- The Cerberus app wore the sheepskin of a Spanish currency converter app and entered the Play Store.
- The app followed the tactic of introducing inactivity periods, tricking users and researchers alike.
- Cerberus is overlaying fake login pages to steal banking credentials from a wide range of banks.
In what seemed only a matter of time, Cerberus has been spotted on the Google Play Store: Avast researchers found it hiding inside a currency converter app. The app is named ‘Calculadora de Moneda,’ and it obviously targets Spanish-speaking users. To be precise, Cerberus is disguised as a currency converter, so this is not a case of a legitimate app being compromised, with or without its authors’ knowledge. The app was approved for inclusion in the Play Store and has amassed 10,000 users to date.
The fact that the app behaves normally for the first few weeks has certainly played a key role in hiding its real intentions, and this may be why Google’s Play Protect team missed it in their reviews. The delay also reduces the risk of drawing the user’s attention to the culprit app, since the user is unlikely to connect suspicious activity with something installed weeks earlier. At some point, ‘Calculadora de Moneda’ fetches Cerberus from the C2 server, downloading it onto the device via a background process that is hidden from the user.
Cerberus then lays its own fake login pages on top of the real banking apps when the user launches them, stealing the entered credentials. As we reported back in August last year, Cerberus targets financial institutions in the United States, France, Japan, Spain, and more. It can also grab Google Account credentials or steal 2FA tokens and OTP codes from the Google Authenticator app. This makes Cerberus a very serious menace for Android users who access banking services from their mobile device, even those who use two-factor authentication.
Avast noticed that the malicious actors used the typical “activity pause” trick, which involves removing the payload-fetching functionality and the hard-coded C2 address from the app for extended periods. This is done to reduce the risk of detection, keeping the malicious functionality active only for short windows. Still, Avast has been following them for a while, and the app has already been reported to Google. Note that malicious versions of the app were also spotted and sampled from other app stores and websites, which is another reminder of why you shouldn’t download apps from unofficial sources.
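The two behaviours described above, a dropper that fetches and installs a second-stage APK in the background and a banker that draws fake login screens over other apps, both leave traces in an app's manifest. The following static triage script is an added example written for this article; it is not Avast's tooling or code from the app, and the two manifests it checks are constructed for illustration (the package name `com.example.converter` is a placeholder, not the real app's). The mapping it assumes is general Android knowledge rather than anything the article states: overlays need `SYSTEM_ALERT_WINDOW` or an accessibility service, and installing a downloaded APK needs `REQUEST_INSTALL_PACKAGES`. It takes a decoded, text-form `AndroidManifest.xml` (as `apktool` produces) and reports which of these capabilities an app requests.

```python
"""Static manifest triage for overlay-banker and dropper indicators.

Added example for this article, not code from Avast or from the app it
describes. Input is a decoded (text) AndroidManifest.xml. The permission to
behaviour mapping below is an assumption based on how Android overlays and
sideloading work in general, not something the article itself documents.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{" + ANDROID_NS + "}"  # ElementTree prefix for android:* attributes

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"          # draw over other apps
A11Y_BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"  # observe/act on other UIs
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"     # install a fetched APK
INTERNET_PERM = "android.permission.INTERNET"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(A + "name") for el in root.iter("uses-permission") if el.get(A + "name")}


def accessibility_services(manifest_xml: str) -> list:
    """Return names of <service> elements guarded by the accessibility bind permission.

    An accessibility service is declared with android:permission on the
    <service> element, not with <uses-permission>, so it needs its own check.
    """
    root = ET.fromstring(manifest_xml)
    return [s.get(A + "name") for s in root.iter("service")
            if s.get(A + "permission") == A11Y_BIND_PERM]


def triage(manifest_xml: str) -> dict:
    """Combine permission and service findings into a short review summary."""
    perms = requested_permissions(manifest_xml)
    a11y = accessibility_services(manifest_xml)
    findings = []
    if OVERLAY_PERM in perms:
        findings.append("overlay: SYSTEM_ALERT_WINDOW can draw windows over other apps' login screens")
    if a11y:
        findings.append("overlay/automation: accessibility service(s) %s can read and act on other apps' UI" % a11y)
    if INSTALL_PERM in perms and INTERNET_PERM in perms:
        findings.append("dropper: INTERNET + REQUEST_INSTALL_PACKAGES allows fetching and installing a second-stage APK")
    if perms & SMS_PERMS:
        findings.append("2FA interception: SMS read/receive permissions requested")
    # Each capability alone is legitimate for many apps; several together in a
    # "currency converter" is what should trigger a manual review.
    risk = "high" if len(findings) >= 2 else ("review" if findings else "low")
    return {"permissions": sorted(perms), "accessibility_services": a11y,
            "findings": findings, "risk": risk}


# Constructed sample manifests (not taken from the real app).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.converter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Converter">
    <activity android:name=".MainActivity"/>
    <service android:name=".AccessService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.converter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Converter">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, result["risk"])
        for f in result["findings"]:
            print("  -", f)
```

Because of the “activity pause” trick the article describes, a build that lacks the payload-fetching code may also lack these permissions, so a clean result on one version says nothing about the next update; re-run the triage on every new build rather than on the first one only.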