Leashing Cerberus


Overview


Cerberus is an Android banking trojan first reported by ThreatFabric in June 2019 that may have been active since at least 2017. The malware is for sale on a Russian hacking forum called xss[.]is, where the actors behind its development sell licenses for the service for $4000 - $12000. This new malware-as-a-service may have filled the void left for actors who require Android malware rental services now that Anubis and Red Alert have ceased to exist. ThreatFabric analysts point out that the malware activates when victims move around, triggering the accelerometer inside the device. Cerberus lies dormant until the pedometer (measuring step count) reaches a certain number of steps. It also alters the lure depending on the Android package name, capturing banking details or mail credentials. Cerberus does not share code with Anubis or other Android banking trojans and appears to have been newly written[1].


Anomali Threat Research (ATR), in partnership with the Information Security function within a major European Financial Institution, has undertaken analysis of Cerberus to complement the existing findings presented by others in the community and to further help defenders understand the threat and capability of this Android banking trojan.


Malware-as-a-Service


Cerberus is being sold on the Russian hacking forum XSS[.]is. The forum was created in 2018 and is the new version of DaMaGeLab[.]org[2], a previously well-known hacking forum run by the founders of Exploit[.]in[3]. A member of XSS[.]is going by the name of Android has a Premium account and is shown in Figure 1 advertising access to the Cerberus Android bot. The Cerberus malware is named after the Greek, three-headed, mythological creature which guards the entrance of the underworld ..
