#1271713: New Cerberus Android Banker Uses Pedometer to Avoid Analysis

Description: A new banking trojan for Android devices relies on the accelerometer sensor to delay its running on the system and thus evade analysis from security researchers.

Cerberus malware has recently stepped into the malware-as-a-service business filling the void left by the demise of previous Android bankers.

The malware author(s) claim that it was used privately for the past two years and that they created Cerberus from scratch over several years.

Security researchers from Amsterdam-based cybersecurity company ThreatFabric analyzed a sample of the malware and found that it did not borrow from Anubis, an Android banker whose source code got leaked, sparking the creation of clones.

When you move, Cerberus moves
Payload and string obfuscation are normal techniques for making analysis and detection more difficult, but Cerberus also uses a mechanism that determines if the infected system is moving or not.

The trojan achieves this by reading data from the accelerometer sensor present on Android devices to measure the acceleration force on all three physical axes, X, Y, and Z, also considering the force of gravity.

By implementing a simple pedometer, Cerberus can track if the victim is moving using the code below. A real person will move around, generating motion data and increasing the step counter.

...
this.sensorService.registerListener(this, this.accelerometer, 3);
Sensor localSensor = sensorEvent.sensor;
this.sensorService.registerListener(this, localSensor, 3);
if(localSensor.getType() == 1) {
float[] values = sensorEvent.values;
float Gx = values[0];
float Gy = values[1];
float Gz = values[2];
long timestamp = System.curTimeMillis();
if(timestamp - this.previousTimestamp > 100L) {
long interval = timestamp - this.previousTimestamp;
this.previousTimestamp = timestamp;
if(Math.abs(Gx + Gy + Gz - this.curGx - this.curGy - this.curGz)
/ (((float)interval)) * 10000f > 600f) {
this.increaseStepCount();
}

this.curGx = Gx;
this.curGy = Gy;
this.curGz = Gz;
}
}
...
if(Integer.parseInt(
this.utils.readConfigString(arg7, this.constants.step))
The malware becomes active and starts communicating with the command and control server when a specific number of steps is reached.

This safety check is implemented specifically to avoid running on test devices or in sandbox environments used for malware analysis.

Standard banking trojan features
From the samples found in the wild, Cerberus poses as a Flash Player application. When it executes on a system, the malware hides its icon and demands increased privileges through the Accessibility Service.

Then it starts granting itself additional permissions that allow it to send messages and make calls without user interaction. According to the researchers, the malware also disabled Google Play Protect to prevent discovery and disinfection.

The set of features available in this trojan are standard and does not show any signs of innovative or special functions like a back-connect proxy, remote control, or screen streaming, which are present in more advanced Android bankers.

Using the functions below, Cerberus manages to keep a low profile for its operations:

Overlaying: Dynamic (Local injects obtained from C2)
Keylogging
SMS harvesting: SMS listing
SMS harvesting: SMS forwarding
Device info collection
Contact list collection
Application listing
Location collection
Overlaying: Targets list update
SMS: Sending
Calls: USSD request making
Calls: Call forwarding
Remote actions: App installing
Remote actions: App starting
Remote actions: App removal
Remote actions: Showing arbitrary web pages
Remote actions: Screen-locking
Notifications: Push notifications
C2 Resilience: Auxiliary C2 list
Self-protection: Hiding the App icon
Self-protection: Preventing removal
Self-protection: Emulation-detection
Architecture: Modular
Mixed set of targets
ThreatFabric found several samples of phishing overlays used by Cerberus to steal credentials and credit card data.

For the moment, the researchers found in the while only one target list with 30 unique entries. Among the targets are banking apps from France (7), the U.S. (7), Japan (1). Another 15 of them are non-banking apps.

"This uncommon target list might either be the result of specific customer demand, or due to some actors having partially reused an existing target list." - ThreatFabric

With the help of overlays, the malware tricks the victim into giving sensitive information that ranges from credentials to online services to payment card and banking info.

Determining when the phishing overlay should be used and which one to load is possible through its increased privileges, which allow it to obtain the package name for the foreground app.

Advertising the service
The operators of the malware advertise their service in the open, without fearing consequences from exposing indicators of compromise and other details.

A Twitter account is used to promote the tool to potential buyers and shows image captures with low or zero detection rates from multiple scanning services. A thread directed at security researchers offers a few details about the malicious APK used with Cerberus and boasts that it is an original creation that spent several years in development.

YouTube is another advertising channel. A video presentation on Google's platform goes through the command and control capabilities and demonstrates interaction with an infected system from entry to remote removal procedure.

Bot management is done through a console that makes it easy for the administrator to push various commands to the compromised system.

For hashes of the payload samples detected in the wild and the full list of targets, check ThreatFabric's report.
More info: https://www.bleepingcomputer.com/news/security/new-cerberus-android-banker-uses-pedometer-to-avoid-analysis/

Date added Aug. 14, 2019, 11:18 a.m.
Source Bleeping Computer
Subjects
  • Android Malware - New Reports in
  • Banking Malware - New Reports in
  • Cerberus Android Banking Malware - For Rent -