Cerberus banking Trojan infiltrates Google Play

The malware was found buried within a seemingly innocent currency converter.


Security researchers have discovered the Cerberus banking Trojan disguised as a legitimate currency app on Google Play. 

On Tuesday, the cybersecurity team at Avast said the malicious app in question posed as a legitimate currency converter app designed for Spanish users. 

In total, the software, "Calculadora de Moneda" (Currency Calculator), has been downloaded over 10,000 times. 

Smartphones and tablets are now used not only to stay in touch with friends and family, but also for entertainment and work, and as gateways to our financial accounts. 

As a result, mobile malware has become a common threat today. To try and keep malicious apps off our devices, vendors including Google and Apple have established strict security measures for software hosted in their official, trusted app repositories. 

On occasion, however, threats still manage to slip the net. 

See also: Android malware can steal Google Authenticator 2FA codes

The malicious app slipped past Google's review by posing as, and actually behaving like, a legitimate app for the first few weeks after it was accepted into Google Play. When users began downloading the app in March, it caused no harm and worked as a genuinely useful utility. 

Once it had built trust with a growing user base, however, the app activated dormant code that turned it into a dropper for the Cerberus Trojan. 

Code that connected Calculadora de Moneda to a command-and-control (C2) server activated several weeks later, commanding the app to download an additional Android Application Package (APK) to devices. 

Once executed, the APK dropped Cerberus, a relatively new Trojan that has been in circulation since June 2019.


The malware draws an overlay on top of legitimate banking and financial apps: Cerberus lurks in the background and, when the victim opens one of those apps, places its own fake login screen over it. Credentials typed into that screen are captured and sent to the attacker's C2. 

Avast noted that the malware is sophisticated enough to read your text messages -- often used to deliver one-time passcodes (OTP) -- as well as grab two-factor authentication (2FA) details. These security measures are intended to further protect our online banking sessions, but Cerberus can circumvent these controls. 
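The behaviour described above (a second-stage APK fetched from a C2 and installed, an overlay drawn over banking apps, and SMS read to harvest OTPs) leaves a footprint in an app's declared permissions. The script below is an added example, not Avast's tooling or anything from the app in question: it reads a decoded AndroidManifest.xml and flags the combination of capabilities the article describes. The mapping from permissions to capabilities, and both manifests, are assumptions constructed for the example.

```python
"""Static triage of an Android manifest for the capability set described in
the article: network access (C2 fetch), installing a further APK (dropper),
drawing over other apps (overlay) and reading SMS (OTP theft).

Added example. The permission-to-capability mapping is an assumption made
here, and both manifests are constructed, not taken from any real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumed mapping: which declared permissions give an app each capability.
# A benign currency converter needs only the first of these.
CAPABILITY_PERMISSIONS = {
    "c2_network": {"android.permission.INTERNET"},
    "drop_apk": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "read_sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
}

# Constructed manifest for a converter that only talks to an exchange-rate API.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.currency">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed manifest for a second-stage payload with the described capabilities.
REARMED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.currency">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {
        elem.get(NAME_ATTR)
        for elem in root.iter("uses-permission")
        if elem.get(NAME_ATTR)
    }


def capabilities(perms):
    """Map declared permissions onto the capability names above."""
    return {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}


def triage(manifest_xml):
    """Flag a manifest when it combines two or more of the non-converter
    capabilities (dropper, overlay, SMS access)."""
    caps = capabilities(declared_permissions(manifest_xml))
    suspicious = {"drop_apk", "overlay", "read_sms"} & caps
    return {
        "capabilities": sorted(caps),
        "suspicious": sorted(suspicious),
        "flag": len(suspicious) >= 2,
    }


if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("rearmed", REARMED_MANIFEST)):
        print(label, triage(manifest))
```

Run it against the manifest of the dropped payload, not only the store listing: by the article's account the converter itself behaved cleanly and only fetched the Cerberus APK later, so the interesting permissions live in the second stage. Treat a hit as a triage signal rather than a verdict; an overlay can also be driven through an accessibility service rather than SYSTEM_ALERT_WINDOW, which this manifest-only check does not see.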

As reported by ZDNet in February, ThreatFabric researchers examining strains of Cerberus said that these capabilities can be used to steal OTPs generated via Google Authenticator, designed as an alternative to SMS-based 2FA passcodes. 


On Monday, Avast researchers noted that by that evening the C2 server had vanished and Cerberus had disappeared from the currency conversion app. This does not mean, however, that the app should no longer be considered malicious, and a threat. 

"Although this was just a short period, it's a tactic fraudsters frequently use to hide from protection and detection i.e. limiting the time window where the malicious activity can be discovered," Avast says. 

Google has been informed of the researchers' findings. 

ZDNet has reached out to Google and will update when we hear back. 
