A currency converter application in the Google Play store was found to be designed to deliver the Cerberus banking Trojan. The app, which was downloaded by more than 10,000 users, was discovered by researchers from AVAST.
The malware-as-a-service Cerberus appeared in the threat landscape in August 2019. It is an Android RAT developed from scratch that does not borrow code from other malware.
The malicious code was first analyzed by researchers at Threat Fabric, and according to them Cerberus implements features similar to other Android RATs. It lets operators take full control over infected devices.
The malware implements banking Trojan capabilities such as overlay attacks, the ability to intercept SMS messages and access to the contact list.
Its full feature set includes taking screenshots, recording audio, keylogging, sending, receiving and deleting SMS messages, stealing contact lists, forwarding calls, collecting device information, tracking device location, stealing account credentials, disabling Play Protect, downloading additional apps and payloads, removing apps from the infected device, pushing notifications and locking the device’s screen.
The authors also implemented the ability to steal 2FA codes from the Google Authenticator app by abusing Accessibility privileges.
The app was disguised as a Spanish currency converter called “Calculadora de Moneda” and it targeted users in Spain.
According to the analysis report published by AVAST, the app hid its malicious intentions for the first few weeks it was available on the store. This was likely done to quietly acquire users before starting any malicious activity that could have attracted the attention of malware researchers or Google’s Play Protect team; during that period the app was downloaded more than 10,000 times. The issue was reported to Google so that the app could be taken down.
The bogus app was initially used as a dropper and was updated later. The researchers from Threat Labs found that the malicious code was receiving commands from a C2 server to download the Cerberus banker in the form of an APK.
The Cerberus banking Trojan monitors the user’s activity and displays fake login pages when the victim opens certain banking applications. The Trojan can steal the user’s login credentials and bypass two-factor authentication.
The command and control server then disappeared and the currency converter app on Google Play no longer contained the malicious code. This is a technique used by the operators to avoid detection.
AVAST recommends that users make sure they are using a verified banking app, enable two-factor authentication, download applications only from trusted app stores, check the ratings of new applications, and verify the permissions requested by any application. It also suggests using a mobile security solution to stay protected.
Image credits: Information Age