Researchers discovered Cerberus, an Android banking Trojan offered as Malware-as-a-Service, in 2019. This Android malware is rented or auctioned out on underground forums and is primarily used to steal victims' financial data, such as credit card details. The operators behind Cerberus made several futile attempts to sell its source code on underground forums and instead released it for free.
The ease with which it is now available stirs concern, as it increases the threat surface proportionally. The lifespan of popular on-rent Android banking Trojans is usually no more than one or two years (as shown below). Although ransomware-for-hire is not a rare deployment model, previous trends show that once the source code for a piece of malware is released, it attracts countermeasures and possibly a new version of the malware itself.
Fig1. Android Trojans and their origin and end date
Cerberus is usually spread via phishing campaigns and fake SMS messages taking advantage of COVID-19, installations from untrusted sources, and cracked versions of software, where users are tricked into installing the malware on their smartphones.
Infection and Propagation Vector
Not long ago, Cerberus was detected being spread disguised as a Spanish currency converter (called “Calculadora de Moneda”). To avoid initial detection, the app hides its malicious intentions for the first few weeks while it is available on the Google Play store. Later, code known among researchers as “dropper code” is added to the source code of the currency converter, and the application starts deploying malware silently onto users’ devices. The application connects to a command-and-control (C2) server, which serves an additional malicious Android application package (APK): Cerberus.
Once the malware is executed on the device, it hides its icon from the application drawer and requests the accessibility service privilege, as shown below.
Fig2. Permission Access
Once the user grants the requested privilege, Cerberus abuses it to grant itself additional permissions without any user interaction. It also disables Play Protect (Google’s pre-installed antivirus solution) to prevent the app’s discovery and deletion in the future. The Trojan then registers the infected device in the botnet and waits for commands from the C2 server while getting ready to perform overlay attacks. Examples of phishing overlays are shown below in Fig 3.
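The behaviours described above (a dropper that installs a second APK, an accessibility service used to self-grant permissions, and overlay windows used for phishing) leave traces in an app's manifest. The following Python triage script, added here as an example and not code from the original write-up or from any vendor tool, parses a constructed manifest and flags that combination; the mapping of behaviours to manifest declarations is the editor's assumption, not a published Cerberus signature.

```python
"""Triage an Android manifest for the capability pattern described above.
The manifest at the bottom is a constructed sample, not the converter app or Cerberus."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Behaviours from the write-up mapped to manifest declarations (assumption: this
# mapping is the editor's own triage heuristic, not a vendor detection rule).
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can side-load a second APK (dropper)",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml: str) -> dict:
    """Return the risky indicators found and whether the accessibility+overlay combination is present."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = [f"{p}: {why}" for p, why in RISKY_PERMISSIONS.items() if p in requested]
    # An accessibility service is a <service> guarded by the BIND_ACCESSIBILITY_SERVICE permission.
    has_accessibility = any(
        s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
        for s in root.iter("service")
    )
    if has_accessibility:
        findings.append("declares an accessibility service (can click through permission dialogs)")
    # The combination the write-up describes: accessibility to self-grant, overlays to phish.
    banker_pattern = has_accessibility and "android.permission.SYSTEM_ALERT_WINDOW" in requested
    return {"package": package, "findings": findings, "banker_pattern": banker_pattern}

# Constructed sample manifest modelled on the dropper behaviour described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.converter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for line in result["findings"]:
        print("-", line)
    print("banker pattern:", result["banker_pattern"])
```

Because the icon hiding and the Play Protect tampering happen at runtime, a manifest check like this is a first-pass filter to prioritise samples for dynamic analysis, not a verdict.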