In June 2019, cyber security researchers announced the discovery of Android banking malware named Cerberus. They found that unlike older banking malware, such as Anubis 2 and RedAlert 2 that use string obfuscation to evade detection, Cerberus, which claims to be fully undetectable (FUD), infects devices by masquerading as an Adobe Flash Player installation to gain access permission. It also does not show up in the device’s application drawer but later abuses the accessibility permission to allow an attack using botnet and C2 server.
Researchers say that the malware uses the infected device’s accelerometer to evade being analyzed in sandboxes or on test devices. After ascertaining the device is an actual device this way, the Trojan considers device to be safe to operate. It then activates the bot to attack the affected device.
Malware researchers at ESET, a Europe-based cyber security lab, however, says that what differentiates Cerberus from previous banking malware is its creators’ use of the social media platform Twitter to pitch their creation out of the dark web, the place where generally banking malware is usually marketed to stay under the radar.
In fact, the creators of Cerberus have been audacious by openly engaging in discussion with the developer community on Twitter, and even mocking its members at times. In one of the tweets posted by ESET detailing Cerberus’ modus operandi in August last year, the Twitter handle @AndroidCerberus replied “nice job) with love from Ukraine <3,” while the handle profile says that the creator is based in Texas, USA. It is not, however, independently verifiable where Cerberus’ creator is based.
A few months later in September 2019, the security firm Buguroo revealed that it had detected a new version of Cerberus targeting Spanish and Latin American entities.
Until recently the Twitter account was also being used to promote the malware, with the account brazenly purporting to help “people who want to plunge into the black business” with discounts and support. A tweet containing the pricing information was tweeted on November 28, 2019. It said that the malware was available for USD 3,500 with a three-month license, USD 5,500 with a six-month license, and USD 9,000 with a 12-month license. It said that the malware could be rented after contacting the seller via a thread on a Russian Cross-Site Scripting forum xss.is.
In October 2019, the same account tweeted that new injections had been added that indicated that the malware was then capable of targeting banks in the US, Australia, Italy, India (SBI and ICICI), Turkey, The Netherlands, France, Spain, and the UK. It also claimed that the Amazon shopping app and CoinBase could be infected too. Another mobile security website has reported that the target countries now also include entities in Latin American countries. The developers’ Twitter account says that the full list of entities can be accessed via the forum.
In late December 2019, the same Twitter account said that the developers’ Telegram account was blocked and that those intending to buy the malware could inquire via the XMPP instant messaging service Jabber.
In January 2020, the same account tweeted that it had stopped using Twitter and moved entirely to the xss.is forum with links to its thread and profile, which was named Cerberus v2, indicating that its developers are now selling a newer version of the malware.
Banking malware is not a new phenomenon, and, over the years, new players have emerged when older ones stop receiving support, their source code is leaked, or law gets better of their developers. When one malware goes out of business, developers usually copy its source code to develop new ones. However, such malware are relatively easy to detect and do not stay in the market for long, as detection software tend to catch them with relative ease. Nevertheless, the demand for such malware dictates the emergence of new players from time to time. Before Cerberus came to the market in 2019, RedAlert and Anubis were the dominant players. However, it is believed that while the developer behind RedAlert decided to quit, the players behind Anubis were arrested even though a few clones of the latter having the same source code – its source code was leaked – appeared on the dark web. Nevertheless, their void was filled by the emergence of Cerberus, which, its developers claim, is unique because its source code has been written completely from scratch.
The Cerberus malware can harvest contact lists, control the SMS feature, and steal things like passwords in the infected device by capturing the screen overlay. It then passes on that data back to the operator of the attack via the C2 server. Unlike other malware, Cerberus’ developers themselves are not known to attack victims directly. Instead, as stated above, the developers license the malware to interested parties who generate the malicious APKs through its inbuilt automated tool. This means that the attack will not be limited to a handful of entities, but will infect whoever its “renters” choose to target, thus giving it a world-wide scope.
Alongside the standard evasion techniques utilized by malware, Cerberus uses another trick. It uses the pedometer function in the smartphone to hold off from activating and subsequently being detectable until a certain specified step count is reached. If the victim is a real person, then the malware will eventually correctly activate. However, if any sandboxes or other tests used by malware analysts are used, it will remain invisible. Once on the device, it will hide its icon from the application drawer and request the accessibility service privilege, after which it will go on to grant itself further permissions until it can do all manner of things, from overlay attacks, SMS harvesting, device information collection, and remote installs among 19 other features it has at its disposal.
Attacking Two-Factor Authenticators
It is being reported on security blogs that since the start of the year, the malware’s samples may also have acquired a feature to extract and steal passcodes from Google’s two-factor authentication (2FA) app, called Authenticator, for several accounts. The Authenticator app is an alternative to SMS-based authentication method. These stolen codes can be used to bypass the additional 2FA security layer on online services, such as banks, email services, messaging apps, and social media networks. While SMS-based authentication uses unsecure network to deliver the passcode, the Authenticator app generates a six-to-eight-digit passcode in the user’s device itself and is therefore considered to be more secure. Cerberus’ 2FA code theft module is not the first one spotted in the wild so far, with previous cases of malware capable of this stunt being discovered by the cyber security companies ESET and Symantec. Those strains were targeting SMS-based two-factor authentication to bypass 2FA protection.
The ability to sidestep multi-factor authentication – something very few malware strains have previously been able to execute – positions Cerberus among an elite class of Trojans. However, the new version of Cerberus, launched in January 2020, uses the accessibility privileges it had already gained to read the passcode generated by the Authenticator app and sends it back to the handling C2 server. The researchers say that the version being sold on various dark web hacking forums still does not have this feature. They believe that it could be due to the reason is that the feature is still be in the testing phase. Nevertheless, the present version of the malware can already gain access to the contact list of a victim’s device, send SMSes, take screenshots, and steal user credentials.
Researchers from Nightwatch Cybersecurity delved into the root cause that enabled this attack, that is, the Authenticator app which allowed its content to be screenshot in the first place. The Android OS allows apps to protect their users by blocking other apps from being able to take screenshots of their content. This is done by adding a “FLAG_SECURE” option inside the app’s configuration. Researchers found that Google did not add this flag to the Authenticator app despite the fact that the app handles significantly sensitive content. The Nightwatch researchers feel that Google could have fixed this issue as early as October 2014, when this misconfiguration was first brought to its attention by someone on GitHub. Furthermore, Nightwatch researchers raised this very point again in 2017, when they reported it to Google’s security team. In addition, they also found that Microsoft’s Authenticator app for Android also featured (and still features) the same misconfiguration that allows its screen to be captured as a screenshot.
What is surprising is that the newer version of Cerberus comes with even superior capabilities, as it uses the new TeamViewer-based remote-access Trojan (RAT) capability that allows it to gain access to the file system of the infected device, giving the handlers full access to the device. The access, researchers say, can give handlers the power to change the device’s settings as well as install or uninstall any app, in addition to using the full functionality of any app just like its owner can. It further allows handlers to track the infected device. They argue that RATs make fraudulent transactions substantially harder to detect as they are made from the victim’s phone and needs a solution that is embedded in the victim’s phone to be detected.
This new RAT module can be used by Cerberus’ operators to manage apps on the infected Android devices, change a device’s settings, as well as use any of the apps installed, just like the device’s owner can. Using RAT capabilities, the malware can simply prompt the infected device’s user to unlock their device using an overlay. It then goes on to steal the victims’ screenlock codes or credentials and then remotely unlocks the device to perform a malicious act when the victim is not using the device.
Given that the newer version of the malware now comes with overcoming the 2FA used in most banking apps, it can even perform malicious task on apps that have an extra layer of security. Significantly, this means that hackers have now capabilities to create malware that virtually brings app-based 2FA to the same security level as the SMS-based 2FA.
In February 2020, a malware researcher discovered a coronavirus-themed Android application which, many say, belongs to the Cerberus malware family. While it cannot be confirmed independently who developed the app, the purported Twitter account reacted to the researcher’s tweet saying, “nice.” The researcher highlighted in her tweet that the app is a variant of the Cerberus malware.
Limitations and Protection
It is hard to put defenses up for a malware whose USP is that it is undetectable. Cerberus’ creators have the unusual habit of trolling the AV community via screenshots of how many anti-virus software are unable to detect it. In July 2019, after posting a screenshot of eight AV software being able to detect the malware, the Twitter account posted on the same day another screenshot highlighting how the Cerberus creators had filled the lacunae, taunting that “All AV is NOOBS!!!!”
Hacking forums are where a malware like this is put up for sale or rental. While less advanced versions of Cerberus have been up for a while on such forums, thankfully its most advanced version has not been spotted there yet. So, mass use of the malware is yet to be a risk. It seems the only versions out there currently are being used privately. So, for now, at the very least, the scale of this problem is not too large. If this malware does, however, get posted to one of these forums and becomes publicly available, it has the potential to be a global problem.
Security professionals can help their organizations defend against Cerberus malware and similar threats by investing in a unified endpoint management (UEM) platform for the purpose of monitoring mobile devices and tracking how they report to the network environment. Companies should also leverage artificial intelligence-powered tools to track threats like Cerberus that use evasion tactics and other techniques to fly under the radar.
Cyber security experts advice that users should be careful what they download or attach to the device. Using an infected flash drive, for example, can also expose a device to potential risk if it is already infected. Experts advise that users should click on links with caution, especially those inside spam emails or text messages from unknown sources.
In addition, from an app developer’s perspective, security experts recommend a mobile application security layer, such as provided by AppSealing, to protect an app from a malware attack or unauthorized attack. Since AppSealing’s dashboard allows real-time analytics on attacks made on an app, its developers can smell a fishy activity instantly and offer a remedy to their users.
To secure your applications without any additional coding, click on the link below to know more about AppSealing and sign-up for a free trial.