Android banking trojan Cerberus is being rented on the dark web

The new Cerberus malware enters the scene equipped with amazing capabilities

Criminals distribute Cerberus, the Trojan horse as a service which can carry out many bogus operations

Criminals have not so long ago created and released a banking Trojan dubbed Cerberus into the wild, and it targets Android users. The new malware strain is being offered for rent on the underground hacking forums – malicious actors operate a so-called malware-as-a-service scheme. Packed with numerous capabilities, the trojan has taken places from past cyber threats such as Exobot^[1] and Anubis^[2] which were also spread as malware as a service but have quit their activities since then.

Cerberus Trojan authors claim that Cerberus is far beyond the renown Anubis, source code of which was recently leaked online. The malware can take full control of the mobile phone by using remote technologies and also perform other banking malware-related tasks. These functions include controlling SMS texts, spying on contact information, stalking private user data, etc. Besides, the virus pretends to be a fake Flash Player or another software update to make its way to the destination point.

Cerberus trojan is sold for thousands for everybody who can afford it

What is very interesting about Cerberus malware is the way it utilizes its services. While the purposes remain the same, the operation principle and techniques used by this trojan significantly differ from its predecessors. Cerberus is known to run its own unique code for carrying out various tasks.

According to the Cerberus developer, the malware has already been active for at least two years was also being distributed for private operation throughout that time. Now, the malware is presented as a service that can be bought by any user who can afford it. However, the malware-as-a-service does not come cheap – Cerberus is offered for $2,000 monthly, $7,000 bi-yearly, and $12,000 yearly.

Nevertheless, The developer of the trojan actively communicates with security scene via the a Twitter account, also promotes the malicious application:^[3]

Everything is written from scratch, and developed over several years. If you are interested in buying this product, write in PM on the forum.

The dangerous Trojan virus includes numerous different function modules

Cerberus Trojan virus was investigated more in-depth by various cybersecurity specialists and was found to be carrying different types of modules. Some of them include recording keystrokes, taking screenshots remotely, managing SMS texts, performing mobile phone calls, stalking contact data, device, and private user information, spying on the current location, removing and installing programs, delivering ads, locking the screen, etc.^[4]

Without a doubt, such actions might not only result in the data compromise of the infected device user but also people that are present in contacts, including family members, coworkers, etc. The stolen information can later be placed on the Dark web for same, so affected users might have problems with their credit scores, have funds transferred away from their bank accounts or even face the identity theft.

If excessive data harvesting seems like a fair game for a banking trojan, Cerberus can also eliminate crucial applications, disable antivirus protection, and even ruin Android device:^[5]

After the user grants the requested privilege, Cerberus starts to abuse it by granting itself additional permissions, such as permissions needed to send messages and make calls, without requiring any user interaction. It also disables Play Protect (Google's preinstalled antivirus solution) to prevent its discovery and deletion in the future. After conveniently granting itself additional privileges and securing its persistence on the device, Cerberus registers the infected device in the botnet and waits for commands from the C2 server while also being ready to perform overlay attacks.

It is known that Cerberus malware uses clever spoofing tricks to steal user credential data. It displays a fake but legitimately-looking banking mobile app log-in screen, which users use to enter their login information without having a clue that something is off. As observed by security researchers, the malware can successfully mimic banking apps of American, Japanese, and French users.

Cerberus uses sophisticated anti-malware tool avoidance techniques to retain persistence

Another very intriguing feature of Cerberus is its way of avoiding anti-malware detection. First of all, the trojan catches the user's physical steps, which are a sign that the malware is running on an actual device. If user steps are discovered, the malware can easily activate the bot and run its functions, however, if no movement is detected, the malicious payload will not be launched.

Cerberus trojan is a dangerous malware strain that no one expects to find on their mobile devices. It is vital to undertake adequate measures in order to avoid the infection of the newly-discovered banking trojan. Always be careful while installing new apps to your device or updating old ones. Search for clues that verify the legitimacy (or not) of the pending update/download.