Saturday, January 25, 2025
HomeAndroidHackers Breached MDM Servers to Install Banking Malware on Android Devices

Hackers Breached MDM Servers to Install Banking Malware on Android Devices

Published on

SIEM as a Service

Follow Us on Google News

Security researchers uncovered that hackers had breached at least 75% of the MDM (Mobile Device Manager) server to install banking malware on Android devices in wide.

MDM is also recognized as EMM (Enterprise Mobility Management); it is a mechanism that is generally used by most of the companies. The company who register for enterprise-owned projects with the corresponding command server to get it more comfortable to accomplish tasks such as addressing company-wide device arrangements, disposing applications, and many more.

But, this recent conflict has now infected across 75% of the company’s devices globally. After installing it, this dangerous Cerberus variant can accumulate huge amounts of delicate data, that comprises users’ private data, and transfer it to a remote command and control (C&C) server.

Cerberus is a banking trojan, and it was initially spotted in June 2019. It simply uses a Malware-as-a-Service (MaaS) business model and allowing the clients who borrow their services to lower their payloads. And not only that, even they also allow the attackers to configure and control the devices that are compromised during their attacks.

HTML popup to steal user’s Gmail credentials.

Factory Reset all registered Devices

After getting access to the company server, which is the MDM, the hackers then start deploying the application, and after that, they managed to breach nearly 75% of companies’ Android devices.

When two malicious apps got installed on a vast number on the company’s devices within a short time, the researchers got curious, and they started to detect the conflict with the help of the breached MDM server.

Here’s what the researchers at Check Point have stated, “This is the first time we have a reported incident of mobile malware distribution that uses the MDM server as an attack vector.”

Moreover, the security researchers at Check Point has also concluded that to get rid of this malware and the ability of the attacker to control the infected Android devices, companies should immediately factory reset all the Android devices registered with the compromised MDM server.

MDM
payload module can receive from the C&C

Securing Access to Compromised Devices

Well, Cerberus simply ensures access to the compromised devices just by preventing the victims’ efforts to uninstall the TeamViewer app.

Apart from this, it obtains admin rights, and simply retard the users to uninstall any apps it requires to execute its ill-disposed tasks and it goes the same with the malware as it simply blocks any users who are trying to remove the app.

MDM
Popup window asking the user to update Accessibility Service.

Moreover, the Cerberus also deactivates the built-in Android malware security system, Google Play Protect, simply by exploiting the Accessibility Service mainly on compromised Android devices as it prevents automatic removal and detection.

MDM

“Managing this type of device implies installing the application, configuring settings, and implementing different types of policies on various devices at a time,” security researchers said.

We can state that this conflict illustrates the significance of knowing the variation between managing and securing mobile devices.

Whereas MDM contributes an accessible method to handle those devices, and more importantly, the security cannot be neglected. But, the conflict of this type happened for the first time, and now people will understand the necessity of managing and securing the devices. 

So, what do you think about this? Simply share all your views and thoughts in the comment section below.

Indicators of Compromise

C2 Server – 91.210.169[.]114

Package NameApplication Namesha256
com.wjnjrmigikmpher.efaunxmGoogle Play 1.04254670ea5f353263570792a8ff4a1e6ea35999c2454fa1ec040786d7be33b69
com.dfxsdgr.qvoorGoogle 1.06291192d0c2
f6318f9a4f345203b35cfe140be53889f9fefdd8e057a4f02e898
com.sakkkwyl.ncceberwpdhfqGTA V 1.03ef8349d4b717d73d31366dfbe941470e749222331edd0b9484955a212080ad8

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Murdoc Botnet Exploiting AVTECH Cameras & Huawei Routers to Gain Complete Control

Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc,...