For the most part, Google has made several great strides in preventing malware from abusing the Google Play app store. Better security policies and procedures help prevent the Android user base from increasingly becoming victims supporting a hacker’s needs. That being said, it is not impossible for malware to find its way onto the app store, more often than not hidden behind the illusion of being a useful app. Cerberus has achieved just that being discovered by researchers hidden behind a currency converter targeting Spanish users. Cerberus is a relatively new banking trojan discovered in June 2019, primarily designed to infect Android devices and steal private banking information which the attackers use to turn a profit, either selling on banking details or using the details themselves to commit fraud. Initially, upon the malware’s discovery, the banking trojan was being offered as a Malware-as-a-Service (MaaS) by renting out the malware to other hackers as well as providing technical support, often in a parody of the Software-as-a-Service business model.
According to a report published by Avast, researchers discovered that an app, “Calculadora de Monedaí” translated directly to English as money converter, had been downloaded over 10,000 times onto a wide variety of Android devices. Mobile devices are a favored target of hackers because of the wide array of functions the device will have in day to day operations. They are work and personal tools which if left unsecured can grant an attacker access to personal banking information, access to corporate networks and sensitive information people may be ashamed of if released to the wider public. Just for this reason alone, the malware authors of Cerberus have a reason to target mobile devices running the Android OS. It has gotten harder for hackers to abuse the app store but not impossible and requires a high level of cunning on the behalf of the attacker.
Initially, the app managed to bypass the security barriers placed by Google by simply being what it said on the tin, a currency converter, converting currency for users who downloaded the app initially in March when it was placed on the app store. It was from this point that the app slowly began to gain trust from users and would have resulted in more downloads. Once the attackers had deemed that enough trust was achieved, dormant code in the app was activated which turned the currency converter into a dropper for Cerberus. The triggering of dormant code resulted in the app connecting to a command and control server which further instructed the app to download an additional Android Application Package (APK) to devices. Once the APK was executed Cerberus would then be dropped on the victim's device.
Malware Functionality and Increased Risk
Once installed on the victim’s device Cerberus creates an overlay which it places on existing financial and banking apps found on the device. Once the user attempts to access one of these apps and enters their credentials those are then stolen by the overlay and sent to a command and control server under the hacker’s control. Avast further noted that the malware is sophisticated enough to steal read text messages including one-time passcodes (OTP) messages sent by financial institutions as well as two-factor authentication (2FA) messages. These controls are put in place to add another level of security for users and that Cerberus can circumvent these controls does increase the risk posed by the malware.
The risk posed by Cerberus was further increased in February 2020, when researchers from ThreatFabric discovered that the abilities to circumvent security controls could also be used to steal OTPs generated via Google Authenticator, a security application designed as an alternative to SMS-based 2FA passcodes. At the time the malware was believed to be capable of interfacing with Google Authenticator and then swipe the relevant content and send it to the attacker’s command and control server. Researchers concluded that,
“Until now, the end of February 2020, no advertisement for these features has yet been made in underground forums. Therefore, we believe that this variant of Cerberus is still in the test phase but might be released soon. Having an exhaustive target list including institutions from all over the world, combined with its new RAT capability, Cerberus is a critical risk for financials offering online banking services. Whether in its target list or not, it is easy for its operators to enhance the list to target additional apps,”
Fortunately, this functionality does not appear to have been used in the campaign discovered by Avast as no mention was made of instances of Google Authenticator being bypassed. It does appear that the Cerberus code has been disabled by attackers with researchers noting,
“The C&C server in question and its malware payload was only active for most of yesterday, during which time, users of the currency converter app were downloading the banking Trojan malware. However, as of yesterday evening, the command and control server had disappeared and the currency converter app on Google Play no longer contained the Trojan malware. Although this was just a short period, it’s a tactic fraudsters frequently use to hide from protection and detection i.e. limiting the time window where the malicious activity can be discovered.”
Despite Cerberus being a relatively new malware, its full features make it a risk to Android users. A further risk is added by those using the malware adopting tactics such as the hiding of code and then the quick use in a campaign to help prevent discovery. All in all, this makes for a worrisome package capable of turning someone’s day into a financially motivated nightmare. The ability of the malware to intercept OTP and 2FA messages again shows the risk posed by the malware. This places Cerberus amongst some of the most dangerous banking trojans currently wreaking havoc amongst victims.
If the ability to bypass Google Authenticator is proved to be reliable and an ace up the sleeve for the malware’s creators, Cerberus then would rank amongst some of the world’s elite hacker groups and developers. By being able to bypass Google Authenticator a hacker would be able to 2FA measures on the application granting access to online banking accounts. Further, nothing could stop the hacker bypassing such measures attached to email inboxes, coding repositories, social media accounts, intranets, and others. Historically, creating malware capable of doing this was reserved for advanced persistent threat groups, including well-resourced and funded state-sponsored groups like APT20 and an even smaller number of malware strains like Android.Bankosy which was capable of intercepting voice-based 2FA calls. Researchers, in that case, summarised the perversion of these security measures as,
“What does two-factor authorization using voice calls involve? In a typical 2FA system, the second factor—normally a generated one-time passcode (OTP)—is sent to the user’s registered mobile number through SMS. In the past, we have seen several cases where the malware installed on the victim’s device snooped on or intercepted the incoming SMS containing the OTP. To improve the security of OTP delivery, some financial organizations started delivering OTP through voice calls instead of SMS. Of course, malware creators have already devised ways to take advantage of this development.
So how does Android.Bankosy take advantage of voice-based 2FA? Once the malware is installed on the victim’s device, it opens a back door, collects a list of system-specific information, and sends it to the command and control (C&C) server to register the device and then get a unique identifier for the infected device. If the registration is successful, it uses the received unique identifier to further communicate with the C&C server and receive commands.”
Security researchers often recommend that 2FA be enabled wherever possible. It is advice that has also been given by the writer on several occasions. With banking trojans now capable of reading and intercepting 2FA messages is that advice now completely redundant. The simple answer is no. Although a threat to be taken seriously and safeguards to be developed to prevent 2FA being exploited in such a way it is still incredibly useful at preventing a large majority of attacks. Based on that alone advising the use of 2FA is still vital security best practice that is far from redundant. What Cerberus and the other small group of elite malware do show is that security protocols can be improved but for the most part it is still easier for hackers to use other tried and tested methods like phishing emails to get the job done which are easier than developing entirely new code.