Android banking trojan stealing money: no antivirus software can detect it
Threat actors are actively targeting Android users with a new variant of the Cerberus Android banking trojan. The malware, in development since 2019, has evolved to dynamically switch command and control servers and its sophisticated infection chain complicates detection and removal, the Cyble Research and Intelligence Labs (CRIL) reports.
Cybercriminals have been ramping up dangerous attacks since September.
At the time of Cyble's analysis, no antivirus engine on VirusTotal flagged the retooled version of Cerberus. To evade detection, the trojan now relies on session-based droppers, native libraries, and encrypted payloads. Once installed, it performs keylogging, overlay attacks, and remote control over VNC (Virtual Network Computing, a remote screen-sharing protocol).
The campaign generates domains on the fly using a Domain Generation Algorithm to change command and control (C&C) servers.
Cyble researchers first suspected they were looking at a completely new malware variant. A deeper analysis revealed code similarities to Cerberus, which was first identified in 2019. They dubbed the new campaign ErrorFather after the corresponding Telegram Bot ID.
“We have identified approximately 15 samples related to the ErrorFather campaign, including session-based droppers and their associated payloads,” the researchers said.
They noted that the attacks are ongoing, and some C&C servers are still active.
Attackers rely on users making a mistake, namely falling for social engineering lures. The malware masquerades as legitimate banking or authentication apps or updates, borrowing Google Play and Chrome icons, and is distributed through phishing sites.
How is the new fork different?
The Cerberus Android banking trojan was first identified in 2019 on underground forums as a malware-for-rent tool used for financial fraud. After its source code leaked, the codebase was quickly expanded into multiple forks, some of which targeted hundreds of financial and social media apps.
The current campaign uses a multi-stage dropper. The first stage is an application that drops and installs the second stage from its assets. It does so through a session-based installation (the package-installer session API that app stores use), which sidesteps Android's restricted settings, the safeguard that otherwise stops a sideloaded app from being granted accessibility or notification-listener access.
The second-stage dropper's manifest declares dangerous permissions and services, but the corresponding code is absent from the APK, which indicates that the sample is packed. At runtime it immediately loads and decrypts a file and executes it as the final payload.
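The two tells described above, a dropper that declares the permissions and components it needs while the classes behind them are missing from the dex, can be checked statically before anything is executed. The following triage script is an added example written for this page, not Cyble's tooling or anything from the samples. It parses a decoded AndroidManifest.xml, flags high-risk permissions, finds services bound to the accessibility permission, and reports declared components that have no class in the dex listing. The manifest, the dex class list, the package name com.example.update and the HIGH_RISK_PERMISSIONS list are all constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Assumption: a minimal triage list for a sideloaded "update" app, not exhaustive.
HIGH_RISK_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",  # dropper: installs the next stage
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.SYSTEM_ALERT_WINDOW",       # overlays
}

# Constructed decoded manifest in the shape of a second-stage dropper (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Update">
    <activity android:name="com.example.update.MainActivity"/>
    <service android:name="com.example.update.AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsReceiver"/>
  </application>
</manifest>
"""

# Constructed class list, as a dex listing (dexdump, androguard) would report it.
# Only the launcher activity and a small loader exist; the declared service and
# receiver have no implementation, the packed-payload tell described above.
SAMPLE_DEX_CLASSES = {
    "com.example.update.MainActivity",
    "com.example.update.Loader",
}


def resolve_name(name, package):
    """Expand a relative component name (".Foo" or "Foo") to its qualified form."""
    if name is None:
        return None
    if name.startswith("."):
        return package + name
    if "." not in name:
        return f"{package}.{name}"
    return name


def declared_permissions(root):
    return {el.get(ATTR_NAME) for el in root.iter("uses-permission") if el.get(ATTR_NAME)}


def declared_components(root, package):
    """Return (kind, qualified name, binding permission) for every app component."""
    app = root.find("application")
    if app is None:
        return []
    comps = []
    for kind in ("activity", "service", "receiver", "provider"):
        for el in app.findall(kind):
            comps.append((kind, resolve_name(el.get(ATTR_NAME), package), el.get(ATTR_PERMISSION)))
    return comps


def triage(manifest_xml, dex_classes):
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    perms = declared_permissions(root)
    comps = declared_components(root, package)
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    a11y = [name for _, name, binding in comps if binding == BIND_A11Y]
    missing = [name for _, name, _ in comps if name not in dex_classes]
    indicators = []
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        indicators.append("can install further packages (dropper behaviour)")
    if a11y:
        indicators.append("declares an accessibility service (keylogging, overlays, auto-clicks)")
    if {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"} & perms:
        indicators.append("reads incoming SMS (OTP interception)")
    if missing:
        indicators.append(f"{len(missing)} declared component(s) have no class in the dex: "
                          "likely packed, real code decrypted and loaded at runtime")
    return {
        "package": package,
        "risky_permissions": risky,
        "accessibility_services": a11y,
        "missing_components": missing,
        "likely_packed": bool(missing),
        "indicators": indicators,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_DEX_CLASSES).items():
        print(f"{key}: {value}")
```

On a real APK, the manifest comes from apktool or androguard's AXML decoder and the class set from the dex parser; the comparison is the same. A component declared in the manifest but absent from every dex file cannot be honoured by a plain install, so its presence almost always means a loader will supply the class later.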
The final stage contains malicious functionalities for keylogging, overlay, remote communication, and personal data collection. It also uses a domain generation algorithm to switch between C&C servers when the primary server is unavailable. Not a single antivirus engine on VirusTotal detected the final payload file.
“After installation and establishing a connection with the main C&C server, referred to by the threat actor as ‘PoisonConnect,’ the malware receives a list of four additional C&C servers,” the researchers said.
The malware encrypts its C&C traffic and uses the Istanbul time zone for its date and time values.
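The failover logic outlined above (hardcoded primary, the four servers handed out by the primary, then domains produced by a date-seeded DGA) is easier to reason about in code, both from the client's side and from the defender's side, where the same generator lets you precompute tomorrow's domains for a DNS blocklist. The block below is an added illustration written for this page; the Cerberus fork's actual algorithm is not published in the article, so the hashing scheme, the salt, the 12-character labels, the TLD set and the fixed UTC+3 offset standing in for Europe/Istanbul are all assumptions of the example. The point it demonstrates is the Istanbul date rollover and the ordering of fallback candidates, not the real family's domains.

```python
import hashlib
from datetime import date, datetime, timedelta, timezone

# Assumption: Türkiye has used UTC+3 year-round since 2016, so a fixed offset
# stands in for Europe/Istanbul without needing tzdata on the host.
ISTANBUL = timezone(timedelta(hours=3), "Europe/Istanbul")
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
TLDS = ("com", "net", "org")        # assumption for the example
LABEL_LEN = 12                      # assumption for the example
SALT = "example-dga-seed"           # assumption; not the real family's key material


def seed_date(now=None):
    """Date that seeds the DGA, taken in the Istanbul time zone (rolls over at 21:00 UTC)."""
    now = now or datetime.now(tz=timezone.utc)
    return now.astimezone(ISTANBUL).date()


def generate_domains(day, count=5, salt=SALT):
    """Hypothetical date-seeded DGA: sha256(salt|date|index) -> base36 label."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{salt}|{day.isoformat()}|{i}".encode()).digest()
        n = int.from_bytes(digest[:8], "big")
        label = ""
        for _ in range(LABEL_LEN):
            label += ALPHABET[n % len(ALPHABET)]
            n //= len(ALPHABET)
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def failover_candidates(primary, received, day):
    """Order in which the client tries C&C hosts: the hardcoded primary, the
    servers received from it, then the day's generated domains."""
    return [primary, *received, *generate_domains(day)]


def select_c2(candidates, reachable):
    """First candidate for which reachable(domain) is true, or None if all are down."""
    for domain in candidates:
        if reachable(domain):
            return domain
    return None


def blocklist(start, days=3):
    """Defender side: precompute domains for start .. start+days-1 so DNS logs
    can be matched before the malware ever falls back to them."""
    out = []
    for d in range(days):
        out.extend(generate_domains(start + timedelta(days=d)))
    return out


if __name__ == "__main__":
    day = seed_date()
    generated = generate_domains(day)
    # Constructed scenario: primary and received servers are down, the third
    # generated domain answers. A real reachable() would do a TLS/HTTP probe.
    up = {generated[2]}
    cands = failover_candidates("primary.example", ["c2-a.example", "c2-b.example"], day)
    print("candidates:", cands)
    print("selected:", select_c2(cands, lambda d: d in up))
    print("blocklist:", blocklist(day))
```

Two details matter operationally. First, because the seed is the Istanbul date, the domain set changes at 21:00 UTC, not at midnight local time for a victim elsewhere, so a blocklist generated on a UTC calendar will lag by a few hours around the boundary. Second, the generated domains are last in the candidate list: they only appear in DNS logs once the static servers have been taken down, which is exactly when defenders should expect to see them.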
The Cerberus fork carries out many malicious activities on the device. It sends data such as key logs, app lists, contacts, captured screenshots, device status, and other logs and data. It can also steal SMS or send messages, record audio, and make calls.
When the potential target (app) is identified, the malware overlays a fake phishing page over the legitimate app to trick the victim into entering login credentials or credit card details.
The malware can mimic user interaction, performing clicks and various gestures to input data and uninstall itself when the attackers are done.
Cyble researchers recommend sticking with the best security practices, such as only downloading official apps from official sources, ensuring that Google Play Protect is enabled, being careful with permissions, not clicking on suspicious links delivered to the phone via SMS or emails, among other things.