Cerberus

Cerberus is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of Cerberus claim it was used in private operations for two years.[1]

ID: S0480
Type: MALWARE
Platforms: Android
Contributors: Aviran Hazum, Check Point; Sergey Persikov, Check Point
Version: 1.0
Created: 26 June 2020
Last Modified: 30 June 2020

Techniques Used

Domain ID Name Use
Mobile T1432 Access Contact List

Cerberus can obtain the device’s contact list.[1]

Mobile T1418 Application Discovery

Cerberus can obtain a list of installed applications.[1]

Mobile T1412 Capture SMS Messages

Cerberus can collect and send SMS messages from a device.[1]

Mobile T1476 Deliver Malicious App via Other Means

Cerberus has been delivered to the device via websites that prompt the user to "[…] install Adobe Flash Player" and then download the malicious APK to the device.[3]

Mobile T1407 Download New Code at Runtime

Cerberus can update the malicious payload module on command.[1]

Mobile T1523 Evade Analysis Environment

Cerberus evades analysis environments by activating its payload only after the accelerometer has recorded a certain number of steps.[1]
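Why a stock emulator never trips this gate, as an added example (not Cerberus code, and not from any of the cited reports): a simple peak-counting step detector run over two constructed accelerometer traces, one for a walking user and one for an idle sandbox that only ever reports gravity. The threshold, sample rate and `malware_gate` helper are assumptions chosen for illustration.

```python
import math

GRAVITY = 9.81  # m/s^2, magnitude a resting device reports on the accelerometer


def walking_trace(steps, samples_per_step=20, amplitude=3.0):
    """Constructed accelerometer magnitudes for a walking user: gravity plus a
    sinusoidal bounce with exactly one peak per step (not real sensor data)."""
    trace = []
    for i in range(steps * samples_per_step):
        phase = 2 * math.pi * i / samples_per_step
        trace.append(GRAVITY + amplitude * math.sin(phase))
    return trace


def emulator_trace(samples):
    """What a default emulator or automated sandbox reports: the device never
    moves, so every sample is just gravity."""
    return [GRAVITY] * samples


def count_steps(magnitudes, threshold=GRAVITY + 1.5):
    """Minimal step detector: count rising crossings of a threshold above
    gravity. Real pedometers are smarter, but the gating logic is the same."""
    steps, above = 0, False
    for m in magnitudes:
        if m > threshold and not above:
            steps += 1
            above = True
        elif m <= threshold:
            above = False
    return steps


def malware_gate(magnitudes, required_steps):
    """Hypothetical Cerberus-style activation gate: the payload runs only once
    the accelerometer has 'walked' the required number of steps."""
    return count_steps(magnitudes) >= required_steps


if __name__ == "__main__":
    print("walking user:", count_steps(walking_trace(30)), "steps")
    print("idle sandbox:", count_steps(emulator_trace(600)), "steps")
    print("gate opens in sandbox?", malware_gate(emulator_trace(600), 30))
```

The practical consequence for dynamic analysis is that the sandbox has to feed synthetic motion (for example through the Android Emulator console's `sensor set acceleration` command, or an Xposed/Frida hook on the sensor listener) before the real payload will ever execute; a run that only sees the dropper is not a run of Cerberus.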

Mobile T1417 Input Capture

Cerberus can record keystrokes.[1]

Mobile T1516 Input Injection

Cerberus can inject input to grant itself additional permissions without user interaction and to prevent application removal.[1][2]

Mobile T1411 Input Prompt

Cerberus can generate fake notifications and launch overlay attacks against attacker-specified applications.[1]

Mobile T1478 Install Insecure or Malicious Configuration

Cerberus disables Google Play Protect to prevent its discovery and deletion in the future.[1]
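The SMS, overlay, contact, location, uninstall and accessibility-service capabilities listed above (T1412, T1411, T1432, T1430, T1576 and T1516) all leave footprints in an APK's manifest. The following is an added triage heuristic, written for this page and not taken from any Cerberus sample or report: it parses a constructed manifest (the package name, component names and weights are assumptions), maps the declared permissions and the accessibility-service binding to the technique IDs on this page, and scores the result. It is a capability check only; a packed dropper that fetches its real module at runtime (T1407) will not expose the payload's manifest to static analysis.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """Qualify an attribute name with the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Constructed sample manifest resembling a banker masquerading as Flash Player.
# Not extracted from a real APK; names are illustrative.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashplayer">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Flash Player">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

# Permission groups mapped to the ATT&CK Mobile techniques on this page.
PERMISSION_INDICATORS = {
    "T1412 Capture SMS Messages": {
        "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
        "android.permission.SEND_SMS"},
    "T1411 Input Prompt (overlay)": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "T1432 Access Contact List": {"android.permission.READ_CONTACTS"},
    "T1430 Location Tracking": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION"},
    "T1576 Uninstall Malicious Application": {
        "android.permission.REQUEST_DELETE_PACKAGES"},
}

# Assumed weights: accessibility + overlay + SMS together is the banker profile.
WEIGHTS = {"T1516": 3, "T1411": 2, "T1412": 2, "T1576": 1, "T1432": 1, "T1430": 1}


def triage_manifest(xml_text):
    """Return {technique: [matching permissions/components]} for a manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(_a("name")) for e in root.iter("uses-permission")}
    hits = {}
    for tech, wanted in PERMISSION_INDICATORS.items():
        found = sorted(perms & wanted)
        if found:
            hits[tech] = found
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is the hook used for
    # input injection (T1516): clicking through permission and uninstall dialogs.
    for svc in root.iter("service"):
        if svc.get(_a("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            hits.setdefault("T1516 Input Injection (accessibility service)", []).append(
                svc.get(_a("name")))
    return hits


def risk_score(hits):
    """Sum the weights of every technique ID present in the triage result."""
    return sum(w for tid, w in WEIGHTS.items() if any(k.startswith(tid) for k in hits))


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        hits = triage_manifest(text)
        print(label, risk_score(hits), hits)
```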

Mobile T1430 Location Tracking

Cerberus can collect the device’s location.[1]

Mobile T1444 Masquerade as Legitimate Application

Cerberus has pretended to be an Adobe Flash Player installer.[3]

Mobile T1406 Obfuscated Files or Information

Cerberus uses standard payload and string obfuscation techniques.[1]

Mobile T1437 Standard Application Layer Protocol

Cerberus communicates with the C2 server using HTTP.[2]

Mobile T1508 Suppress Application Icon

Cerberus hides its icon from the application drawer after being launched for the first time.[1]

Mobile T1426 System Information Discovery

Cerberus can collect device information, such as the default SMS app and device locale.[1][2]

Mobile T1509 Uncommonly Used Port

Cerberus communicates with the C2 over port 8888.[2]
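Plain HTTP to a C2 on TCP 8888 (T1437 and T1509 above) is easy to pick out of connection logs once the protocol is identified independently of the port. The block below is an added example written for this page, not from the cited reports or from Cerberus: it runs over constructed Zeek-style `conn.log` JSON records (the addresses, timestamps and the port allow-list are assumptions) and flags HTTP on non-standard ports, then reports the source/destination pairs that check in at a roughly fixed interval, which is what a bot polling for commands looks like.

```python
import json
from collections import defaultdict

# Constructed Zeek conn.log records (JSON lines). Not real traffic; the
# 198.51.100.17:8888 flows from 10.0.0.23 play the role of the C2 check-ins.
SAMPLE_CONN_LOG = """\
{"ts":1593000000.1,"id.orig_h":"10.0.0.23","id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","service":"ssl","orig_bytes":1200,"resp_bytes":5400}
{"ts":1593000012.4,"id.orig_h":"10.0.0.23","id.resp_h":"198.51.100.17","id.resp_p":8888,"proto":"tcp","service":"http","orig_bytes":512,"resp_bytes":128}
{"ts":1593000072.9,"id.orig_h":"10.0.0.23","id.resp_h":"198.51.100.17","id.resp_p":8888,"proto":"tcp","service":"http","orig_bytes":520,"resp_bytes":131}
{"ts":1593000090.0,"id.orig_h":"10.0.0.41","id.resp_h":"203.0.113.5","id.resp_p":80,"proto":"tcp","service":"http","orig_bytes":300,"resp_bytes":9000}
{"ts":1593000132.2,"id.orig_h":"10.0.0.23","id.resp_h":"198.51.100.17","id.resp_p":8888,"proto":"tcp","service":"http","orig_bytes":518,"resp_bytes":130}
{"ts":1593000140.0,"id.orig_h":"10.0.0.41","id.resp_h":"203.0.113.9","id.resp_p":8080,"proto":"tcp","service":"http","orig_bytes":700,"resp_bytes":3000}
"""

# Assumed allow-list; tune to the proxies and web ports in use on the network.
EXPECTED_HTTP_PORTS = {80, 8080}


def parse_conn_log(text):
    """Parse JSON-lines conn.log output into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def http_on_unusual_port(records):
    """T1437 + T1509: flows the DPI engine labelled 'http' whose server port
    is outside the allow-list (Zeek's service field is protocol-based, so a
    C2 on 8888 is still classified as http)."""
    return [r for r in records
            if r.get("service") == "http" and r["id.resp_p"] not in EXPECTED_HTTP_PORTS]


def beacon_candidates(records, min_hits=3, jitter=0.25):
    """Group unusual-port HTTP flows by (src, dst, port) and report pairs that
    recur at a roughly constant interval (every gap within +/- jitter of the
    mean). Returns one finding per beaconing pair."""
    flows = defaultdict(list)
    for r in http_on_unusual_port(records):
        flows[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(r["ts"])
    findings = []
    for (src, dst, port), stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if all(abs(g - mean) <= jitter * mean for g in gaps):
            findings.append({"src": src, "dst": dst, "port": port,
                             "hits": len(stamps), "interval_s": round(mean, 1)})
    return findings


if __name__ == "__main__":
    records = parse_conn_log(SAMPLE_CONN_LOG)
    print(len(http_on_unusual_port(records)), "HTTP flows on unusual ports")
    for f in beacon_candidates(records):
        print("beacon:", f)
```

Port 8888 alone is a weak indicator (developer tooling and proxies use it too); the combination of a non-standard port, cleartext HTTP and a regular check-in cadence from a mobile subnet is what should page someone.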

Mobile T1576 Uninstall Malicious Application

Cerberus can uninstall itself from a device on command.[1]

References