Cerberus Was Found Lurking on the Google Play Store

  • The Cerberus app wore the sheepskin of a Spanish currency converter app and entered the Play Store.
  • The app followed the tactic of introducing inactivity periods, tricking users and researchers alike.
  • Cerberus is overlaying fake login pages to steal banking credentials from a wide range of banks.

In what seemed only a matter of time, Cerberus has been spotted on the Google Play Store, where Avast researchers found it hiding inside a currency converter app. The app is named ‘Calculadora de Moneda,’ and it is obviously targeting a Spanish audience. To be precise, Cerberus itself is disguised as a currency converter, so this is not a case of a legitimate app being compromised, with or without its authors’ knowledge. The app was approved for inclusion in the Play Store and has amassed 10,000 users to date.

The fact that the app behaves normally for the first few weeks has certainly played a key role in hiding its real intentions, and this is possibly why Google’s Play Protect team missed it in their reviews. The delay also removes the risk of drawing the user’s attention to the culprit app, since the user is unlikely to connect suspicious activity with something installed weeks earlier. At some point, ‘Calculadora de Moneda’ fetches Cerberus from the C2 server, downloading it onto the device via a background process that is hidden from the user.

Cerberus will then overlay its own fake login pages on top of the actual banking apps when these are launched by the user, stealing the entered credentials. As we reported back in August last year, Cerberus supports financial institutions from the United States, France, Japan, Spain, and more. It can also grab Google Account credentials or steal 2FA tokens and OTP codes from the Google Authenticator app. This makes Cerberus a very serious menace for Android users who access banking services from their mobile device, even those who use two-factor authentication.

Avast noticed that the malicious actors performed the typical “activity pause” trick, which involves removing the payload-fetching functionality and the hard-coded C2 address from the app for extended periods. This is done to reduce the risk of detection by keeping the malicious functionality active only for short windows. Still, Avast has been following them for a while, and the app has already been reported to Google. You should also note that malicious versions of the app were spotted and sampled from other app stores and websites too, which is another reminder of why you shouldn’t download apps from unofficial sources.
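The two behaviours described above, drawing fake login screens over other apps and pulling in a payload after installation, both depend on capabilities an app must declare in its Android manifest. The following triage script is an added example written for this article; it is not Avast’s tooling, Google’s Play Protect logic, or anything from the Cerberus operators. It parses a manifest, collects the declared permissions, and flags an app whose stated purpose (a currency converter) does not justify overlay access or the ability to install further packages. The permission names are real Android identifiers; the sample manifests are constructed for illustration, and the exact permission set a given Cerberus dropper requests is an assumption, not something the article states.

```python
"""Manifest permission triage for overlay-style banking trojans (added example)."""
import xml.etree.ElementTree as ET

# Attribute namespace used by every Android manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: an overlay credential stealer needs one of these to draw over or
# observe other apps' screens ...
OVERLAY_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
}
# ... and, to behave as a dropper, network access plus the right to install
# packages it downloads later.
INSTALL_PERMS = {"android.permission.REQUEST_INSTALL_PACKAGES"}
NETWORK_PERMS = {"android.permission.INTERNET"}


def permissions_from_manifest(manifest_xml: str) -> set:
    """Collect <uses-permission> names and any permission guarding a <service>
    (BIND_ACCESSIBILITY_SERVICE is declared on the service, not requested)."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    for svc in root.iter("service"):
        guard = svc.get(ANDROID_NS + "permission")
        if guard:
            perms.add(guard)
    return perms


def triage(manifest_xml: str) -> dict:
    """Return the permissions found, human-readable findings, and a verdict.
    A utility app such as a currency converter needs neither capability."""
    perms = permissions_from_manifest(manifest_xml)
    can_overlay = bool(perms & OVERLAY_PERMS)
    can_drop = bool(perms & INSTALL_PERMS) and bool(perms & NETWORK_PERMS)
    findings = []
    if can_overlay:
        findings.append("can draw over or read other apps' screens")
    if can_drop:
        findings.append("can fetch and install additional packages at runtime")
    return {
        "permissions": sorted(perms),
        "findings": findings,
        "suspicious": can_overlay or can_drop,
    }


# Constructed sample manifests (not taken from any real app).
BENIGN_CONVERTER = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.converter.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Converter"/>
</manifest>"""

DROPPER_CONVERTER = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.converter.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Converter">
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_CONVERTER), ("suspect", DROPPER_CONVERTER)):
        result = triage(manifest)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

The check is deliberately conservative: it reports only that the declared capabilities are inconsistent with the app’s stated purpose, which is exactly the mismatch a dormant dropper relies on reviewers not noticing. It cannot detect the “activity pause” trick on its own, since a build with the fetch logic removed may declare fewer permissions; comparing manifests across successive versions of the same package is the natural follow-up.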
