A brand new banking trojan for Android units depends on the accelerometer sensor to delay its working on the system and thus evade evaluation from safety researchers.

Cerberus malware has not too long ago stepped into the malware-as-a-service enterprise filling the void left by the demise of earlier Android bankers. 

The malware writer(s) declare that it was used privately for the previous two years and that they created Cerberus from scratch over a number of years.

Safety researchers from Amsterdam-based cybersecurity firm ThreatFabric analyzed a pattern of the malware and located that it didn’t borrow from Anubis, an Android banker whose supply code acquired leaked, sparking the creation of clones.

If you transfer, Cerberus strikes

Payload and string obfuscation are regular strategies for making evaluation and detection tougher, however Cerberus additionally makes use of a mechanism that determines if the contaminated system is transferring or not.

The trojan achieves this by studying information from the accelerometer sensor current on Android units to measure the acceleration power on all three bodily axes, X, Y, and Z, additionally contemplating the power of gravity.

By implementing a easy pedometer, Cerberus can observe if the sufferer is transferring utilizing the code under. An actual individual will transfer round, producing movement information and growing the step counter.

this.sensorService.registerListener(this, this.accelerometer, 3);
Sensor localSensor = sensorEvent.sensor;
this.sensorService.registerListener(this, localSensor, 3);
if(localSensor.getType() == 1) {
float[] values = sensorEvent.values;
float Gx = values[0];
float Gy = values[1];
float Gz = values[2];
lengthy timestamp = System.curTimeMillis();
if(timestamp – this.previousTimestamp > 100L) {
lengthy interval = timestamp – this.previousTimestamp;
this.previousTimestamp = timestamp;
if(Math.abs(Gx + Gy + Gz – this.curGx – this.curGy – this.curGz)
/ (((float)interval)) * 10000f > 600f) {

this.curGx = Gx;
this.curGy = Gy;
this.curGz = Gz;

this.utils.readConfigString(arg7, this.constants.step))

The malware turns into energetic and begins speaking with the command and management server when a selected variety of steps is reached.

This security verify is applied particularly to keep away from working on take a look at units or in sandbox environments used for malware evaluation.

Normal banking trojan options

From the samples discovered within the wild, Cerberus poses as a Flash Participant utility. When it executes on a system, the malware hides its icon and calls for elevated privileges by way of the Accessibility Service.

Then it begins granting itself extra permissions that enable it to ship messages and make calls with out person interplay. Based on the researchers, the malware additionally disabled Google Play Defend to stop discovery and disinfection.

The set of options out there on this trojan are commonplace and doesn’t present any indicators of progressive or particular features like a back-connect proxy, distant management, or display screen streaming, that are current in additional superior Android bankers.

Utilizing the features under, Cerberus manages to maintain a low profile for its operations:

Overlaying: Dynamic (Native injects obtained from C2)
SMS harvesting: SMS itemizing
SMS harvesting: SMS forwarding
Machine information assortment
Contact listing assortment
Utility itemizing
Location assortment
Overlaying: Targets listing replace
SMS: Sending
Calls: USSD request making
Calls: Name forwarding
Distant actions: App putting in
Distant actions: App beginning
Distant actions: App elimination
Distant actions: Exhibiting arbitrary internet pages
Distant actions: Display screen-locking
Notifications: Push notifications
C2 Resilience: Auxiliary C2 listing
Self-protection: Hiding the App icon
Self-protection: Stopping elimination
Self-protection: Emulation-detection
Structure: Modular

Blended set of targets

ThreatFabric discovered a number of samples of phishing overlays utilized by Cerberus to steal credentials and bank card information.

For the second, the researchers discovered within the whereas just one goal listing with 30 distinctive entries. Among the many targets are banking apps from France (7), the U.S. (7), Japan (1). One other 15 of them are non-banking apps.

“This unusual goal listing may both be the results of particular buyer demand, or on account of some actors having partially reused an current goal listing.” – ThreatFabric

With the assistance of overlays, the malware methods the sufferer into giving delicate info that ranges from credentials to on-line providers to cost card and banking information.

Figuring out when the phishing overlay ought to be used and which one to load is feasible by way of its elevated privileges, which permit it to acquire the bundle title for the foreground app.

Promoting the service

The operators of the malware promote their service within the open, with out fearing penalties from exposing indicators of compromise and different particulars.

A Twitter account is used to advertise the software to potential patrons and reveals picture captures with low or zero detection charges from a number of scanning providers. A thread directed at safety researchers provides just a few particulars concerning the malicious APK used with Cerberus and boasts that it’s an authentic creation that spent a number of years in growth.

YouTube is one other promoting channel. A video presentation on Google’s platform goes by way of the command and management capabilities and demonstrates interplay with an contaminated system from entry to distant elimination process.

Bot administration is completed by way of a console that makes it straightforward for the administrator to push varied instructions to the compromised system.


For hashes of the payload samples detected within the wild and the complete listing of targets, verify ThreatFabric’s report.

Leave a Reply

Notify of