Thursday, March 28, 2024

MaaS – Rent an Android Malware “Cerberus” From Underground Forums To Control Any Android Device Remotely

Researchers discovered a new Android malware “Cerberus” that is being rented (Malware-as-a-service) on underground forums for the last two year and the malware used for various private operation.

Unlike other banking trojans such as Anubis that derives the code from other banking trojans, Cerberus developed for several years from scratch and is not using any trojan parts and code.

Android Malware Cerberus

Malware author or threat group who developed this Android malware Cerberus has made a public statement on official twitter account about the malware features, share the Virustotal detection screenshot, promotional videos, and also directly community with security researcher anonymously.

https://www.youtube.com/watch?v=dMu0JzyucZ0

Researchers believe that this kind of unusual behavior for seeking attention and growing the malware rental business.

Before Cerberus, another famous rental malware RedAlert, and Anubis was being sold in underground forums but the life span of this rental malware is less likely no more than 2 years.

“Due to this Cerberus will come in handy for actors that want to focus on performing fraud without having to develop and maintain a botnet and C2 infrastructure”

Cerberus developers using obfuscation technique to evade the detection and protect from analyzing the trojan.

Cerberus Android Malware Infection Process

Once the malware infects the device, it hiding the icon and requesting the permission for the accessibility service privilege.

After gaining the Accessibility service, Cerberus granting the additional privileges such as send messages, make calls without any further user interaction.

During the installation process, it also disables the Google play protect to prevent the detection and gain additional permission to register the infected device with its botnet and waiting for commands from the controller of the malware.

According to Threat Fabric research, Cerberus can perform the following attack without detecting by the security software.

Overlaying: Dynamic (Local injects obtained from C2)
Keylogging
SMS harvesting: SMS listing
SMS harvesting: SMS forwarding
Device info collectionContact list collection
Application listing
Location collection
Overlaying: Targets list update
SMS: Sending
Calls: USSD request making
Calls: Call forwarding
Remote actions: App installing
Remote actions: App starting
Remote actions: App removal
Remote actions: Showing arbitrary web pages
Remote actions: Screen-lockingNotifications: Push notifications
C2 Resilience: Auxiliary C2 list
Self-protection: Hiding the App icon
Self-protection: Preventing removal
Self-protection: Emulation-detection
Architecture: Modular

It is also capable of launch an overlay attack to trick victims to give away sensitive details such as credit card information, banking credentials, mail credentials, and more.

Android Malware Cerberus
Overlay attack to steal Credit card data (Source: Threat Fabric )

“Even though Cerberus have sold in underground forums with a variety of features, it doesn’t contain a full-blown set of Android banking malware features (such as RAT, RAT with ATS (Automated Transaction Script), back-connect proxy, media streaming), or providing an exhaustive target list, Cerberus should not be taken lightly”. researchers said.

Sponsored: Best Practices to Strengthen Cyber Security – Manage all the Endpoint networks from a single Console.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles