Android users beware! This Banking Trojan tricks you into sharing login and credit card info
Back in 2020, we told you about the Cerberus Banking Trojan which could capture a user's PIN or swipe pattern, and more. Now, a retooled version of Cerberus is being used in a campaign spotted by Cyble Research and Intelligence Labs (CRIL) in September and October. Using session-based droppers, native libraries, and encrypted payloads, the Ceberus Banking Trojan is pretty difficult to find on an infected phone; even if you find it, the Trojan is hard to remove.
The Trojan's final payload will record keystrokes made by a device user in order to capture passwords. It also employs overlay attacks that trick users into thinking that they are communicating with a legit app only to interact with a malicious overlay. The attackers hope that the user types in login credentials or, even better, a credit card number, the card's expiration date, and security code. The Trojan also uses VNC (Virtual Network Computing), a remote screen-sharing technology that can use malicious software to capture screenshots and send them to a remote server.
Chart showing how an overlay attack works. | Image credit-IKARUS security software
Cyble Research says that the Cerberus Banking Trojan is a good example of how malware can be repurposed and can continue to be a dangerous threat years after it originally debuted. Cerberus was first spotted in 2019 and Cyble first thought that it had spotted a new malware variant but analysis revealed that the code being used was similar to code used in the past by Cerberus. The research firm says that attacks are ongoing.
The attackers are looking for users to make a mistake since the malware disguises itself as legitimate banking or authentication apps and uses Google Play and Chrome icons. When it first hit the scene in 2019, the Trojan was used to help commit financial fraud. The current version of the malware uses a multi-stage dropper that delivers its payload in steps and can bypass restricted settings. If the primary server is unavailable, it can choose to communicate with Command and Control (C&C) servers.
The malware can pretend to be the user of a device and click on options while also performing gestures to input data. The malware can even uninstall itself so that it can disappear from a phone it had infected once the attackers are done with it. Cyble researchers suggest that to avoid installing malware, users download only official apps from official sources. The research firm also recommends that you make sure Google Play Protect is enabled on your Android phone.
The security research firm also makes a big suggestion, one that you should always follow. Never click on suspicious links sent to your phone via text or email.
Things that are NOT allowed: