Banking trojans, malware-as-a-service (MaaS), and others are just some of the terms security researchers use to define malware types and cybercrime. This jargon can be a headache for some and a nightmare for others when they find out their bank accounts have been emptied. With the emergence of Cerberus, a banking trojan sold as a service and rented to any interested party, a gap in the market is being filled; it was left by other rental trojans whose operators have since thrown in the towel. Like those that have stopped operations, Cerberus actively targets mobile phones running Android.
An article published by researchers from security firm ThreatFabric has revealed details about the trojan, which is named after the mythological three-headed dog that guarded the gates to the underworld. Before looking at Cerberus, it is worth unpacking exactly what a banking trojan is as well as the MaaS business model. Banking trojans, particularly those targeting mobile devices, are pieces of malware that disguise themselves as legitimate apps and, once installed, are designed to steal credentials, particularly those for banking apps. Once the correct credentials are stolen, the hacker can access the victim's banking app and account, allowing funds to be withdrawn fraudulently. MaaS can be seen as the malware equivalent of the software-as-a-service business model: rather than leasing out a software package, malware authors rent out their malware, with some even providing technical support to their less than moral customers.
The malware author behind Cerberus has been vocal on Twitter, mocking those in the InfoSec community who protect systems, be they researchers or anti-virus producers. The author also uses Twitter to advertise their product.
According to the author, the malware is coded from scratch, reuses no other code, and had been used privately by the author for two years before being offered for rent. Renting the malware currently costs a cybercriminal 2000 USD for a month, 7000 USD for six months, and 12000 USD for a full year. As for the malware's features, they are those expected of a banking trojan. These features include:
- Taking screenshots
- Recording audio
- Recording key logs
- Sending, receiving, and deleting SMS
- Stealing contact lists
- Forwarding calls
- Collecting device information
- Tracking device location
- Stealing account credentials
- Disabling Play Protect
- Downloading additional apps and payloads
- Removing apps from the infected device
- Pushing notifications
- Locking device's screen
According to ThreatFabric, once the malware infects the victim's device it hides itself from the application drawer and asks for permissions to be granted while pretending to be a Flash Player service. Once permissions are granted, the malware automatically registers the compromised device with its command-and-control server, giving the attacker remote control of the device. To get the victim to hand over banking credentials, the malware performs a screen overlay attack: it draws a window over the legitimate app's screen to trick the user. In this case, the malware overlays a screen that looks like the banking app to trick victims into handing over their credentials, in much the same way a phishing attack is carried out. Cerberus currently targets 30 banking or similar financial services apps, including those of French, US, and Japanese institutions. Researchers noted,
“Most Android banking Trojans use overlay attacks to trick the victim into providing their personal information (such as but not limited to: credit card information, banking credentials, mail credentials) and Cerberus is no exception. In this particular case, the bot abuses the accessibility service privilege to obtain the package name of the foreground application and determine whether or not to show a phishing overlay window.”
Another interesting feature of Cerberus is how it attempts to evade analysis by researchers and anti-virus producers. The malware monitors the device's accelerometer to register movement such as walking, feeding a step counter. A sandbox or emulator is assumed to register no movement, so while the counter stays below its threshold the malware treats this as an indication that it is running in a sandbox and does not execute, which is intended to prevent analysis. As researchers stated,
“The Trojan uses this counter to activate the bot—if the aforementioned step counter hits the pre-configured threshold it considers running on the device to be safe. This simple measure prevents the Trojan from running and being analyzed in dynamic analysis environments (sandboxes) and on the test devices of malware analysts.”
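For analysts, the practical consequence of the step-counter gate described above is that a motionless emulator never meets the threshold. The following is an added example (not code from ThreatFabric or the original article) that synthesizes walking-like accelerometer samples, checks with a crude step detector that they would exceed an assumed threshold, and formats them as emulator console commands; the `sensor set acceleration x:y:z` syntax, the 20 Hz sample rate and the step threshold are assumptions for illustration.

```python
"""Synthesize walking-like accelerometer data for an Android emulator so that
a motion-gated sample (as described for Cerberus) activates under dynamic
analysis. Example code; assumes the emulator console command
'sensor set acceleration x:y:z' and an illustrative 20 Hz sample rate."""
import math

G = 9.81              # gravity, m/s^2, what an idle emulator reports
SAMPLE_HZ = 20        # emitted samples per second (assumption)
STEP_HZ = 2.0         # roughly two steps per second when walking
STEP_AMPLITUDE = 3.0  # vertical acceleration swing per step, m/s^2


def walking_samples(steps, sample_hz=SAMPLE_HZ, step_hz=STEP_HZ):
    """Return (x, y, z) samples whose vertical (y) axis swings sinusoidally
    around gravity, one peak per simulated step."""
    n = int(steps * sample_hz / step_hz)
    samples = []
    for i in range(n):
        t = i / sample_hz
        y = G + STEP_AMPLITUDE * math.sin(2 * math.pi * step_hz * t)
        samples.append((0.0, round(y, 3), 0.0))
    return samples


def count_steps(samples, threshold=G + STEP_AMPLITUDE / 2):
    """Crude step detector: count upward crossings of the threshold on the
    vertical axis. A motionless emulator reports a constant G and therefore
    zero steps, which is exactly the condition a motion-gated sample waits on."""
    steps = 0
    above = False
    for _, y, _ in samples:
        if y > threshold and not above:
            steps += 1
            above = True
        elif y <= threshold:
            above = False
    return steps


def emulator_commands(samples):
    """One console command per sample (assumed syntax), suitable for piping
    into the emulator console, one command per sample interval."""
    return [f"sensor set acceleration {x}:{y}:{z}" for x, y, z in samples]


if __name__ == "__main__":
    idle = [(0.0, G, 0.0)] * 200            # constructed: idle emulator
    moving = walking_samples(60)            # constructed: 60 simulated steps
    print("idle steps:", count_steps(idle))          # 0
    print("synthetic steps:", count_steps(moving))   # 60
    for cmd in emulator_commands(moving)[:3]:
        print(cmd)
```

Feeding the generated commands to the emulator at the sample rate gives the gated sample the motion it expects, so the analyst sees the real payload rather than a dormant stub.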
For malware authors, offering their creations as a rentable service has proved to be an increasingly popular way to generate more income. The authors of the GandCrab ransomware are a very recent example of how successful such a scheme can be. For those defending networks, the dangers posed by such schemes are increased, as the entry barrier for infecting victims is lowered: a budding cybercriminal with no knowledge of how to code now only needs to understand how to distribute the malware. To reach the broadest market, those behind the schemes often provide clear instructions on how to deploy the malware as well as technical support similar to that offered by a legitimate software-as-a-service company, which further lowers the entry barrier to carrying out a banking credential theft campaign. It is believed that cybercrime is set to surpass the illegal drug trade in terms of profitability. As these MaaS schemes prove to be a popular and profitable side hustle for malware authors, this trend will continue.