Cerberus Unchained: A Multi-Stage Trojan Banking Campaign

CerberusTrojanBankingTrojanAndroidMalwarePhishingAttacksAndroidSecurityErrorFather

The Cerberus Android banking trojan is a type of malware designed to steal sensitive information, such as banking credentials and credit card information, by disguising itself as legitimate apps. It uses techniques such as overlay attacks, where it tricks users into entering data into fake screens that appear over trusted apps. Since its discovery in 2019, Cerberus has evolved to gain advanced capabilities such as advanced keylogging and remote control, and is distributed through Google Play Store apps, making it a persistent threat to Android users.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Tactic	Technique ID	Remediation
Initial Access	Phishing (T1660)	Implement email filtering with advanced threat detection, conduct regular phishing awareness training, and enforce MFA.
Execution	Native API (T1575)	Employ application whitelisting to prevent unauthorized use of APIs, and monitor API calls for abnormal behavior.
Defense Evasion	Masquerading: Match Legitimate Name or Location (T1655.001)	Use application verification tools and enforce strong app store policies. Monitor for unusual app behaviors.
Defense Evasion	Application Discovery (T1418)	Implement endpoint detection and response (EDR) solutions to block suspicious app discovery activities.
Defense Evasion	Indicator Removal on Host: Uninstall Malicious Application (T1630.001)	Use mobile device management (MDM) solutions to detect and block unauthorized app uninstalls.
Defense Evasion	Input Injection (T1516)	Monitor input injection behaviors, use app sandboxing to restrict permissions, and update security patches regularly.
Collection	Input Capture: Keylogging (T1417.001)	Use anti-keylogging software, implement strict app permissions, and audit access to sensitive data.
Discovery	Software Discovery (T1418)	Deploy endpoint protection to detect and block unauthorized software discovery attempts.
Discovery	System Information Discovery (T1426)	Limit app access to system information, enforce app permission policies, and monitor requests for device info.
Collection	Screen Capture (T1513)	Restrict apps’ screen capture permissions, use EDR to monitor screen capture attempts, and limit third-party screen tools.
Collection	Audio Capture (T1429)	Enforce microphone access restrictions, use MDM to block unauthorized audio capture, and audit permissions regularly.
Collection	Call Control (T1616)	Limit app access to call-making features and monitor for unauthorized call activities through MDM.
Collection	Protected User Data: Contact List (T1636.003)	Encrypt contact data, apply least privilege access for apps, and monitor apps requesting contact access.
Command and Control	Dynamic Resolution: Domain Generation Algorithms (T1637.001)	Use DNS filtering to detect and block suspicious domain generation, and analyze network traffic for anomalies.
Command and Control	Encrypted Channel: Symmetric Cryptography (T1521.001)	Monitor encrypted traffic with deep packet inspection (DPI) and use IDS to detect anomalous encrypted communications.
Exfiltration	Exfiltration Over C2 Channel (T1646)	Deploy data loss prevention (DLP) solutions to monitor and block suspicious data exfiltration attempts.

Observed Countries250

AD (55)

AE (506)

AF (401)

AG (92)

AI (287)

AL (372)

AM (482)

AO (343)

AQ (586)

AR (516)

AS (100)

AT (24)

AU (349)

AW (90)

AX (351)

AZ (983)

BA (745)

BB (311)

BD (848)

BE (232)

BF (991)

BG (566)

BH (503)

BI (136)

BJ (151)

BL (369)

BM (918)

BN (753)

BO (174)

BQ (33)

BR (70)

BS (864)

BT (78)

BV (275)

BW (373)

BY (835)

BZ (28)

CA (828)

CC (593)

CD (762)

CF (915)

CG (207)

CH (863)

CI (180)

CK (683)

CL (695)

CM (618)

CN (715)

CO (162)

CR (90)

CU (971)

CV (55)

CW (490)

CX (261)

CY (934)

CZ (342)

DE (263)

DJ (90)

DK (892)

DM (254)

DO (326)

DZ (536)

EC (215)

EE (73)

EG (83)

EH (680)

ER (970)

ES (532)

ET (438)

FI (669)

FJ (410)

FK (55)

FM (126)

FO (871)

FR (123)

GA (695)

GB (621)

GD (118)

GE (555)

GF (898)

GG (808)

GH (979)

GI (257)

GL (824)

GM (51)

GN (709)

GP (1)

GQ (347)

GR (745)

GS (21)

GT (591)

GU (534)

GW (688)

GY (960)

HK (659)

HM (492)

HN (270)

HR (110)

HT (997)

HU (409)

ID (523)

IE (338)

IL (125)

IM (725)

IN (117)

IO (512)

IQ (82)

IR (843)

IS (954)

IT (742)

JE (283)

JM (767)

JO (604)

JP (195)

KE (227)

KG (3)

KH (270)

KI (869)

KM (198)

KN (505)

KP (230)

KR (311)

KW (908)

KY (469)

KZ (252)

LA (73)

LB (876)

LC (934)

LI (862)

LK (294)

LR (119)

LS (815)

LT (644)

LU (17)

LV (179)

LY (225)

MA (54)

MC (266)

MD (232)

ME (720)

MF (189)

MG (730)

MH (608)

MK (981)

ML (281)

MM (961)

MN (230)

MO (394)

MP (697)

MQ (95)

MR (63)

MS (739)

MT (55)

MU (739)

MV (718)

MW (207)

MX (504)

MY (695)

MZ (400)

NA (130)

NC (78)

NE (382)

NF (549)

NG (603)

NI (920)

NL (30)

NO (459)

NP (773)

NR (599)

NU (194)

NZ (485)

OM (101)

PA (360)

PE (484)

PF (923)

PG (651)

PH (828)

PK (681)

PL (897)

PM (438)

PN (915)

PR (462)

PS (222)

PT (91)

PW (148)

PY (697)

QA (157)

RE (352)

RO (350)

RS (194)

RU (760)

RW (308)

SA (1)

SB (568)

SC (246)

SD (783)

SE (469)

SG (356)

SH (590)

SI (653)

SJ (561)

SK (293)

SL (990)

SM (330)

SN (48)

SO (626)

SR (658)

SS (108)

ST (255)

SV (796)

SX (839)

SY (667)

SZ (833)

TC (94)

TD (935)

TF (912)

TG (35)

TH (20)

TJ (232)

TK (161)

TL (31)

TM (98)

TN (84)

TO (26)

TR (742)

TT (440)

TV (21)

TW (59)

TZ (505)

UA (816)

UG (802)

UM (706)

US (840)

UY (537)

UZ (335)

VA (479)

VC (327)

VE (385)

VG (193)

VI (313)

VN (934)

VU (89)

WF (387)

WS (458)

XK (50)

YE (334)

YT (412)

ZA (996)

ZM (460)

ZW (287)