Cerberus: A new Android «banking malware for rent» emerges

A new Android banking trojan is being rented out on underground forums by a group that likes to engage with the security community publicly via Twitter. Dubbed Cerberus, the new remote access trojan allows attackers to take control over infected Android devices, and also comes with banking trojan capabilities like the use of overlay attacks, SMS control, and contact list harvesting.

Knowledge of the threat landscape and implementation of the right tools remains crucial to be able to protect your business from fraud. Promon SHIELD™ protects banking apps against a wide range of attack vectors, including overlay attacks, screenshots, and keylogging.

Banking apps at risk

When the malware starts, it first hides its icon from the application drawer and then asks for accessibility permission while masquerading as "Flash Player Service". Once that permission is granted, Cerberus grants itself additional permissions and disables Play Protect (Google's preinstalled antivirus solution) to avoid detection. After securing persistence on the device, Cerberus registers the infected device with the botnet and waits for commands from the C2 server, while also standing ready to perform overlay attacks.

By letting attackers launch overlay attacks from a remote dashboard, Cerberus enables malicious actors to steal sensitive data such as credit card numbers, banking credentials and passwords. Cerberus has the same capabilities as most other Android banking trojans and, according to Threat Fabric, a fairly common feature list:

  • Taking screenshots
  • Recording audio
  • Recording keylogs
  • Sending, receiving and deleting SMS
  • Stealing contact lists
  • Forwarding calls
  • Collecting device information
  • Stealing account credentials
  • Disabling Play Protect
  • Downloading additional apps and payloads
  • Removing apps from infected devices
  • Pushing notifications
  • Locking device screens

Threat Fabric believes Cerberus contains overlay attack templates for a total of 30 targets, including 14 French and US banking apps.
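The capability list above maps directly onto what an app has to declare in its manifest: SMS control, contact theft and overlays need specific permissions, and the accessibility and device-admin abuse needs system-bound components. The following triage script is an added example (not Promon's or Threat Fabric's code) that scans a decoded AndroidManifest.xml for that footprint; the manifest it runs on is a constructed sample, not the real Cerberus manifest, and the "Flash Player" label check is based on the impersonation described above.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Capabilities from the feature list above, keyed by the manifest entry enabling them.
PERMISSION_CAPS = {
    "android.permission.SEND_SMS": "SMS control",
    "android.permission.RECEIVE_SMS": "SMS control",
    "android.permission.READ_CONTACTS": "contact list theft",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay attacks",
    "android.permission.CALL_PHONE": "call forwarding",
    "android.permission.REQUEST_DELETE_PACKAGES": "app removal",
}
# System-bound components must declare these; their presence reveals the abuse vector.
COMPONENT_CAPS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility abuse",
    "android.permission.BIND_DEVICE_ADMIN": "screen locking",
}

def triage_manifest(xml_text):
    """Return {capability: [evidence, ...]} for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID + "name", "")
        if name in PERMISSION_CAPS:
            findings.setdefault(PERMISSION_CAPS[name], []).append(name)
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(ANDROID + "permission", "")
            if perm in COMPONENT_CAPS:
                label = comp.get(ANDROID + "label") or comp.get(ANDROID + "name", "?")
                findings.setdefault(COMPONENT_CAPS[perm], []).append(f"{tag} '{label}'")
                # Cerberus requested accessibility access posing as "Flash Player Service".
                if "flash" in label.lower():
                    findings.setdefault("impersonation", []).append(label)
    return findings

def looks_like_banking_trojan(findings):
    """Accessibility abuse plus at least two overlay/SMS/contact capabilities."""
    theft = {"overlay attacks", "SMS control", "contact list theft"} & set(findings)
    return "accessibility abuse" in findings and len(theft) >= 2

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flash Player"><service android:name=".A11y"
    android:label="Flash Player Service" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application></manifest>"""  # constructed sample, not a real Cerberus manifest
```

Run `triage_manifest` over a manifest produced by apktool or aapt2 to get the evidence per capability; the heuristic in `looks_like_banking_trojan` is deliberately narrow and only flags the combination described on this page.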

Protect your business!

Most mobile banking apps unfortunately lack vital security features and are thus highly vulnerable to attack. Although not yet mature enough to offer the full set of features found in established Android banking malware, Cerberus should not be taken lightly. Researchers from Threat Fabric believe it could even evolve to compete with the mightiest Android banking trojans in the near future.