10000; above 600 it counts as a step
        if(Math.abs(Gx + Gy + Gz - this.curGx - this.curGy - this.curGz)
                / (((float)interval)) * 10000f > 600f) {
            this.increaseStepCount();
        }
        this.curGx = Gx;
        this.curGy = Gy;
        this.curGz = Gz;
    }
}
...
// The step threshold is read from the bot's configuration (rest of the check elided)
if(Integer.parseInt(
        this.utils.readConfigString(arg7, this.constants.step))
The malware becomes active and starts communicating with the command and control server when a specific number of steps is reached.
This safety check is implemented specifically to avoid running on test devices or in sandbox environments used for malware analysis.
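To make the gating arithmetic above concrete, here is an added Python re-implementation of the step counter (analysis code written for this page, not Cerberus code), run over two constructed accelerometer traces. The threshold of 20 is a placeholder, since the real value is read from the bot's configuration and is not given here; it shows why a sandbox whose virtual sensor never changes cannot wake the bot.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# One accelerometer sample: (timestamp in ms, Gx, Gy, Gz), forces in m/s^2.
Reading = Tuple[int, float, float, float]

@dataclass
class StepGate:
    """Pedometer gate equivalent to the decompiled logic: a sample is evaluated
    only if more than 100 ms passed since the last evaluated one, and it counts
    as a step when the change in Gx+Gy+Gz per ms, scaled by 10000, exceeds 600."""
    step_threshold: int  # stands in for the bot's "step" config value (not on the page)
    steps: int = 0
    prev_ts: int = 0
    prev_sum: float = 0.0

    def feed(self, ts: int, gx: float, gy: float, gz: float) -> None:
        if ts - self.prev_ts > 100:
            interval = ts - self.prev_ts
            self.prev_ts = ts
            total = gx + gy + gz
            if abs(total - self.prev_sum) / interval * 10000.0 > 600.0:
                self.steps += 1
            self.prev_sum = total

    def activated(self) -> bool:
        """True once the counter reaches the threshold, i.e. the point at which
        the bot would consider the device real and contact its C2."""
        return self.steps >= self.step_threshold

def run_gate(trace: Iterable[Reading], step_threshold: int) -> Tuple[int, bool]:
    """Feed a whole trace through the gate; returns (steps counted, activated)."""
    gate = StepGate(step_threshold)
    for ts, gx, gy, gz in trace:
        gate.feed(ts, gx, gy, gz)
    return gate.steps, gate.activated()

def emulator_trace(n: int) -> List[Reading]:
    """Constructed: a sandbox whose virtual accelerometer only ever reports
    gravity on the Z axis, one sample every 200 ms. Never counts a step."""
    return [(k * 200, 0.0, 0.0, 9.81) for k in range(1, n + 1)]

def walking_trace(n: int) -> List[Reading]:
    """Constructed: a handheld device alternating between a resting reading and
    a jolt every 110 ms (swings exaggerated so the arithmetic is obvious)."""
    rest, jolt = (0.2, 0.4, 9.8), (6.0, 5.0, 12.0)
    return [(k * 110, *(jolt if k % 2 else rest)) for k in range(1, n + 1)]

# Placeholder threshold 20: emulator_trace(50) -> (0, False); walking_trace(20) -> (20, True).
```

A sandbox that wants this family to detonate therefore has to replay realistic, varying sensor events rather than a constant gravity vector.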
After the user grants the requested privilege, Cerberus starts to abuse it by granting itself additional permissions, such as permissions needed to send messages and make calls, without requiring any user interaction.
It also disables Play Protect (Google’s preinstalled antivirus solution) to prevent its discovery and deletion in the future.
After conveniently granting itself additional privileges and securing its persistence on the device, Cerberus registers the infected device in the botnet and waits for commands from the C2 server while also being ready to perform overlay attacks.
The commands supported by the analyzed version of the Cerberus bot are listed below. As can be seen, the possibilities offered by the bot are pretty common.
Command | Description |
--- | --- |
push | Shows a push notification; clicking on the notification launches a specified app |
startApp | Starts the specified application |
getInstallApps | Gets the list of installed applications on the infected device |
getContacts | Gets the contact names and phone numbers from the address book on the infected device |
deleteApplication | Triggers the deletion of the specified application |
forwardCall | Enables call forwarding to the specified number |
sendSms | Sends a text message with the specified text from the infected device to the specified phone number |
startInject | Triggers the overlay attack against the specified application |
startUssd | Calls the specified USSD code |
openUrl | Opens the specified URL in the WebView |
getSMS | Gets all text messages from the infected device |
killMe | Triggers the kill switch for the bot |
updateModule | Updates the payload module |
Cerberus features
Cerberus malware has the same capabilities as most other Android banking Trojans such as the use of overlay attacks, SMS control and contact list harvesting.
The Trojan can also leverage keylogging to broaden the attack scope. Overall, Cerberus has a pretty common feature list, and although the malware seems to have been written from scratch, there does not seem to be any innovative functionality at this time.
For example, some of the more advanced banking Trojans now offer features such as a back-connect proxy, screen-streaming and even remote control.
Cerberus embeds the following set of features that allows itself to remain under the radar and successfully perform attacks:
- Overlaying: Dynamic (Local injects obtained from C2)
- Keylogging
- SMS harvesting: SMS listing
- SMS harvesting: SMS forwarding
- Device info collection
- Contact list collection
- Application listing
- Location collection
- Overlaying: Targets list update
- SMS: Sending
- Calls: USSD request making
- Calls: Call forwarding
- Remote actions: App installing
- Remote actions: App starting
- Remote actions: App removal
- Remote actions: Showing arbitrary web pages
- Remote actions: Screen-locking
- Notifications: Push notifications
- C2 Resilience: Auxiliary C2 list
- Self-protection: Hiding the App icon
- Self-protection: Preventing removal
- Self-protection: Emulation-detection
- Architecture: Modular
Overlay attack
Most Android banking Trojans use overlay attacks to trick the victim into providing their personal information (such as but not limited to: credit card information, banking credentials, mail credentials) and Cerberus is no exception.
In this particular case, the bot abuses the accessibility service privilege to obtain the package name of the foreground application and determine whether or not to show a phishing overlay window, as shown in the following code snippet:
// Package name of the app currently in the foreground, taken from the
// AccessibilityEvent delivered to the abused accessibility service
this.foregroundAppPackage = accessibilityEvent.getPackageName().toString();
...
// Generic credit-card and mail-credential overlays are chosen by list
// membership; any other package is looked up by name in the bot's config
String target = this.strings.empty;
if(this.strings.CC_apps.contains(this.foregroundAppPackage)) {
    target = this.strings.grabbCC;
}
else if(this.strings.MAIL_apps.contains(this.foregroundAppPackage)) {
    target = this.strings.grabMails;
}
try {
    Utils utils = this.utils;
    String v1_10 = target.isEmpty() ? this.foregroundAppPackage : target;
    // An inject is available when the config holds an entry for this target
    if(utils.readConfigString(this, v1_10).length() > 10) {
        JSONObject config = new JSONObject();
        config.put(this.strings.params, this.strings.startViewInject);
        config.put(this.strings.packageAppStart, this.foregroundAppPackage);
        config.put(this.strings.nameInject, target);
        config.put(this.strings.packageProject, this.getPackageName());
        config.put(this.strings.packageView, InjectActivity.class.getCanonicalName());
        Utils utils1 = this.utils;
        utils1.callModule(this, config.toString());
    }
}
catch(Exception e) {
    ...
}
Standard banking trojan features
In the six samples found in the wild, Cerberus poses as a Flash Player application. When it executes on a device, the malware hides its icon and demands increased privileges through the Accessibility Service.

Then it starts granting itself additional permissions that allow it to send messages and make calls without user interaction. According to the researchers, the malware also disables Google Play Protect to prevent discovery and disinfection.
The set of features available in this Trojan is standard and shows no sign of innovative or special functions such as a back-connect proxy, remote control, or screen streaming, which are present in more advanced Android bankers.
Mixed set of targets
ThreatFabric found several samples of phishing overlays used by Cerberus to steal credentials for popular email and messaging services, and credit card data.
For the moment, the researchers found in the wild only one target list, with 30 unique entries. Among the targets are banking apps from France (7), the U.S. (7) and Japan (1); the other 15 are non-banking apps.
“This uncommon target list might either be the result of specific customer demand, or due to some actors having partially reused an existing target list.” – ThreatFabric
With the help of overlays, the malware tricks the victim into giving sensitive information that ranges from credentials for online services (Outlook, Yahoo, Twitter, WhatsApp, Telegram, Viber, Snapchat, WeChat, Uber) to payment card and banking info.
Determining when the phishing overlay should be used and which one to load is possible through its increased privileges, which allow it to obtain the package name for the foreground app.
Advertising the service
The operators of the malware advertise their service in the open, without fearing consequences from exposing indicators of compromise and other details.
A Twitter account is used to promote the tool to potential buyers and shows image captures with low or zero detection rates from multiple scanning services. A thread directed at security researchers offers a few details about the malicious APK used with Cerberus and boasts that it is an original creation that spent several years in development.

For hashes of the payload samples detected in the wild and the full list of targets, check ThreatFabric’s report.
Appendix
Samples
Some of the latest Cerberus samples found in the wild:
Target list
The actual observed list of mobile apps targeted by Cerberus contains a total of 30 unique applications. This list is expected to expand:
Package name | Application name |
--- | --- |
com.android.vending | Play Market |
com.boursorama.android.clients | Boursorama Banque |
com.caisseepargne.android.mobilebanking | Banque |
com.chase.sig.android | Chase Mobile |
com.clairmail.fth | Fifth Third Mobile Banking |
com.connectivityapps.hotmail | Connect for Hotmail |
com.google.android.gm | Gmail |
com.imo.android.imoim | imo free video calls and chat |
com.infonow.bofa | Bank of America Mobile Banking |
com.IngDirectAndroid | ING |
com.instagram.android | Instagram |
com.konylabs.capitalone | Capital One® Mobile |
com.mail.mobile.android.mail | mail.com mail |
com.microsoft.office.outlook | Microsoft Outlook |
com.snapchat.android | Snapchat |
com.tencent.mm | WeChat |
com.twitter.android | Twitter |
com.ubercab | Uber |
com.usaa.mobile.android.usaa | USAA Mobile |
com.usbank.mobilebanking | U.S. Bank – Inspired by customers |
com.viber.voip | Viber |
com.wf.wellsfargomobile | Wells Fargo Mobile |
com.whatsapp | WhatsApp |
com.yahoo.mobile.client.android.mail | Yahoo Mail – Organized Email |
fr.banquepopulaire.cyberplus | Banque Populaire |
fr.creditagricole.androidapp | Ma Banque |
jp.co.rakuten_bank.rakutenbank | 楽天銀行 -個人のお客様向けアプリ |
mobi.societegenerale.mobile.lappli | L’Appli Société Générale |
net.bnpparibas.mescomptes | Mes Comptes BNP Paribas |
org.telegram.messenger | Telegram |