Researchers have discovered 15 samples posing as Chrome and other Google Play Store apps that deploy the malicious Android banking trojan Cerberus instead. This is part of a larger, ongoing campaign dubbed ErrorFather, which seems to have picked up pace in September and October 2024.
The samples, discovered between mid-September and the time of writing, use a multi-stage dropper to deploy their malicious payload. This method effectively bypasses the security checks Google’s app store runs on every app developer’s upload to the platform.
As for the Cerberus trojan, it first appeared on underground forums in 2019. It’s designed to appear legitimate while stealing banking app credentials, credit card details, and other personal or sensitive information. It does so by abusing Android’s built-in accessibility features: it draws overlays on top of legitimate apps to perform overlay attacks and includes keylogging functionality, making it one of the most sought-after banking trojans.
However, Cerberus’ source code was leaked in 2020, and since then, multiple variants using the same codebase have popped up in hacker markets. These include Alien, launched in 2020 during the Cerberus source code leak, and ERMAC in 2021, which could target more than 450 financial and social media apps. Another variant called Phoenix came out in early 2024; it reportedly used the exact same source code as Cerberus, while Alien and ERMAC had made some modifications to enhance functionality.

ErrorFather is another example of Cerberus being repurposed years after its source code leaked online. The source code has been altered, but Cyble researchers state that the change isn’t significant enough to “classify it as entirely new malware.”
Researchers discovered malicious samples with active Command and Control (C2) servers, suggesting the campaign is still ongoing. The trojan can also receive commands over Telegram using a bot dubbed “ErrorFather.”
The malware used in the campaign bypasses Play Store restrictions by installing itself as a harmless app that later gains sensitive permissions before installing the malicious payload. The primary APK file is a session-based dropper that contains a second-stage APK.
The first stage involves a session-based installation technique to install the APK from within the app’s assets, bypassing security restrictions. The second stage APK file, named “final-signed.APK”, contains a manifest file that requests sensitive permissions and services before finally decrypting and installing the malware.
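The two-stage structure described above leaves static indicators a defender can triage for without executing anything: the outer APK (which is a ZIP archive) carries a second APK inside its assets/ directory, and its bytecode references the PackageInstaller session API used to install it. The script below is an added illustration, not code from Cyble or from the campaign; it constructs stand-in APKs in memory (no real malware) and flags the combination of both indicators. The marker string, file names and the two-indicator rule are assumptions of this example, and a real triage pipeline would confirm hits by inspecting the nested APK’s manifest.

```python
"""Triage heuristic for session-based dropper APKs (constructed example)."""
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
# Type descriptor under which the Android session-installer API appears as a
# string constant inside classes.dex; treated here as an assumption for triage.
SESSION_API_MARKER = b"Landroid/content/pm/PackageInstaller$Session;"


def find_embedded_apks(apk_bytes: bytes) -> list:
    """Return names of entries under assets/ that are themselves ZIP/APK files."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            with zf.open(info) as fh:
                head = fh.read(4)           # decompressed, so magic is visible
            if head == ZIP_MAGIC:
                hits.append(info.filename)
    return hits


def references_session_installer(apk_bytes: bytes) -> bool:
    """True if any classes*.dex entry contains the PackageInstaller.Session type string."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                if SESSION_API_MARKER in zf.read(name):
                    return True
    return False


def triage(apk_bytes: bytes) -> dict:
    """Combine both indicators; either alone is common in benign apps."""
    embedded = find_embedded_apks(apk_bytes)
    session = references_session_installer(apk_bytes)
    return {
        "embedded_apks": embedded,
        "uses_session_installer": session,
        "suspected_dropper": bool(embedded) and session,
    }


def build_sample_apk(nested: bool, session_api: bool) -> bytes:
    """Construct a minimal stand-in APK (a ZIP) for offline testing.

    The manifest and dex contents are placeholders, not real Android binaries.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder binary manifest>")
        dex = b"dex\n035\x00" + (SESSION_API_MARKER if session_api else b"")
        zf.writestr("classes.dex", dex)
        if nested:
            inner = io.BytesIO()
            with zipfile.ZipFile(inner, "w") as izf:
                izf.writestr("classes.dex", b"dex\n035\x00")
            # Same asset name the article reports for the second stage.
            zf.writestr("assets/final-signed.APK", inner.getvalue())
        else:
            zf.writestr("assets/readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    print("dropper-like:", triage(build_sample_apk(nested=True, session_api=True)))
    print("benign-like: ", triage(build_sample_apk(nested=False, session_api=False)))
```

Run it on a real sample by replacing the constructed bytes with `open("sample.apk", "rb").read()`; the check is deliberately conservative and only raises `suspected_dropper` when both a nested APK and the session-installer reference are present, since plugin-style apps may legitimately carry one or the other.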
Researchers suggest mitigations such as only installing apps from the Google Play Store, using strong passwords and multi-factor authentication, enabling biometric security features, and ensuring Google Play Protect is enabled on Android devices.