Recently, many popular Android Trojans (such as Anubis, Red Alert 2.0, GM-bot and Exobot) have stopped their activities in the field of malware-as-a-service. However, new players are already taking their place. For example Android Banker Cerberus.Experts from the Amsterdam-based company ThreatFabric discovered the new Android malware Cerberus.
Cerberus does not exploit any vulnerabilities and is distributed exclusively through social engineering. It allows attackers to establish full control over an infected device, and has functions of a classic banker, such as using overlays, SMS control, and extracting a contact list.
The author of this malware, who is very active on social networks in general and Twitter in particular, and openly makes fun on information security experts and the anti-virus industry, claims that the malware was written from the scratcg and does not use the code of any other banking Trojans.
“Autor also state that the code is written from scratch and is not using parts of other existing banking Trojans unlike many other Trojans that are either based completely on another Trojan (such as the leaked Anubis source code that is now being resold) or at least borrow parts of other Trojans. After thorough analysis we can confirm that Cerberus was indeed not based on the Anubis source code”, — confirm ThreatFabric researchers.
The virus writer also claims that he personally used Cerberus for his operations for at least two years before deciding to lease the malware to everyone. A month of renting a banker will cost $2,000, half a year $7,000 and a year renting a malware will cost up to $12,000.
In general, Cerberus has a fairly standard feature set. So, he is capable of:
- taking screenshots;
- recording audio;
- intercepting keystrokes;
- sending, receive and delete SMS;
- storing contact lists;
- forwarding calls;
- collecting device information;
- tracking device location;
- stealing credentials;
- disabling Play Protect protection;
- downloading additional applications and payloads;
- removing applications from an infected device;
- showing push notifications;
- locking screen of the device.
After infection, Cerberus first hides its icon, and then requests the rights it needs (through the Accessibility Service), masking itself as a Flash Player.
Perhaps the most interesting feature of this malware is the method by which Cerberus avoids detection. The malware reads data from the accelerometer and, using a simple pedometer, can track whether the victim is moving.
Read also: Trojan Varenyky spies on porn sites users
This helps to avoid running on test devices or in the sandbox. As a result, the malware is activated and begins to interact with the management server, only by counting a certain number of steps.
Currently, ThreatFabric specialists have discovered several samples of fishing operations used by Cerberus to steal credentials and bankcard information. So, among the goals of malware are banking applications from France (7), the USA (7) and Japan (1) and 15 more applications that are not related to banks (including Outlook, Yahoo, Twitter, WhatsApp, Telegram, Viber, Snapchat, WeChat, Uber).