Malicious app in Google Play used to deliver Cerberus Banking Trojan

Pierluigi Paganini July 08, 2020

Experts found a tainted app in the Google Play store that was downloaded by more than 10,000 users and that was delivering the Cerberus banking Trojan.

Researchers from AVAST have discovered a currency converter application in the Google Play store that was downloaded by more than 10,000 users and that was designed to deliver the Cerberus banking Trojan.

The malware-as-a-service Cerberus has emerged in the threat landscape in August 2019, it is an Android RAT developed from scratch that doesn’t borrow the code from other malware.

According to researchers at Threat Fabric who first analyzed the malicious code, Cerberus implements features similar to other Android RAT, it allows operators to full control over infected devices.

The malware implements banking Trojan capabilities such as the use of overlay attacks, the ability to intercept SMS messages and access to the contact list.

  • taking screenshots
  • recording audio
  • recording keylogs
  • sending, receiving, and deleting SMSes, 
  • stealing contact lists
  • forwarding calls
  • collecting device information
  • Tracking device location
  • stealing account credentials, 
  • disabling Play Protect
  • downloading additional apps and payloads
  • removing apps from the infected device
  • pushing notifications
  • locking device’s screen

Now the authors implemented the ability to steal 2FA code from the Google Authenticator app abusing the Accessibility Privileges.

“The ‘genuine’ app in this case, posed as a Spanish currency converter called “Calculadora de Moneda”. According to our research, hid its malicious intentions for the first few weeks while being available on the store. This was possibly to stealthily acquire users before starting any malicious activities, which could have grabbed the attention of malware researchers or Google’s Play Protect team.” reads the analysis published by AVAST. “As a result, the app has been downloaded more than 10,000 times so far. We reported it to Google, so they can quickly remove it.”

The malicious code, disguised as a currency converter named Calculadora de Moneda, targeted Android users in Spain, it was able to fly under the radar for weeks after its upload to Google Play.

Avast researchers already reported to Google their findings.

The experts noticed that the bogus app was initially used as a dropper, and was updated later. In the last couple of days, researchers from Threat Labs noticed that the malicious code was receiving command from a C2 to download a Cerberus banker in the form of an APK. 

The Cerberus banking Trojan monitors users’ activity and display fake login pages while the victim is visiting certain banking applications.

The Trojan is able to steal the user’s login credentials and bypass two-factor authentication in place.

The C&C server was delivering the banker for a short period of time, then it disappeared and researchers noticed that the currency converter app on Google Play no longer contained the malicious code. This tactic was adopted to avoid detection.

“However, as of yesterday evening, the command and control server had disappeared and the currency converter app on Google Play no longer contained the Trojan malware. Although this was just a short period, it’s a tactic fraudsters frequently use to hide from protection and detection i.e. limiting the time window where the malicious activity can be discovered.” concludes the report.

AVAST recommends making sure they use a verified banking app, to use two-factor authentication, download applications only from trusted app stores only, check the ratings of new applications, and verify the permissions required by any application. Experts also suggest using a mobile security solution should help staying protected.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Cerberus banking Trojan)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment