Cerberus banking Trojan infiltrates Google Play
Security researchers have discovered the Cerberus banking Trojan disguised as a legitimate currency app on Google Play.
On Tuesday, the cybersecurity team at Avast said the malicious app in question posed as a legitimate currency converter app designed for Spanish users.
In total, the software, “Calculadora de Moneda,” — translated as Currency Calculator — has been downloaded over 10,000 times.
Our mobile devices, including smartphones and tablets, are now often key products that are used not only for communication with friends and family, but also for entertainment, work, and as gateways to our financial accounts.
As a result, mobile malware has become a common threat today. To try and keep malicious apps off our devices, vendors including Google and Apple have established strict security measures for software hosted in their official, trusted app repositories.
On occasion, however, threats still manage to slip the net.
The malicious app bypassed Google’s security barriers by posing and acting as a legitimate app for the first few weeks after being accepted into Google Play. It appears that as users began to download the app in March, the software, at first, did not cause any harm and actually acted as a legitimate — and useful — utility.
However, after instilling trust in the growing user base, the app then triggered dormant code that became a dropper for the Cerberus Trojan.
Code that connected Calculadora de Moneda to a command-and-control (C2) server activated several weeks later, commanding the app to download an additional Android Application Package (APK) to devices.
Once executed, the APK dropped Cerberus, a relatively new Trojan that has been in circulation since June 2019.
The malware creates an overlay across existing banking and financial apps. Cerberus will lurk in the background, waiting for a user to input their account credentials, of which this information is then stolen and sent to the attacker’s C2.
Avast noted that the malware is sophisticated enough to read your text messages — often used to deliver one-time passcodes (OTP) — as well as grab two-factor authentication (2FA) details. These security measures are intended to further protect our online banking sessions, but Cerberus can circumvent these controls.
As reported by ZDNet in February, ThreatFabric researchers examining strains of Cerberus said that these capabilities can be used to steal OTPs generated via Google Authenticator, designed as an alternative to SMS-based 2FA passcodes.
On Monday, Avast researchers noted that as of the evening, the C2 server vanished and Cerberus disappeared from the currency conversion app. This does not mean, however, that the app should not still be considered malicious — and a threat.
“Although this was just a short period, it’s a tactic fraudsters frequently use to hide from protection and detection i.e. limiting the time window where the malicious activity can be discovered,” Avast says.
Google has been told of the researcher’s findings.
ZDNet has reached out to Google and will update when we hear back.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0