Cerberus

NJCCIC Threat Profile

Original Release Date: 2019-11-13

Cerberus is an Android banking trojan, first discovered in June 2019 and active since 2017, that is available for sale on the Russian hacking forum xss[.]is. The trojan can be rented for three, six, or twelve months at a cost of $4,000, $7,000, or $12,000, respectively. Cerberus has been advertised via the Twitter account @AndroidCerberus. The actors behind the trojan developed an APK builder and an inject generator, and advertise that their starter kits come prepackaged with injects for users in the US, France, Turkey, and Italy. Most victims thus far are in the banking sector.

Cerberus is advertised to have the following capabilities:

  • Sending SMS
  • Interception of SMS
  • Hidden interception of SMS
  • Device lock
  • Mute sound
  • Keylogger (messengers, WhatsApp, Telegram secret, banks, etc., except browsers!)
  • Execution of USSD commands
  • Call forwarding
  • Opening the fake page of the bank
  • Run any installed application
  • Push Bank Notification (Auto Push - determines which bank is installed)
  • Open URL in browser
  • Get all installed applications
  • Get all the contacts of their phone book
  • Get all saved SMS
  • Remove any application
  • Self-destruct bot
  • Automatic confirmation of rights and permissions
  • A bot can have several spare URLs to connect to the server
  • Injects (HTML + JS + CSS; downloaded to the device and run from disk; poor connection or lack of internet will not affect the operation of injects)
  • Grabber cards
  • Grabber mail
  • Automatic inclusion of injections through the time specified in the admin panel
  • Automatically shut off Google Play Protect + disconnect after the time specified in the admin panel
  • Anti-emulator (Bot starts working after device activity)

Technical Details and Reporting

  • Anomali provides an in-depth analysis of the Cerberus Android banking trojan in their blog post.

New Jersey Cybersecurity & Communications Integration Cell
