Cerberus banking Trojan team breaks up, source code goes to auction

The Android malware’s operator is hoping the code and client list will net them up to $100,000.
Written by Charlie Osborne, Contributing Writer

The source code of the Android-based Cerberus banking Trojan is being auctioned off due to the break-up of the development team. 

As reported by Bleeping Computer, the malware's maintainer recently posted an advert on an underground forum for Russian speakers offering the malware on a bidding basis, with the hopes of generating up to $100,000 from the sale. 

According to the post, spotted by Hudson Rock, the operator is attempting to sell off the full project at a starting price of $50,000, including the Trojan's .APK source code, module code, the code for administrator panels, and servers. In addition, threat actors looking to adopt the malware into their own toolkits are being offered Cerberus' customer base with active licensing and the required installation materials. 

See also: Cerberus banking Trojan infiltrates Google Play

The seller says that the project is being sold off due to a "lack of time" and because the "team has broken up" -- leading to what appears to be a single maintainer left to support customers. 

To try and lure potential bidders, the seller claims that the Android malware is generating $10,000 in profit per month. 

Cerberus has been in circulation since 2019 and was spotted earlier this month in the Google Play store, having bypassed Google's app protections. A seemingly-legitimate currency converter app designed for Spanish speakers -- downloaded over 10,000 times before its removal -- deployed the Trojan on Android devices by way of a malicious update performed months after the app passed security inspections. 

CNET: 4 signs your Android phone has hidden malware, and how to deal with it

Researchers from Avast say that in March, the app acted as a legitimate utility. However, after the user base had reached levels in the thousands, the trap was sprung and dormant code transformed into a Cerberus dropper. 

Once deployed on a device, the malware creates overlays across existing financial service and banking apps in order to steal account credentials that are then sent to the attacker's command-and-control (C2) server. The Trojan is also able to intercept 2FA mechanisms, such as one-time passcodes (OTP), to obtain the information necessary to pilfer financial accounts. 

TechRepublic: Companies turning to isolation technology to protect against the internet's biggest threats

ThreatFabric researchers said in February that test versions of the malware are able to abuse Android Accessibility privileges to steal OTPs from Google Authenticator, software designed to enhance the security of 2FA in comparison to one-time SMS messages. 

Cerberus has many of the standard capabilities of Remote Access Trojans (RATs), including data theft modules, keylogging, phone call recording, and SMS grabbing. The malware is also advertised as being able to lock mobile devices, uninstall apps, push notifications, and self-destruct.  

The biggest hacks, data breaches of 2020 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards