What is Cerberus
Here, we’re not talking about the antitheft app for Android that is also named “Cerberus”. We’re talking about a banking trojan developed for Android back in June of 2019. ThreatFabric has found that this Android malware has recently been enhanced with new tricks of a Remote Access Trojan (RAT). It can give cyber criminals remote access to the infected device. It can be any device that can install apps, including phones and tablets.
Cerberus has some scary power over the infected device. It can download and remove apps, as well as disable Play Protect. Play Protect helps keep Android devices safe by scanning apps for malware, so being able to disable it allows Cerberus to download more malware.
The horror doesn’t end there. Cerberus also functions as invasive spyware, with its ability to steal files, take screenshots, record audio, read your location, change device settings, and grab your credentials, including the key for your screen. On top of that, Cerberus has access to SMS messages and phone calls. Pretty much anything that a criminal could do to your phone in person, they can do using Cerberus.
With the stolen screen locking pattern (or PIN code), criminals can unlock and use the infected phone at any time without the victim’s notice.
Banking Trojan
As banking has become more easily available online, cybercriminals began trying to exploit that. Banking trojans are malicious apps designed to steal people’s money from their online bank accounts. Trojans are malware designed to look like safe, useful apps. Often, people download and install these apps intentionally, not realizing that they’re inviting malware on their device.
2-factor authentication is enough to protect your bank account from most threats, but Cerberus now may have a way around it: it can steal the codes generated by Google Authenticator.
Google Authenticator is an app that some websites and apps use for the second step of authentication. You can download Google Authenticator from the App Store and use it to confirm your identity for whatever sites and services accept it.
ThreatFabric, the authors of the new Cerberus’ analysis, pointed out that these new functions might not yet be released. So, this is something to be careful of in the near future.
Like Emotet, Cerberus is malware-as-a-service: it’s developed by one team, but used by many others. Multiple groups of cybercriminals rent Cerberus and then use it to stage and commit their own crimes. This allows Cerberus to be highly targeted. Your language, location, and your bank or business, however niche, can still be a lucrative target for a specialized team of hackers.
How to stay safe
Besides Cerberus, there are many other mobile spyware and Trojan infections: RedDrop (spyware), Judy (an ad clicker), AnubisCrypt (ransomware), GhostTeam (info stealer), etc. Luckily, there are ways to protect yourself – or at least to improve your security. Cybercriminals tend to look for the easiest targets, so even security that is less than perfect can be immensely helpful.
A small malware infection, such as adware, often leads to a more serious infection. So it’s important to stop the problem before it can even occur. You have a better chance avoiding Cerberus and other mobile malware by keeping a few tips in mind:
- use a good antivirus app,
- install apps from trusted sources,
- only install official apps,
- check the developers of the apps you download,
- refuse intrusive and unnecessary permissions,
- be careufl of phishing messages.
Consider using a reputable security program on your device. Some Cerberus versions are detected by many mobile antivirus tools, here is an example on VirusTotal (fnd more in ThreatFabric’s post). Also, install all software updates for your Android and your apps. Software updates often include important security patches that were recently discovered.
RATs like Cerberus tend to come to phones and tablets inside of infected or fake apps. These apps may be copies of real apps and have full functionality as it’s described on their store pages – and still be malicious. So, always download apps from the Play Store and check their permissions to make sure they’re justified. Do not grant permission if it doesn’t make sense to you. Also, don’t download hacked apps or apps from uncertain sources.
Finally, be very careful of scam and phishing messages, emails, and sites. If you get a prize for a competition you didn’t participate in, be careful, because it’s probably a scam. If a site asks for your password when you’re already logged in, check if you’re not on a fake site. Your stolen credentials could be used to hack your accounts later.
ThreatFabric: 2020 - Year of the RAT