Cerberus
Cerberus is an Android banking trojan that is rented out on underground forums and marketplaces. Before it was offered for rent, its authors claim it was used in private operations for two years.[1]
Techniques Used
Domain | ID | Name | Use
---|---|---|---
Mobile | T1432 | Access Contact List |
Mobile | T1418 | Application Discovery |
Mobile | T1412 | Capture SMS Messages |
Mobile | T1476 | Deliver Malicious App via Other Means | Cerberus has been delivered to the device via websites that prompt the user to "[…] install Adobe Flash Player" and then download the malicious APK to the device.[2]
Mobile | T1407 | Download New Code at Runtime | Cerberus can update its malicious payload module on command.[1]
Mobile | T1523 | Evade Analysis Environment | Cerberus avoids analysis by activating its malicious functionality only after the accelerometer has recorded a certain number of steps, a count that an emulator or sandbox with a static accelerometer typically never reaches.[1]
Mobile | T1417 | Input Capture |
Mobile | T1516 | Input Injection | Cerberus can inject input to grant itself additional permissions without user interaction and to prevent its own removal.[1][3]
Mobile | T1411 | Input Prompt | Cerberus can generate fake notifications and launch overlay attacks against attacker-specified applications.[1]
Mobile | T1478 | Install Insecure or Malicious Configuration | Cerberus disables Google Play Protect to prevent its discovery and deletion in the future.[1]
Mobile | T1430 | Location Tracking |
Mobile | T1444 | Masquerade as Legitimate Application | Cerberus has pretended to be an Adobe Flash Player installer.[2]
Mobile | T1406 | Obfuscated Files or Information | Cerberus uses standard payload and string obfuscation techniques.[1]
Mobile | T1582 | SMS Control |
Mobile | T1437 | Standard Application Layer Protocol |
Mobile | T1508 | Suppress Application Icon | Cerberus hides its icon from the application drawer after being launched for the first time.[1]
Mobile | T1426 | System Information Discovery | Cerberus can collect device information, such as the default SMS app and device locale.[1][3]
Mobile | T1509 | Uncommonly Used Port |
Mobile | T1576 | Uninstall Malicious Application |
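
The table lists capabilities, but an analyst triaging a suspicious APK wants them turned into concrete things to look for. The script below is an added example written for this page, not code from ATT&CK or from Cerberus itself: it maps manifest permissions and dex-level framework references to the technique IDs in the table (SMS permissions to T1412, an AccessibilityService to T1417/T1516, a step-counter sensor reference to the T1523 sandbox gate, `setComponentEnabledSetting` to the T1508 icon hiding, `DexClassLoader` to T1407, a "Flash Player" label to T1444). The input format (decoded manifest text plus a set of smali-style identifiers), the sample manifest and the rule thresholds are the example's own assumptions; the sample data is constructed, not taken from a real Cerberus build.

```python
"""Static triage of a decoded APK against the technique table above.

Added analyst example: the inputs are a decoded AndroidManifest.xml (as
produced by apktool, for instance) and the set of Android framework
identifiers the app's dex code references (as a disassembler would list them).
Every rule below is a heuristic keyed to an ATT&CK Mobile technique ID from
the table; a hit is a lead for a reverser, not proof of malicious intent.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest permission -> technique it enables.
PERMISSION_RULES = {
    "android.permission.READ_CONTACTS": "T1432",          # Access Contact List
    "android.permission.RECEIVE_SMS": "T1412",            # Capture SMS Messages
    "android.permission.READ_SMS": "T1412",
    "android.permission.SEND_SMS": "T1582",               # SMS Control
    "android.permission.ACCESS_FINE_LOCATION": "T1430",   # Location Tracking
    "android.permission.ACCESS_COARSE_LOCATION": "T1430",
    "android.permission.SYSTEM_ALERT_WINDOW": "T1411",    # overlay for Input Prompt
    "android.permission.REQUEST_INSTALL_PACKAGES": "T1476",
}

# A service bound with this permission is an AccessibilityService, the
# primitive behind both Input Capture (T1417) and Input Injection (T1516).
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Dex-level identifiers (smali-style) -> technique.
CODE_RULES = {
    "Landroid/hardware/Sensor;->TYPE_STEP_COUNTER": "T1523",   # step-count gate
    "Landroid/hardware/Sensor;->TYPE_STEP_DETECTOR": "T1523",
    "Ldalvik/system/DexClassLoader;": "T1407",                 # load code at runtime
    "Landroid/content/pm/PackageManager;->setComponentEnabledSetting": "T1508",
    "Landroid/content/pm/PackageManager;->getInstalledApplications": "T1418",
    "Landroid/provider/Telephony$Sms;->getDefaultSmsPackage": "T1426",
}


def triage(manifest_xml: str, code_refs: set[str]) -> dict[str, list[str]]:
    """Return {technique_id: [evidence, ...]} for every rule that fires."""
    hits: dict[str, list[str]] = {}

    def add(tid: str, evidence: str) -> None:
        hits.setdefault(tid, []).append(evidence)

    root = ET.fromstring(manifest_xml)
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in PERMISSION_RULES:
            add(PERMISSION_RULES[name], name)

    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM:
            svc_name = svc.get(ANDROID_NS + "name", "?")
            add("T1417", f"accessibility service {svc_name}")
            add("T1516", f"accessibility service {svc_name}")

    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    if "flash player" in label.lower():     # masquerade seen in the table
        add("T1444", f"application label {label!r}")

    for ref in sorted(code_refs):
        for needle, tid in CODE_RULES.items():
            if needle in ref:
                add(tid, ref)
    return hits


# Constructed sample input, modelled on the dropper behaviour in the table.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashplayer">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Adobe Flash Player">
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

SAMPLE_CODE_REFS = {
    "Landroid/hardware/Sensor;->TYPE_STEP_COUNTER:I",
    "Landroid/content/pm/PackageManager;->setComponentEnabledSetting(Landroid/content/ComponentName;II)V",
    "Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V",
}


def run_sample() -> dict[str, list[str]]:
    """Run the triage over the constructed sample and return the hit map."""
    return triage(SAMPLE_MANIFEST, SAMPLE_CODE_REFS)


if __name__ == "__main__":
    for tid, evidence in sorted(run_sample().items()):
        print(tid, "<-", "; ".join(evidence))
```

Every rule here is a necessary-but-not-sufficient indicator: a legitimate SMS client requests `RECEIVE_SMS`, and a fitness app references `TYPE_STEP_COUNTER`. What makes the sample suspicious is the combination (a "Flash Player" label, an accessibility service, overlay permission and a step-count gate in one package), so treat the hit map as input to a reverser's priority list rather than as a verdict.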