A new banking trojan has made it to the news owing to its unique code and evasion techniques. Dubbed as Cerberus, the malware specifically targets Android devices. Presently, many attackers are renting it as malware-as-a-service on underground forums.

According to The Hacker News, the author claims that this malware was completely written from scratch and doesn’t reuse code from other existing banking trojans. Researchers who analyzed a sample of the Cerberus trojan found that it has a pretty common list of features including the ability to take screenshots, hijacking SMS messages, stealing contact lists, stealing account credentials, and more.

When an Android device becomes infected with the Cerberus trojan, the malware hides its icon from the application drawer. Then, it disguises itself as Flash Player Service to gain accessibility permission. If permission is granted, Cerberus will automatically register the compromised device to its command-and-control server, allowing the attacker to control the device remotely. To steal a victim’s credit card number or banking information, Cerberus launches remote screen overlay attacks. This type of attack displays an overlay on top of legitimate mobile banking apps and tricks users into entering their credentials onto a fake login screen. What’s more, Cerberus has already developed overlay attacks for a total of 30 unique targets and banking apps.

The creator additionally claimed to be utilizing the Trojan for personal operations for no less than two years earlier than renting it out for anybody from the previous two months at $2000 for 1-month utilization, $7000 for six months and as much as $12,000 for 12 months.

According to security researchers at ThreatFabric who analyzed a sample of Cerberus Trojan, the malware has a pretty common list of features, like:

  • taking screenshots
  • recording audio
  • recording key logs
  • sending, receiving, and deleting SMSes,
  • stealing contact lists
  • forwarding calls
  • collecting device information
  • Tracking device location
  • stealing account credentials,
  • disabling Play Protect
  • downloading additional apps and payloads
  • removing apps from the infected device
  • pushing notifications
  • locking device’s screen

Once infected, Cerberus first hides its icon from the application drawer and then asks for the accessibility permission by masquerading itself as Flash Player Service. If granted, the malware automatically registers the compromised device to its command-and-control server, allowing the buyer/attacker to control the device remotely.

To steal users’ credit card numbers, banking credentials and passwords for other online accounts, Cerberus lets attackers launch screen overlay attacks from its remote dashboard.

For any Cyber Security information contact help@theweborion.com