Cerberus Hounding Google Play

The Cerberus banking trojan has been spotted disguised as a legitimate currency app on Google Play.

What’s going on?

Posing as a currency converter app, this trojan targets Spanish users and has been downloaded more than 10,000 times. According to research by Avast, the trojan hid its malicious intentions for a few weeks while being available on the Google Play Store.

Malware functions

  • After being downloaded thousands of times, the legitimate app had transformed into a dropper to deliver malicious payloads but the C2 server had not issued any commands yet.
  • In the last two days, the command to download the malicious banking trojan APK was issued. 
  • This resulted in the activation of the trojan, stealing the access data of users.

Recent banking trojan activities

  • In May, the Ursnif banking trojan was found to target Windows PC and steal vital information.
  • Grandoreiro - another banking trojan - was unveiled to be taking advantage of the COVID-19 crisis to target users in Mexico, Spain, Peru, and Brazil.
  • EventBot - a mobile banking trojan - was suspected to masquerade as a legitimate app, such as Adobe Flash and Microsoft Word, to infiltrate smartphones.

How to stay safe?

  • Always confirm that the app you are using is a verified banking app and implement two-factor authentication (2FA).
  • Be attentive toward requested app permissions.
  • Do not provide device administration permission to any app unless in exceptional cases for known fucntionality of such apps.

The bottom line

The bottom line is that although the trojan was on Google Play for a short period of time. It is a frequent tactic employed by malicious actors to avoid detection in its early stages.