Cerberus

Recap from the September 26th, 2019 CISO/Security Vendor Relationship Podcast

by Lydia Pert

You have probably heard about some Android Trojans like Anubis, Red Alert 2.0, GM bot, and Exobot — these pesky viruses have already made their rounds and done a fair share of damage. Although they are no longer circulating in the malware-as-a-service realm, a new version with similar capabilities has appeared on the Internet, offering Android bot rental services to anyone with the desire to buy.

This new Android malware is called Cerberus, and it steals credentials by using a downloaded fake app. This malware avoids detection by using the phone’s accelerometer to confirm that the infected target is a real device — and not on the screen of a security analyst. The app actually counts a number of physical footsteps taken by the phone’s owner, and deploys once the required number has been reached. According to ESET researcher Lukas Stefanko, more than 560,000 users have downloaded Cerberus infected apps onto their phones.

Cerberus gains accessibility permission by masquerading itself as Flash Player Service. If permission is granted, the malware automatically registers the compromised device to its command-and-control server, allowing the buyer/attacker to control the device remotely. Here’s a shortlist of what this malware can do:

  1. take screenshots
  2. record audio
  3. record keylogs
  4. steal contact lists
  5. forward calls
  6. collect device information
  7. track device location
  8. steal account credentials

According to The Hacker News, Cerberus lets attackers launch screen overlay attacks from its remote dashboard to steal users' credit card numbers, banking credentials, and passwords. As Swati Khandelwal explained, “In screen overlay attack, the Trojan displays an overlay on top of legitimate mobile banking apps and tricks Android users into entering their banking credentials into the fake login screen, just like a phishing attack.”

This might sound like a consumer issue, but it is wildly relevant to businesses as well because this malware can spread from a single infected device, throughout the entire organizational network. When an employee downloads or installs an infected app or piece of software, the malware can spread throughout the entire device. Once the malware enters the computer, it attaches itself to different files and overwrites the data, and can even travel within the network and infect other connected devices. Just like a sick employee can get the entire office sick, and infected device can cause major issues for the whole business.

Preventing Cerberus

There is no 100% secure way of preventing malware like Cerberus, which means companies must continue to rely on the conjoined forces of their own infosec team paired with an as-a-service specialists to watch for exploitable weaknesses that hide in plain sight. Business leaders should also take the time to get employees caught up on good cyber practices:

  1. Don’t download questionable apps.
  2. Remove unused software and programs.
  3. Don’t engage with suspicious emails.
  4. Don’t call fake tech support numbers.
  5. Don’t believe random phone calls.
  6. Use strong passwords and/or password managers.
  7. Make sure you’re on a secure connection.
  8. Log out of websites after you’re done.
  9. Use firewall, anti-malware, anti-ransomware, and anti-exploit technology.
  10. Invest in a reputable VPN.

By ensuring that employees are being responsible with work devices, you can reduce the chances of someone bringing he Cerberus malware to work.

Share this story:

Disabling a Firewall
KNOB Attack
IoT Data