

Banking Malware: When Convenience Becomes Inconvenience

By: Ronald Wilson
Date: October 18, 2020



When it comes to convenience, most of us gravitate toward it with few questions and even fewer answers. Whether it is physical, mental, or social, most people prefer a one-step process to a two-step one. What greater convenience is there than having access to our money at our fingertips? Too bad the enemy thinks the same way.

Malware on Android mobile devices has erupted within the last five years. Banking Trojans such as “Cerberus” and its offspring “Alien” have transformed convenience into containment. With numerous app contributions to the Google Play Store, the bad guys have found a way to blend in with the good. What better way than to mimic the applications we find most useful: banking applications.

The convenience of these applications lies in handling currency transfers to and from bank accounts. No more waiting in line or racing to a local branch before the doors close to deposit a check. Transactions are completed directly from our mobile devices, all around the globe.

However, what happens when that mobile application is no longer secure? In fact, it is not the mobile banking application you understood it to be. You actually just downloaded malware that tracks your every keystroke, records your uploads, and reads your messages. You just downloaded the Cerberus malware, also known as Alien.

How Cerberus Functions

Cerberus first appeared on the scene in June 2019 as a Remote Access Trojan (RAT) with the ability to perform several malicious acts: (1) steal banking credentials, (2) read text messages containing one-time passcodes (OTP) and two-factor authentication (2FA) codes, (3) carry out covert surveillance, (4) intercept communication, and (5) alter device functionality.

Stealing banking credentials begins with the technique of displaying “overlays”. An overlay projects an illegitimate banking screen on top of the legitimate banking application. Because the forms mimic the actual banking application, the data entered into them, such as credentials, is recorded on a server controlled by the attacker.

Credentials are stored and used later to access banking applications. How does this happen? Once the malicious application is downloaded and opened, it contacts the server to register the device. A complete list of the applications installed on the infected device is transferred to the attacker’s server. The server returns data listing all of the targeted applications installed on the mobile device. Understanding what data is being transferred in transit is quite difficult because the data is encrypted.

After receiving the list of applications stored on the user’s device, the malicious application gains access to the applications installed on the device. It is then responsible for downloading and storing an injection for each targeted application. Injections are created as an HTML file and displayed with “WebView”. Permission must be granted to allow “WebView” access (see figure 1). Once permission is granted, the service runs in the background and sends an event notifying that the user has opened an application or is performing an action within it.

[Figure 1: Malware (image not reproduced here)]

The Cerberus application is now able to receive the package identifier, which tells it which application is open and affected. If the application is an infected one, the Trojan opens a new “WebView” containing a phishing website.

Now the magic, or for the user the misery, begins. Without the user ever noticing, an illegitimate website is opened and the user’s credentials (username and password) are recorded to the attacker’s server. Once the credentials are recorded, the window immediately closes and the user is returned to the legitimate website.

Not only are credentials recorded; SMS logs are up for grabs as well. With the ability to read SMS messages, Cerberus can record the verification message sent to the mobile device. So much for two-step authorization. With access to the authorization codes, the attacker has full access to authorize transactions and get into your account.

Finally, Cerberus has the ability to compromise the mobile device’s contact list. The malware sends the list by making a POST request to a PHP file on the attacker’s server. With the contact list accessible, the malware can be replicated expeditiously to more mobile devices.
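As a defender-side illustration of the capability set described above, here is an added example (not code from this article, and not from any malware sample or analysis tool) that triages a decoded AndroidManifest.xml for the permission and component combination those capabilities require: an overlay permission, an accessibility service that learns when a target app opens, SMS read permission for OTP codes, and contact access. Both manifests are constructed, and the permission-to-capability mapping is my own heuristic, not a signature for Cerberus or Alien.

```python
"""Manifest triage: flag an Android app whose declared permissions and
components match the capability set the article attributes to Cerberus/Alien
(overlay, accessibility-driven event capture, SMS/OTP reading, contact
harvesting, package enumeration).  Added illustration; the manifests below
are constructed and the capability mapping is a triage heuristic, not a
signature for any specific malware family."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permission that grants each capability described in the article.
# (QUERY_ALL_PACKAGES only exists from Android 11; on older targets package
# enumeration needs no permission, so its absence is not evidence of anything.)
CAPABILITIES = {
    "overlay on top of other apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "read SMS / OTP codes": {"android.permission.READ_SMS",
                             "android.permission.RECEIVE_SMS"},
    "read contact list": {"android.permission.READ_CONTACTS"},
    "enumerate installed packages": {"android.permission.QUERY_ALL_PACKAGES"},
}
ACCESSIBILITY_CAP = "accessibility service (sees app-open events and screen content)"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def parse_manifest(xml_text):
    """Return (set of declared permissions, whether an accessibility service exists)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A <service> protected by BIND_ACCESSIBILITY_SERVICE is an accessibility
    # service; that is the hook that lets a Trojan react when a target app opens.
    has_a11y = any(s.get(ANDROID_NS + "permission") == BIND_ACCESSIBILITY
                   for s in root.iter("service"))
    return perms, has_a11y


def triage(xml_text, expected_capabilities=()):
    """Score a manifest against the capability set and return a verdict.

    expected_capabilities: capabilities this app legitimately needs (an SMS
    client reads SMS; a screen reader is an accessibility service), so they
    are reported in "found" but not counted against the app."""
    perms, has_a11y = parse_manifest(xml_text)
    found = [cap for cap, needed in CAPABILITIES.items() if perms & needed]
    if has_a11y:
        found.append(ACCESSIBILITY_CAP)
    unexpected = [cap for cap in found if cap not in expected_capabilities]
    score = len(unexpected)
    if score >= 3:
        verdict = "high-risk"   # overlay + accessibility + SMS is the banking-Trojan pattern
    elif score >= 1:
        verdict = "review"
    else:
        verdict = "ok"
    return {"found": found, "unexpected": unexpected,
            "score": score, "verdict": verdict}


# Constructed manifest shaped like the behaviour described for Cerberus.
FAKE_BANK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Bank">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest for a banking app that only needs network access.
REAL_BANK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.realbank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("fake", FAKE_BANK_MANIFEST), ("real", REAL_BANK_MANIFEST)):
        result = triage(manifest)
        print(f"{name}: {result['verdict']} (score {result['score']}) -> "
              f"{', '.join(result['found']) or 'no flagged capabilities'}")
```

A manifest decoded from an APK with apktool can be passed straight to `triage()`; the `expected_capabilities` argument keeps a legitimate SMS client or screen reader from being flagged on that one capability alone, so the verdict reflects the combination the article describes rather than any single permission.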

Conclusion

A number of functions are executed behind the scenes by the Cerberus malware. With command and control of a device, private data becomes vulnerable to an attacker and is compromised. Sensitive information leading to a compromised bank account causes great inconvenience in one’s personal life. Convenience is great until it becomes an inconvenience. This reminds us to always be careful when using our devices. Nothing is 100% protected; even if something is today, it won’t be tomorrow. Protect your devices by installing the latest patches and updates to your system. Download applications from legitimate sources and refrain from unknown and untrusted sources.

WilcomputeIT Technologies LLC

Location Houston, TX 77066
Phone 832-209-8668
Mail rwilson@wilcomputeittechnologies.com