
New Malware-as-a-Service Called “Alien” Is the Reason Behind “Cerberus” Demise

By Bill Toulas / September 24, 2020

As we all witnessed the recent fall of the “Cerberus” Android trojan, many theories trying to explain the reasons behind it came to light. Some supposed that the authors wanted to focus on more lucrative projects, some claimed internal conflicts, and many assumed that a new platform had emerged underground, stealing the community’s interest.

As ‘Threat Fabric’ researchers have now confirmed, the last explanation is the correct one. A new malware-as-a-service (MaaS) called “Alien” has emerged, and it is based on the source code of Cerberus.

[Image: Cerberus samples. Source: Threat Fabric]

This means that the reason for auctioning the Cerberus source code was that it had been leaked anyway, as the first signs of Alien’s existence come from January 2020. The auction failed, and the Cerberus source was eventually shared for free.

The only difference that this makes for Alien is that it can use a more recent version of the trojan to create a new fork. As the researchers point out, though, even the current version of Alien is very potent - otherwise, it wouldn’t draw people from other trojan projects.

The complete list of Alien’s features right now includes the following actions:

Moreover, Alien can work as a RAT (remote access tool) and be implemented separately from the command handler. That would enable it to use different C2 endpoints, launch the TeamViewer app on the target system, download additional modules or payloads, and get a list of the installed applications on the infected device.

[Image: Alien targets. Source: Threat Fabric]

As for the targets of Alien thus far, Spain, Turkey, Germany, the United States, Italy, and France take the lion’s share. Alien has been plaguing users in these countries, stealing their credentials from over 226 applications, and the list of supported apps is growing day by day.

With the Cerberus source code now available for everyone, we expect to see a surge of forks like Alien, but of course, it’s clear who has the head-start.


