The Cerberus Banking Trojan Is Up For Sale

The Cerberus banking trojan emerged as malware-as-a-service in the threat landscape in August 2019. Recently, the group behind the notorious Android trojan has been auctioning its project.


A hefty deal

For around a year, the Cerberus maintainers advertised their business and rented the malicious bot for up to $12,000 per year or on a license for shorter periods ($4,000/3 months, $7,000/6 months).
  • The Cerberus operators have been spotted offering their full project, including the trojan's malicious APK source code, module code, the code for admin panels, and the servers, for a price starting at $50,000. By paying $100,000, any buyer could purchase it without having to participate in the auction.
  • The deal further adds Cerberus' customer base with active licensing and the required installation materials.
  • The operators have been looking for potential buyers by boasting about the capabilities available in Cerberus, like taking screenshots, spoofing notifications from the banking services, and stealing account credentials, two-factor authentication (2FA) codes, and others.


An active malware

First reported in June 2019 and active since at least 2017, with time, Cerberus has added several interesting novelties with new versions and new targets.
  • In the first week of July, Cerberus was spotted disguised as a legitimate currency app, named ‘Calculadora de Moneda’ on Google Play.
  • In April, a Cerberus variant, equipped with Mobile Remote Access Trojan (MRAT) capabilities, had infected over 75% of Vodafone's devices using the company’s Mobile Device Manager (MDM) server.

In a similar attempt, the profitable advanced Dharma ransomware was also put up for sale back in March. Dharma was available for a price as low as $2,000 on two Russian-language hacking forums.


Watch out

After the recent enhancement, Cerberus malware gained capabilities to use the Accessibility Services. This enables it to steal Google authenticator credentials, Gmail passwords and phone unlocking patterns, and thus bypass all user interactions. If such a ferocious and capable malware reaches wrong capable hands, it may cause serious damage to users.