Tuesday, November 12, 2024
HomeAndroidMaaS - Rent an Android Malware "Cerberus" From Underground Forums To Control...

MaaS – Rent an Android Malware “Cerberus” From Underground Forums To Control Any Android Device Remotely

Published on

Malware protection

Researchers discovered a new Android malware “Cerberus” that is being rented (Malware-as-a-service) on underground forums for the last two year and the malware used for various private operation.

Unlike other banking trojans such as Anubis that derives the code from other banking trojans, Cerberus developed for several years from scratch and is not using any trojan parts and code.

Android Malware Cerberus

Malware author or threat group who developed this Android malware Cerberus has made a public statement on official twitter account about the malware features, share the Virustotal detection screenshot, promotional videos, and also directly community with security researcher anonymously.

- Advertisement - SIEM as a Service
https://www.youtube.com/watch?v=dMu0JzyucZ0

Researchers believe that this kind of unusual behavior for seeking attention and growing the malware rental business.

Before Cerberus, another famous rental malware RedAlert, and Anubis was being sold in underground forums but the life span of this rental malware is less likely no more than 2 years.

“Due to this Cerberus will come in handy for actors that want to focus on performing fraud without having to develop and maintain a botnet and C2 infrastructure”

Cerberus developers using obfuscation technique to evade the detection and protect from analyzing the trojan.

Cerberus Android Malware Infection Process

Once the malware infects the device, it hiding the icon and requesting the permission for the accessibility service privilege.

After gaining the Accessibility service, Cerberus granting the additional privileges such as send messages, make calls without any further user interaction.

During the installation process, it also disables the Google play protect to prevent the detection and gain additional permission to register the infected device with its botnet and waiting for commands from the controller of the malware.

According to Threat Fabric research, Cerberus can perform the following attack without detecting by the security software.

Overlaying: Dynamic (Local injects obtained from C2)
Keylogging
SMS harvesting: SMS listing
SMS harvesting: SMS forwarding
Device info collectionContact list collection
Application listing
Location collection
Overlaying: Targets list update
SMS: Sending
Calls: USSD request making
Calls: Call forwarding
Remote actions: App installing
Remote actions: App starting
Remote actions: App removal
Remote actions: Showing arbitrary web pages
Remote actions: Screen-lockingNotifications: Push notifications
C2 Resilience: Auxiliary C2 list
Self-protection: Hiding the App icon
Self-protection: Preventing removal
Self-protection: Emulation-detection
Architecture: Modular

It is also capable of launch an overlay attack to trick victims to give away sensitive details such as credit card information, banking credentials, mail credentials, and more.

Android Malware Cerberus
Overlay attack to steal Credit card data (Source: Threat Fabric )

“Even though Cerberus have sold in underground forums with a variety of features, it doesn’t contain a full-blown set of Android banking malware features (such as RAT, RAT with ATS (Automated Transaction Script), back-connect proxy, media streaming), or providing an exhaustive target list, Cerberus should not be taken lightly”. researchers said.

Sponsored:  – Manage all the Endpoint networks from a single Console.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

The HookBot malware family employs overlay attacks to trick users into revealing sensitive information...

ToxicPanda Banking Malware Attacking Banking Users To Steal Logins

Recent research has uncovered a new strain of malware developed for Android devices, initially...