
Cerberus

Posted: August 15, 2019

Cerberus is a banking Trojan that compromises Android devices in order to compromise their users' bank accounts. Because the threat is rented out to other criminals on the dark Web, its infection vectors can vary from one attack to the next. Users should disconnect the device from the Internet, delete Cerberus with an appropriate anti-malware product immediately, and only then change their passwords and other credentials.

The Dog from Hades Gets into Thievery

Although Cerberus is, by its theme of Greek myth, a guard dog, a new threat actor entrepreneur is putting an ironic spin on the name. The dev team's project, the Cerberus banking Trojan, specializes in collecting data from bank accounts and hijacking transactions, which it does through conventional overlay attacks. Other aspects of Cerberus's operations and history do a surprisingly good job of setting it apart from the generic, Anubis code-based Trojans of yore.

First and foremost, Cerberus's threat actor behaves unusually casually for people in an illicit business. They use social media to taunt the cyber-security community, even to the point of revealing minor aspects of their Trojan's design in screenshots, and they maintain a steady stream of promotional material for prospective clients. Although Cerberus doesn't offer all of the most sophisticated features of some banking Trojans, such as reverse proxy or RAT capabilities, the Trojan is an original design with no code ties to older threats. This trait can enhance its appeal in the underground market.

Cerberus lacks some attack functions but includes a range of others, such as:

  • Cerberus can run a keylogger that records typed information into an uploadable text file.
  • Cerberus can harvest the user's contact lists for addresses.
  • Cerberus can send SMS messages or make calls (after gaining initial permission from the user during its setup).

However, all of these are, arguably, less vital than Cerberus's overlay, which places a transparent graphical layer on top of the user's browser. This feature assists with compromising bank accounts and transactions, although, for now, Cerberus is limiting itself to a highly-curated list of banking businesses, most of which are in France or the United States.

Banishing a Money-Gnawing Hound Back to Hell

The creativity of Cerberus's threat actor extends beyond social media platforms like Twitter. They also express some unorthodox problem-solving ideas in their anti-detection features. Cerberus, like most banking Trojans, includes protection against analysis environments and sandboxes. However, it does so by counting the user's steps with the device's accelerometer; in other words, a stationary device or an emulated environment that registers no movement never triggers the botnet functions. This check works only because Cerberus targets Android handsets, which carry such sensors.

The first permission request during Cerberus's installation is the most visible evidence of its presence that a victim will see before the more damaging attacks begin. As a general rule, users should avoid granting permissions to applications before verifying their safety. Once Cerberus has this approval, it can grant itself further permissions without needing any more consent.

Android-compatible anti-malware services should delete Cerberus as a threat – although the Trojan does take steps against Google-brand solutions like Google Play Protect, which users shouldn't rely on alone.

Cerberus is arriving at a rocky time for the banking Trojan sector and is leveraging psychological tools to its benefit. Although its bite is narrowly aimed for now, there's no telling what else it may target as 2019 changes seasons.
