Cerberus – A New Android Malware
By Chaitra V M
Cerberus is a new Android banking trojan and has emerged as a new Malware-as-a-service.
Cerberus is a Remote Access Trojan were the infected Android devices, are taken control by remote attackers and have the capabilities of banking trojan like SMS control, harvesting of the contact list and the use of overlay attacks.
Cerberus is developed from scratch and doesn’t borrow or re-use any code from any other malware or banking trojans and is available for rent.
Cerberus infects Android devices, by hiding its icon from the application drawer, and posing itself as Flash Player Service and then asking permission for accessibility. When the victim grants the permission of authorizations, the malware grants itself additional permissions and to prevent discovery it disables Google Play Protect. It then registers the infected devices to its command-and-control server and part of botnet making it available for rent.
Cerberus enables screen overlay malicious attacks to steal sensitive and financial data including banking credentials and passwords, credit card numbers from the victims by displaying an overlay on top of legitimate banking apps in mobile and tricks victims to provide credentials into the fake login screen.
With the help of overlays, the malware tricks victims by providing information from WhatsApp, Uber, Telegram, Twitter and other online services.
Cerberus uses few techniques to evade detection and prevent its analysis, by use of accelerometer sensor to detect the victim’s movements. The malware monitors the victim’s movement through the sensor to verify if it is running on real Android devices. If the victim’s device lacks sensor data, the malware will not run the malicious code assuming that the sandbox for malware scanning is an emulator with no motion sensors.
Cerberus malware relies on social engineering tricks and does not exploit any vulnerability on the infected or the targeted devices for automatic installation.