Cerberus Was Found Lurking on the Google Play Store

  • The Cerberus app wore the sheepskin of a Spanish currency converter app and entered the Play Store.
  • The app followed the tactic of introducing inactivity periods, tricking users and researchers alike.
  • Cerberus is overlaying fake login pages to steal banking credentials from a wide range of banks.

In what seemed only a matter of time, Cerberus has been spotted on the Google Play Store: Avast researchers found it hiding inside a currency converter app. The app is named ‘Calculadora de Moneda,’ and it is obviously targeting the Spanish audience. To be more precise, Cerberus itself was disguised as a currency converter, so this is not a case of a legitimate app being compromised, with or without its authors’ knowledge. The app was approved for inclusion in the Play Store and has amassed 10,000 users to date.

The fact that the app behaves normally for the first few weeks has certainly played a key role in hiding its real intentions, and this is perhaps why Google’s Play Protect team missed it in their reviews. The delay also lowers the risk of drawing the user’s attention to the culprit app, since the user fails to connect the malicious activity with something that was installed weeks earlier. At some point, ‘Calculadora de Moneda’ fetches Cerberus from the C2 server, downloading it onto the device via a background process that is hidden from the user.

Cerberus then overlays its own fake login pages on top of the real banking apps when the user launches them, stealing the credentials entered. As we reported back in August last year, Cerberus targets financial institutions in the United States, France, Japan, Spain, and more. It can also grab Google Account credentials and steal 2FA tokens and OTP codes from the Google Authenticator app. This makes Cerberus a very serious menace for Android users who access banking services directly from their mobile device, even those who use two-factor authentication.

Avast noticed that the malicious actors performed the typical “activity pause” trick, which involves removing the payload-fetching functionality and the hard-coded C2 address from the app for extended periods. This is done to reduce the risk of detection, keeping the malicious functionality active only for short windows. Still, Avast has been following them for a while, and the app has already been reported to Google. Note also that malicious versions of the app were spotted and sampled from other app stores and websites too, which is another reminder of why you shouldn’t download apps from unofficial sources.
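As an added illustration (not code from Avast or the original report), here is a small Python detector for the dormant-dropper pattern described above: an app that stays quiet after installation for at least two weeks and then fetches an executable package from a host it has never contacted before. The per-app network log format, package names, hosts and timestamps are all constructed for this example.

```python
"""Flag the dormant-dropper pattern: installed, quiet for weeks, then a
background download of an executable payload from a brand-new host."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <package> <host|install> <content-type|->"
SAMPLE_EVENTS = """\
2020-05-01T10:00:00 com.example.converter install -
2020-05-01T10:05:12 com.example.converter api.rates.test application/json
2020-05-15T09:11:03 com.example.converter api.rates.test application/json
2020-06-03T02:13:41 com.example.converter cdn.payload-host.test application/vnd.android.package-archive
2020-05-02T08:00:00 com.example.weather install -
2020-05-02T08:01:00 com.example.weather api.weather.test application/json
2020-05-03T08:01:00 com.example.weather api.weather.test application/json
"""

# Content types that indicate code rather than data is being pulled down.
PAYLOAD_TYPES = {"application/vnd.android.package-archive", "application/octet-stream"}


def parse_events(text):
    """Group log lines by package and sort each package's events by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, pkg, host, ctype = line.split()
        events[pkg].append((datetime.fromisoformat(ts), host, ctype))
    for pkg in events:
        events[pkg].sort()
    return events


def find_dormant_droppers(text, min_quiet_days=14):
    """Return (package, host, timestamp) for every first contact with a new host
    that delivers an executable payload at least min_quiet_days after install."""
    findings = []
    for pkg, evs in parse_events(text).items():
        install = next((ts for ts, host, _ in evs if host == "install"), None)
        if install is None:
            continue  # no install record: cannot measure the quiet period
        seen_hosts = set()
        for ts, host, ctype in evs:
            if host == "install":
                continue
            first_contact = host not in seen_hosts
            seen_hosts.add(host)
            waited_long_enough = (ts - install) >= timedelta(days=min_quiet_days)
            if first_contact and waited_long_enough and ctype in PAYLOAD_TYPES:
                findings.append((pkg, host, ts.isoformat()))
    return findings
```

The weather app in the sample talks only to the host it used from day one and never fetches code, so it is not flagged; the converter is, because its first contact with a new host, 33 days after install, delivers an APK.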
