“Cerberus” Android Banking Trojan Can Now Steal Google Authenticator’s 2FA Tokens
Last updated June 23, 2021
Last time we talked about the “Cerberus” Android banking trojan, it was in July, when the author of the popular malware was auctioning the project and its source code. The starting price was set at $50,000, and the immediate selling price was set at double that amount, $100,000. As it turns out, though, the source code of Cerberus was leaked on dark web forums after the author failed to complete the auction under the defined terms.
The source code includes the malicious APK, the admin panel, and the C2 code, and the leak also includes an installation guide and a collection of setup and licensing scripts. White-hat researchers and malware analysts are already looking under the hood, trying to map out the full functionality of “Cerberus”, a particularly potent piece of malware.
Just before the decision to auction it, Cerberus was being rented to malicious actors for $12,000 per year, or $4,000 per quarter. Reportedly, the project operators were making about $10,000 per month, so the decision to let the project change hands was odd, though not inexplicable. There are many reasons why someone might want to get rid of a malware project, including an intent to focus on other things, fear, internal conflicts, and the inability to handle the burden of 24/7 customer service.
Now that the auction has failed and the source code of Cerberus is out there, several things change in the threat landscape. Most importantly, a large number of malicious actors are going to grab it, create their own spin on it, and deploy it in APKs that pretend to be games, utilities, etc. As a result, we expect infections involving this particular trojan family to increase exponentially over the next couple of months.
On the other hand, detecting these infections and stopping them in time will be easier now that the source code is being analyzed by antivirus vendors and researchers. It’s a cat-and-mouse game, as always, and the leak of the Cerberus source code is changing the dynamics on both sides. Still, whatever security companies do, the responsibility for staying safe ultimately rests with Android users.
To minimize the risk of a Cerberus infection, avoid downloading APKs from obscure sources, do not blindly trust everything you see on the Google Play Store, and only install applications that you absolutely need. Beyond that, getting a mobile AV tool from a reputable vendor is always a good idea.