Cerberus: new Android banking Trojan


Criminals recently created and released into the wild a banking Trojan dubbed Cerberus, and it targets Android users.

The new malware strain is offered for rent on underground hacking forums; its operators run a so-called malware-as-a-service scheme.

Packed with numerous capabilities, the Trojan has taken the place of earlier threats such as Exobot and Anubis, which were also sold as malware-as-a-service but have since ceased operating.

The Cerberus authors claim that their Trojan goes far beyond the well-known Anubis, whose source code was recently leaked online.

The malware can take full control of the phone through its remote-access functionality and also perform the usual banking-malware tasks.

These include controlling SMS messages, harvesting contact information, collecting private user data, and so on.

To get onto the device, the malware poses as a Flash Player app or as some other software update.

Cerberus, the new remote access Trojan, allows remote attackers to take total control over infected Android devices and also comes with banking Trojan capabilities such as overlay attacks, SMS control and contact list harvesting.

According to the author of this malware, who is surprisingly social on Twitter and mocks security researchers and antivirus industry openly, Cerberus has been coded from scratch and doesn’t re-use any code from other existing banking Trojans.

The author also claims to have used the Trojan in private operations for at least two years before renting it out, over the past two months, to anyone interested: $2,000 for one month, $7,000 for six months and $12,000 for twelve months.

Cerberus Banking Trojan: Features

According to security researchers at ThreatFabric who analyzed a sample of Cerberus Trojan, the malware has a pretty common list of features, like:

  • taking screenshots
  • recording audio
  • recording keylogs
  • sending, receiving and deleting SMS messages
  • stealing contact lists
  • forwarding calls
  • collecting device information
  • tracking device location
  • stealing account credentials
  • disabling Play Protect
  • downloading additional apps and payloads
  • removing apps from the infected device
  • pushing notifications
  • locking the device's screen

Once installed, Cerberus first hides its icon from the application drawer and then asks for the accessibility permission while masquerading as "Flash Player Service". If the permission is granted, the malware automatically registers the compromised device with its command-and-control server, allowing the buyer/attacker to control the device remotely.

To steal users’ credit card numbers, banking credentials and passwords for other online accounts, Cerberus lets attackers launch screen overlay attacks from its remote dashboard.

In a screen overlay attack, the Trojan displays an overlay on top of a legitimate mobile banking app and tricks the Android user into entering their banking credentials into the fake login screen, much like a phishing page.

“The bot abuses the accessibility service privilege to obtain the package name of the foreground application and determine whether or not to show a phishing overlay window,” the researchers said.


According to researchers, Cerberus already contains overlay attack templates for a total of 30 unique targets, including:

  • 7 French banking apps
  • 7 U.S. banking apps
  • 1 Japanese banking app
  • 15 non-banking apps

Cerberus Uses Motion-based Evasion Tactic

Cerberus also uses some interesting techniques to evade detection by antivirus solutions and hinder analysis, such as using the device's accelerometer to measure the victim's movements.


The idea is straightforward – as a user moves, their Android device usually generates some amount of motion sensor data.

The malware monitors the user’s steps through the device motion sensor to check if it is running on a real Android device.

“The Trojan uses this counter to activate the bot – if aforementioned step counter hits the pre-configured threshold it considers running on the device to be safe,” the researchers explain.

“This simple measure prevents the Trojan from running and being analyzed in dynamic analysis environments (sandboxes) and on the test devices of malware analysts.”

If the device never produces motion data, the malware concludes that it is running in an emulator or analysis sandbox without motion sensors and does not execute its malicious code.

However, this technique is also not unique and has previously been implemented by the popular Android banking Trojan ‘Anubis’.

It should be noted that Cerberus malware does not exploit any vulnerability to get automatically installed on a targeted device in the first place. Instead, the malware installation relies on social engineering tactics.

Therefore, to avoid falling victim to such threats, be careful what you download to your phone and think twice before side-loading anything.


When you move, Cerberus moves

Payload and string obfuscation are normal techniques for making analysis and detection more difficult, but Cerberus also uses a mechanism that determines if the infected system is moving or not.

The trojan achieves this by reading data from the accelerometer sensor present on Android devices to measure the acceleration force on all three physical axes, X, Y, and Z, also considering the force of gravity.

By implementing a simple pedometer, Cerberus can track if the victim is moving using the code below. A real person will move around, generating motion data and increasing the step counter.

...
// 3 == SensorManager.SENSOR_DELAY_NORMAL. The decompiled code (re)registers
// the listener for the accelerometer on every event.
this.sensorService.registerListener(this, this.accelerometer, 3);
Sensor localSensor = sensorEvent.sensor;
this.sensorService.registerListener(this, localSensor, 3);
if(localSensor.getType() == 1) {          // 1 == Sensor.TYPE_ACCELEROMETER
    float[] values = sensorEvent.values;  // m/s^2 on X, Y, Z, gravity included
    float Gx = values[0];
    float Gy = values[1];
    float Gz = values[2];
    long timestamp = System.currentTimeMillis();
    // Process at most one reading per 100 ms
    if(timestamp - this.previousTimestamp > 100L) {
        long interval = timestamp - this.previousTimestamp;
        this.previousTimestamp = timestamp;
        // Change of the summed axis values since the last processed reading,
        // scaled by the elapsed time: a "step" is counted when it exceeds 600,
        // i.e. when the sum moved by more than 0.06 * interval (in ms)
        if(Math.abs(Gx + Gy + Gz - this.curGx - this.curGy - this.curGz)
            / (((float)interval)) * 10000f > 600f) {
            this.increaseStepCount();
        }

        this.curGx = Gx;
        this.curGy = Gy;
        this.curGz = Gz;
    }
}
...
// The step threshold is read from the bot's configuration; the decompiled
// snippet ends here in the source
if(Integer.parseInt(
    this.utils.readConfigString(arg7, this.constants.step))

The malware becomes active and starts communicating with the command and control server when a specific number of steps is reached.

This safety check is implemented specifically to avoid running on test devices or in sandbox environments used for malware analysis.
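To make the gate concrete, the following is an added example (not code from the page, ThreatFabric or the malware) that re-implements the pedometer logic of the decompiled snippet in Python and runs it against constructed accelerometer traces: an idle emulator that only ever reports gravity, and a synthetic "walk" that a sandbox could replay to open the gate. The 100 ms minimum interval, the scaling by 10000 and the 600 threshold are taken from the snippet; the number of steps the bot requires before it activates comes from its configuration and is not given on the page, so `STEP_THRESHOLD` is an assumed value.

```python
"""Simulation of the Cerberus step-counter gate (added example).

Re-implements the pedometer logic from the decompiled snippet so it can be
exercised against constructed accelerometer traces. STEP_THRESHOLD is an
assumption: the real bot reads the value from its configuration.
"""
from typing import Iterable, Iterator, Tuple

STEP_THRESHOLD = 10  # assumed; not given on the page

Sample = Tuple[int, float, float, float]  # (timestamp_ms, gx, gy, gz)


class StepGate:
    """Mirror of the bot's onSensorChanged() handling for TYPE_ACCELEROMETER."""

    def __init__(self) -> None:
        # Java fields default to zero, so the very first reading is compared
        # against (0, 0, 0) over a huge interval and never counts as a step.
        self.previous_ts = 0
        self.cur = (0.0, 0.0, 0.0)
        self.steps = 0

    def on_sensor_changed(self, ts_ms: int, gx: float, gy: float, gz: float) -> None:
        if ts_ms - self.previous_ts > 100:              # at most one reading per 100 ms
            interval = ts_ms - self.previous_ts
            self.previous_ts = ts_ms
            delta = abs(gx + gy + gz - sum(self.cur))   # change of the summed axes
            if delta / interval * 10000 > 600:          # i.e. delta > 0.06 * interval
                self.steps += 1
            self.cur = (gx, gy, gz)

    def activated(self) -> bool:
        """True once the bot would consider the device real and go live."""
        return self.steps >= STEP_THRESHOLD


def run_gate(samples: Iterable[Sample]) -> StepGate:
    gate = StepGate()
    for ts, gx, gy, gz in samples:
        gate.on_sensor_changed(ts, gx, gy, gz)
    return gate


def required_delta(interval_ms: int) -> float:
    """Smallest change of the summed axes that counts as a step for a given
    spacing between processed readings."""
    return 600 * interval_ms / 10000


def idle_emulator_trace(n: int, period_ms: int = 200, start_ts: int = 1000) -> Iterator[Sample]:
    """Constructed trace of a stock emulator: gravity only, never changing."""
    for i in range(n):
        yield (start_ts + period_ms * i, 0.0, 9.81, 0.0)


def synthetic_walk(n: int, period_ms: int = 110, start_ts: int = 1000) -> Iterator[Sample]:
    """Constructed trace a sandbox could replay: alternate between a resting
    reading and a 'heel strike' whose summed change (8.19) clears
    required_delta(110) == 6.6, so every processed reading after the first
    counts as a step."""
    rest = (0.0, 9.81, 0.0)
    strike = (3.0, 13.5, 1.5)
    for i in range(n):
        gx, gy, gz = rest if i % 2 == 0 else strike
        yield (start_ts + period_ms * i, gx, gy, gz)


if __name__ == "__main__":
    idle = run_gate(idle_emulator_trace(100))
    walk = run_gate(synthetic_walk(30))
    print(f"idle emulator: {idle.steps} steps, activated={idle.activated()}")
    print(f"synthetic walk: {walk.steps} steps, activated={walk.activated()}")
```

The idle trace never produces a step, which is exactly why a stock sandbox sees no malicious behaviour; the synthetic walk opens the gate after a handful of readings. For a sandbox the lesson is that the readings must be spaced more than 100 ms apart and differ by more than 0.06 times that spacing in summed m/s², which can be fed in through the Android emulator console's `sensor set acceleration x:y:z` command or by hooking the sensor listener.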

After the user grants the requested privilege, Cerberus abuses it to grant itself additional permissions, such as those needed to send messages and make calls, without any further user interaction.

It also disables Play Protect (Google’s preinstalled antivirus solution) to prevent its discovery and deletion in the future.

After conveniently granting itself additional privileges and securing its persistence on the device, Cerberus registers the infected device in the botnet and waits for commands from the C2 server while also being ready to perform overlay attacks.

The commands supported by the analyzed version of the Cerberus bot are listed below. As can be seen, the possibilities offered by the bot are pretty common.

Command | Description
push | Shows a push notification; clicking on it launches the specified app
startApp | Starts the specified application
getInstallApps | Gets the list of installed applications on the infected device
getContacts | Gets the contact names and phone numbers from the address book on the infected device
deleteApplication | Triggers the deletion of the specified application
forwardCall | Enables call forwarding to the specified number
sendSms | Sends a text message with the specified text from the infected device to the specified phone number
startInject | Triggers the overlay attack against the specified application
startUssd | Calls the specified USSD code
openUrl | Opens the specified URL in the WebView
getSMS | Gets all text messages from the infected device
killMe | Triggers the kill switch for the bot
updateModule | Updates the payload module

Cerberus features

Cerberus malware has the same capabilities as most other Android banking Trojans such as the use of overlay attacks, SMS control and contact list harvesting. 

The Trojan can also leverage keylogging to broaden the attack scope. Overall, Cerberus has a pretty common feature list, and although the malware seems to have been written from scratch, there does not seem to be any innovative functionality at this time.

For example, some of the more advanced banking Trojans now offer features such as a back-connect proxy, screen-streaming and even remote control.

Cerberus embeds the following set of features, which allow it to stay under the radar and carry out its attacks:

  • Overlaying: Dynamic (Local injects obtained from C2)
  • Keylogging
  • SMS harvesting: SMS listing
  • SMS harvesting: SMS forwarding
  • Device info collection
  • Contact list collection
  • Application listing
  • Location collection
  • Overlaying: Targets list update
  • SMS: Sending
  • Calls: USSD request making
  • Calls: Call forwarding
  • Remote actions: App installing
  • Remote actions: App starting
  • Remote actions: App removal
  • Remote actions: Showing arbitrary web pages
  • Remote actions: Screen-locking
  • Notifications: Push notifications
  • C2 Resilience: Auxiliary C2 list
  • Self-protection: Hiding the App icon
  • Self-protection: Preventing removal
  • Self-protection: Emulation-detection
  • Architecture: Modular

Overlay attack

Most Android banking Trojans use overlay attacks to trick the victim into providing their personal information (such as but not limited to: credit card information, banking credentials, mail credentials) and Cerberus is no exception.

In this particular case, the bot abuses the accessibility service privilege to obtain the package name of the foreground application and determine whether or not to show a phishing overlay window, as shown in the following code snippet:

// Package name of the app currently in the foreground, taken from the
// AccessibilityEvent delivered to the abused accessibility service
this.foregroundAppPackage = accessibilityEvent.getPackageName().toString();

...

// Generic injects: a card grabber for apps on the CC list and a mail-credential
// grabber for apps on the MAIL list; any other target is keyed by package name
String target = this.strings.empty;
if(this.strings.CC_apps.contains(this.foregroundAppPackage)) {
    target = this.strings.grabbCC;
}
else if(this.strings.MAIL_apps.contains(this.foregroundAppPackage)) {
    target = this.strings.grabMails;
}

try {
    Utils utils = this.utils;
    String v1_10 = target.isEmpty() ? this.foregroundAppPackage : target;
    // Only fire when the C2 has delivered inject content for this key
    if(utils.readConfigString(this, v1_10).length() > 10) {
        JSONObject config = new JSONObject();
        config.put(this.strings.params, this.strings.startViewInject);
        config.put(this.strings.packageAppStart, this.foregroundAppPackage);
        config.put(this.strings.nameInject, target);
        config.put(this.strings.packageProject, this.getPackageName());
        config.put(this.strings.packageView, InjectActivity.class.getCanonicalName());
        Utils utils1 = this.utils;
        utils1.callModule(this, config.toString());  // hands off to the overlay module
    }
}
catch(Exception e) {
    ...
}

Standard banking trojan features

All six samples found in the wild pose as a Flash Player application. Once executed, the malware hides its icon and requests elevated privileges through the Accessibility Service.

It then grants itself additional permissions that allow it to send messages and make calls without user interaction. According to the researchers, the malware also disables Google Play Protect to prevent discovery and disinfection.

The feature set of this Trojan is standard and shows no sign of innovative or unusual functionality such as a back-connect proxy, remote control or screen streaming, which more advanced Android bankers offer.
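The traits just described (a "Flash Player" lure, an accessibility service used to read the foreground app and self-grant permissions, overlay and SMS/call permissions) are all visible in a decoded manifest before the sample is ever run. The following is an added example, not code from the page or from ThreatFabric, of a triage check over an `AndroidManifest.xml` as decoded by apktool. The package names of the six samples come from the appendix below; the two manifests in the block are constructed for the example and do not come from real samples, and the package names in them are hypothetical.

```python
"""Manifest triage for Cerberus-style Android bankers (added example).

Scores a decoded AndroidManifest.xml against the traits the article describes.
The manifests embedded below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Package names of the six samples listed in the appendix of the page.
KNOWN_CERBERUS_PACKAGES: Set[str] = {
    "com.uxlgtsvfdc.zipvwntdy",
    "com.ognbsfhszj.hqpquokjdp",
    "com.mwmnfwt.arhkrgajn",
    "com.wogdjywtwq.oiofvpzpxyo",
    "com.hvdnaiujzwo.fovzeukzywfr",
    "com.gzhlubw.pmevdiexmn",
}

ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
             "android.permission.RECEIVE_SMS"}
CALL_PERMS = {"android.permission.CALL_PHONE"}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"


def triage_manifest(xml_text: str) -> Dict[str, object]:
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    # Real decoded manifests often carry "@string/app_name" here; resolving it
    # against res/values/strings.xml is left out of this example.
    label = app.get(ANDROID + "label", "") if app is not None else ""
    perms = {p.get(ANDROID + "name", "") for p in root.iter("uses-permission")}
    has_a11y = any(s.get(ANDROID + "permission") == ACCESSIBILITY_BIND
                   for s in root.iter("service"))

    findings: List[str] = []
    if pkg in KNOWN_CERBERUS_PACKAGES:
        findings.append("package name matches a known Cerberus sample")
    if "flash player" in label.lower() and not pkg.startswith("com.adobe."):
        findings.append("labelled as Flash Player under a non-Adobe package")
    if has_a11y:
        findings.append("declares an accessibility service")
    if has_a11y and OVERLAY_PERM in perms:
        findings.append("accessibility service plus SYSTEM_ALERT_WINDOW (overlay capable)")
    if perms & SMS_PERMS:
        findings.append("SMS control permissions: " + ", ".join(sorted(perms & SMS_PERMS)))
    if perms & CALL_PERMS:
        findings.append("call permissions: " + ", ".join(sorted(perms & CALL_PERMS)))
    if INSTALL_PERM in perms:
        findings.append("can request installation of further packages")

    # An accessibility service on its own is legitimate (screen readers,
    # password managers); only the combination is treated as suspicious.
    return {"package": pkg, "label": label, "findings": findings,
            "suspicious": has_a11y and len(findings) >= 3}


# Constructed manifest of a Flash Player lure with the capabilities described
# on the page; the package name is hypothetical.
LURE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.qwpzrtkv.mlxbsoy">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Flash Player">
    <service android:name=".FlashPlayerService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of a benign screen reader: accessibility only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.screenreader">
  <application android:label="Screen Reader">
    <service android:name=".ReaderService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for text in (LURE_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(text)
        print(result["package"], "suspicious" if result["suspicious"] else "ok")
        for f in result["findings"]:
            print("  -", f)
```

The label heuristic is safe to keep strict: Adobe ended Flash Player for Android in 2012, so any 2019 app calling itself Flash Player is a lure regardless of its package name. The check deliberately does not flag an accessibility service by itself, since that would drown real detections in legitimate assistive apps.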


Mixed set of targets

ThreatFabric found several samples of phishing overlays used by Cerberus to steal credentials for popular email and messaging services, and credit card data.

For the moment, the researchers have found in the wild only one target list, with 30 unique entries. Among the targets are banking apps from France (7), the U.S. (7) and Japan (1); the other 15 are non-banking apps.

“This uncommon target list might either be the result of specific customer demand, or due to some actors having partially reused an existing target list.” – ThreatFabric

With the help of overlays, the malware tricks the victim into giving up sensitive information ranging from credentials for online services (Outlook, Yahoo, Twitter, WhatsApp, Telegram, Viber, Snapchat, WeChat, Uber) to payment card and banking data.

Determining when the phishing overlay should be used and which one to load is possible through its increased privileges, which allow it to obtain the package name for the foreground app.

Advertising the service

The operators of the malware advertise their service in the open, without fearing consequences from exposing indicators of compromise and other details.

A Twitter account is used to promote the tool to potential buyers and shows image captures with low or zero detection rates from multiple scanning services. A thread directed at security researchers offers a few details about the malicious APK used with Cerberus and boasts that it is an original creation that spent several years in development.

For hashes of the payload samples detected in the wild and the full list of targets, check ThreatFabric’s report.

Appendix

Samples

Some of the latest Cerberus samples found in the wild:

App name | Package name | SHA-256 hash
Flash Player | com.uxlgtsvfdc.zipvwntdy | 728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f
Flash Player | com.ognbsfhszj.hqpquokjdp | fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329
Flash Player | com.mwmnfwt.arhkrgajn | ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c
Flash Player | com.wogdjywtwq.oiofvpzpxyo | 6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4
Flash Player | com.hvdnaiujzwo.fovzeukzywfr | cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b
Flash Player | com.gzhlubw.pmevdiexmn | 3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63

Target list

The actual observed list of mobile apps targeted by Cerberus contains a total of 30 unique applications. This list is expected to expand:

Package name | Application name
com.android.vending | Play Market
com.boursorama.android.clients | Boursorama Banque
com.caisseepargne.android.mobilebanking | Banque
com.chase.sig.android | Chase Mobile
com.clairmail.fth | Fifth Third Mobile Banking
com.connectivityapps.hotmail | Connect for Hotmail
com.google.android.gm | Gmail
com.imo.android.imoim | imo free video calls and chat
com.infonow.bofa | Bank of America Mobile Banking
com.IngDirectAndroid | ING
com.instagram.android | Instagram
com.konylabs.capitalone | Capital One® Mobile
com.mail.mobile.android.mail | mail.com mail
com.microsoft.office.outlook | Microsoft Outlook
com.snapchat.android | Snapchat
com.tencent.mm | WeChat
com.twitter.android | Twitter
com.ubercab | Uber
com.usaa.mobile.android.usaa | USAA Mobile
com.usbank.mobilebanking | U.S. Bank – Inspired by customers
com.viber.voip | Viber
com.wf.wellsfargomobile | Wells Fargo Mobile
com.whatsapp | WhatsApp
com.yahoo.mobile.client.android.mail | Yahoo Mail – Organized Email
fr.banquepopulaire.cyberplus | Banque Populaire
fr.creditagricole.androidapp | Ma Banque
jp.co.rakuten_bank.rakutenbank | 楽天銀行 -個人のお客様向けアプリ (Rakuten Bank, app for personal customers)
mobi.societegenerale.mobile.lappli | L'Appli Société Générale
net.bnpparibas.mescomptes | Mes Comptes BNP Paribas
org.telegram.messenger | Telegram
