Cerberus is a banking trojan for Android that was first identified on underground forums in August 2019 and has been in use for private operations since then.

What happened?

Recently, the attackers behind this malware released the source code for free on underground forums after a failed auction. It has been looking for a new owner for some time.
  • The source code was put for auction (in a failed attempt) and later the code was released for free due to the breakup of the malware development team.
  • In July, the Cerberus banking trojan’s source code was offered for sale at a price tag of $50,000. The offer included everything from an installation guide to the customer list and more.

Modus operandi

  • The banking trojan can be often seen disguised as a genuine app to access the banking details of unsuspecting users.
  • For a few weeks, the app works as it claims, but soon after it begins its malicious activities on users’ devices.
  • In one case, it was distributed to the employees of a company, via the company’s MDM server.

Previous attacks

  • In early-July, the banking trojan posed as a Spanish currency converter application on Google Play Store and hid its malicious intentions for a few weeks. The app gained the trust of customers to steal banking data.
  • In April, a new variant of this banking trojan targeted a multinational conglomerate and was spread by exploiting their Mobile Device Manager (MDM) server.
  • In late-March, cybercriminals crafted a coronavirus-themed scam and laced a mobile application with Cerberus banking trojan to target Spanish users.


The banking trojan is known to spread via Google Play Store and third-party download sites. Therefore, experts recommend avoiding third-party sources for download and regularly monitoring application behavior. In addition to this, installing an antivirus application can protect users from such threats.

Cyware Publisher