Researchers from Avast discovered a malicious Android app, “Cerberus”, on the Google Play store spreading a banking Trojan. The Trojan was being spread via a Spanish currency converter app, “Calculadora de Moneda”, targeting Android users in Spain since March 2020, and had already reached 10,000 downloads. The researchers stated that the Cerberus Trojan, once downloaded, can steal banking credentials, bypass security measures, access text messages, and even interfere with two-factor authentication (2FA).
“As is common with banking malware, Cerberus disguised itself as a genuine app in order to access the banking details of unsuspecting users. What is not so common is that a banking Trojan managed to sneak onto the Google Play Store. To avoid initial detection, the app hid its malicious intentions for the first few weeks while being available on Google Play. During this time, the app acted normally as a legitimate converter, and it did not steal any data or cause any harm. This was possibly to stealthily acquire users before starting any malicious activities, which could have grabbed the attention of malware researchers or Google’s Play Protect team,” the researchers said in a statement.
The Cerberus Trojan app operates stealthily to gain the trust of users and steals their banking data later. The app operates in three stages:
- In the first stage, the Calculadora de Moneda app appears normal and does not steal any data from users who have downloaded it.
- In the second stage, the normal-looking app turns into a malicious dropper, which downloads another malicious app onto the device without the user’s knowledge.
- In the final stage, the app activates the malicious Trojan, which targets the genuine banking app already installed on the victim’s device and waits for the user to log in. The Trojan draws an overlay on top of the login screen to capture the credentials.
Avast stated that the malicious app was taken down after it reported the findings to Google.
Protection Against Banking Trojans
Avast recommended that users take the following mitigation measures to protect themselves from mobile banking Trojans:
- Confirm that the app you are using is a verified banking app. If the interface looks unfamiliar or odd, double-check with the bank’s customer service team.
- Use two-factor authentication if your bank offers it as an option.
- Only rely on trusted app stores, such as Google Play or Apple’s App Store. Even though the malware slipped into Google Play, its payload was downloaded from an external source. If you deactivate the option to install apps from other sources, this type of banking Trojan cannot activate on your phone.
- Before downloading a new app, check its user ratings. If other users are complaining about a bad user experience, it might be an app to avoid.
- Pay attention to the permissions an app requests. If you feel that the app is requesting more than it promises to deliver, treat this as a red flag.
- Often, malware will ask to become a device administrator to get control over your device. Don’t grant this permission to an app unless you know it is really necessary for the app to work.
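The three stages described above (dropper, overlay on the banking app's login screen, access to SMS-based 2FA) and the advice to scrutinise permissions and device-administrator requests each correspond to something visible in an app's AndroidManifest.xml. The following script is an added example, not Avast's tooling or anything from the Cerberus analysis: it parses a manifest, flags the permissions and component bindings that map onto those stages, and produces a review score. The indicator weights, the review threshold and both sample manifests (including the package name) are constructed for this example; the permission and action names themselves are standard Android identifiers.

```python
"""Triage an AndroidManifest.xml for capabilities typical of dropper/overlay
banking Trojans. Added example with constructed weights and sample data;
not the analysis tooling of Avast or any other vendor."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Assumed heuristic weights (constructed here, not a published standard).
# Each indicator is tied to the stage of the attack it would enable.
USES_PERMISSION_RISK = {
    "android.permission.REQUEST_INSTALL_PACKAGES":
        ("dropper stage: can prompt installation of a second APK fetched outside the store", 3),
    "android.permission.SYSTEM_ALERT_WINDOW":
        ("overlay stage: can draw a fake login screen over a banking app", 3),
    "android.permission.RECEIVE_SMS":
        ("2FA stage: can observe incoming SMS one-time codes", 2),
    "android.permission.READ_SMS":
        ("2FA stage: can read stored SMS one-time codes", 2),
}
# Component-level signals: the permission a receiver/service *enforces* reveals
# which privileged system binding it is declaring.
COMPONENT_RISK = {
    "android.permission.BIND_DEVICE_ADMIN":
        ("device administrator: resists uninstallation, can lock or wipe the device", 3),
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        ("accessibility service: can read screen content and inject input", 3),
}
REVIEW_THRESHOLD = 5  # assumed cut-off for manual review


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, a risk score and the list of findings."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for node in root.iter("uses-permission"):
        name = node.get(A_NAME, "")
        if name in USES_PERMISSION_RISK:
            reason, weight = USES_PERMISSION_RISK[name]
            findings.append({"indicator": name, "reason": reason, "weight": weight})
    for tag in ("receiver", "service"):
        for node in root.iter(tag):
            enforced = node.get(A_PERMISSION, "")
            if enforced in COMPONENT_RISK:
                reason, weight = COMPONENT_RISK[enforced]
                findings.append({"indicator": f"{tag}:{node.get(A_NAME, '?')}",
                                 "reason": reason, "weight": weight})
    score = sum(f["weight"] for f in findings)
    return {"package": root.get("package", ""), "score": score,
            "needs_review": score >= REVIEW_THRESHOLD, "findings": findings}


# Constructed sample: a "currency converter" that declares far more than it needs.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.currencyconverter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: what a converter actually needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.converter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        result = triage_manifest(manifest)
        print(f"{result['package']}: score={result['score']} review={result['needs_review']}")
        for f in result["findings"]:
            print(f"  - {f['indicator']}: {f['reason']}")
```

The score is only a triage aid: the same permissions are legitimate in a launcher or an SMS client, so the question the script helps a reviewer ask is the one from the list above, namely whether what the app requests matches what it promises to deliver.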
Not the First Time
In 2019, Kaspersky discovered the Ginp banking Trojan, which lures Android users into handing over their credit card credentials.
For more information, read “Ginp Banking Trojan Lures Android Users Amidst COVID-19 Outbreak”.