Cerberus Android Banking Trojan

Cerberus: Android Banking Trojan Leaked to the Underground and Reused in Modern Attacks

Cerberus is a modular Android banking Trojan that allows attackers to steal credentials, intercept two-factor authentication codes, track keystrokes, and remotely control infected devices. Initially sold via a malware-as-a-service (MaaS) model on underground forums, Cerberus became widespread before its source code was leaked in 2020, leading to a wave of new variants. It remains dangerous due to its extensive capabilities and reuse by low-skilled threat actors.

Introduction to Cerberus

Cerberus abuses Android's accessibility services to automate interactions, record keystrokes, and display fake login overlays over legitimate banking apps. It can forward stolen credentials and OTPs to attackers in real time, enabling full account takeovers. Its MaaS distribution model, paired with a user-friendly control panel, made it accessible to cybercriminals, while the leaked source code ensures continued evolution.

---

1. How Cerberus Works

Infection Mechanism:
Cerberus is delivered through:

• Malicious apps impersonating utilities, Flash players, or productivity tools
• Fake Google Play Store updates
• Third-party app stores and phishing links
• Some campaigns used dropper apps to install Cerberus silently after initial install

Payload Execution:
Once installed and granted accessibility permissions, Cerberus:

• Displays overlay login pages on top of banking apps to steal credentials
• Logs keystrokes entered in any field
• Intercepts SMS messages, including OTPs and 2FA codes
• Captures Google Authenticator codes by taking screenshots
• Sends data to a command-and-control (C2) server in real time
• May install TeamViewer or other remote tools for full remote control

---

2. History and Notable Campaigns

Origin and Discovery:
Cerberus emerged in mid-2019, advertised on dark web forums as a full-featured Android RAT and banking Trojan. It was developed as a commercial malware offering monthly subscriptions to cybercriminals.

Notable Campaigns:

• Used to target banks in Spain, France, Germany, Italy, the U.S., and the U.K.
• In July 2020, the Cerberus source code was leaked on a hacker forum, enabling widespread adaptation
• Post-leak variants began appearing under new names, sometimes modified to evade modern Android defenses
• Integrated into automated phishing kits, fake COVID-19 apps, and crypto wallet scams

---

3. Targets and Impact

Targeted Victims and Sectors:

• Android users in financial, government, and retail sectors
• Victims of phishing campaigns or third-party app store downloads
• Apps from major banks, e-wallets, and cryptocurrency platforms

Consequences:

• Account takeover through stolen login credentials and 2FA codes
• Financial loss from unauthorized transactions
• Exposure of sensitive personal information, including contacts, SMS, and device metadata
• Potential for device hijacking through remote access components

---

4. Technical Details

Payload Capabilities:

• Keylogging and clipboard monitoring
• Overlay attacks on over 200 banking apps
• SMS interception and call log access
• Exfiltration of Google Authenticator codes via screenshots
• Remote control (RAT functionality)
• Anti-analysis features, including emulator detection and code obfuscation

Evasion Techniques:

• Delays execution in sandbox environments
• Uses encryption and dynamic code loading
• Detects emulators or researcher environments and hides behavior
• Can self-delete or uninstall antivirus apps
• Delivered through modular droppers to evade Google Play scanning

---

5. Preventing Cerberus Infections

Best Practices:

• Install apps only from the official Google Play Store
• Avoid side-loading APKs from unknown sources
• Be cautious of apps requesting accessibility or SMS permissions
• Keep Android devices and apps updated regularly
• Use biometric authentication instead of passwords for financial apps

Recommended Security Tools:

• Android antivirus apps with banking Trojan detection (e.g., Bitdefender, Malwarebytes, Avast)
• Google Play Protect, with real-time scanning enabled
• Enterprise Mobile Threat Defense (MTD) platforms
• Alerting systems for users when accessibility is abused

---

6. Detecting and Removing Cerberus

Indicators of Compromise (IoCs):

• Apps requesting unnecessary accessibility permissions
• Unexpected behavior in banking or finance apps
• SMS forwarding or silent notification access
• Sudden battery drain or device overheating
• Obfuscated or oddly named apps installed without consent

Removal Steps:

1. Revoke accessibility permissions from suspicious apps
2. Use a mobile malware scanner to identify and remove Cerberus
3. Perform a factory reset if the device remains compromised
4. Change credentials to any apps accessed on the device
5. Monitor financial accounts and report suspicious activity

Professional Help:
For high-risk users, such as enterprise employees or victims of financial theft, contact mobile security professionals or your organization’s incident response team for forensic review and device replacement.

---

7. Response to a Cerberus Infection

Immediate Steps:

• Power off the infected device
• Use a clean device to reset all passwords and revoke app access
• Inform your bank or financial provider
• If applicable, report fraud and identity theft to authorities
• Avoid restoring from backups unless verified as clean

---

8. Legal and Ethical Implications

Legal Considerations:
Cerberus is classified as malware under most national cybersecurity laws. Its use for credential theft and unauthorized access carries serious criminal penalties for distribution and deployment.

Ethical Considerations:
Despite being a commercial offering, Cerberus has been used almost exclusively for malicious purposes. The leak of its source code has fueled a wave of financial cybercrime, illustrating the broader ethical danger of commercial malware development.

---

9. Resources and References

• ThreatFabric: Cerberus — A new banking Trojan from the underworld
• Cleafy: Android Banking Trojan Reports
• MITRE ATT&CK for Mobile Techniques:
  • T1636.004 (Protected User Data: SMS Messages)
  • T1056 (Input Capture)
  • T1125 (Video Capture)
  • T1429 (Audio Capture)
  • T1406 (Obfuscated Files or Information)

---

10. FAQs about Cerberus

Q: What is Cerberus malware?
An Android banking Trojan that steals credentials, bypasses 2FA, and enables remote control of the infected device.

Q: How does Cerberus spread?
Through malicious apps, phishing, fake updates, or dropper apps from unofficial sources.

Q: Can Cerberus steal 2FA codes?
Yes — it intercepts SMS-based OTPs and can screenshot Google Authenticator codes.

Q: Is Cerberus still active?
The original service shut down, but many variants live on, repackaged and reused due to the leaked source code.

---

11. Conclusion

Cerberus remains a cautionary tale of what happens when commercial malware escapes into the wild. Originally a premium tool for cybercriminals, its leaked code has led to countless clones and attacks. Defending against Cerberus requires a combination of user vigilance, mobile security tools, and strict app permission controls.

 

 

« Back to the Virus Information Library

« Back to the Security Center