Cerberus Banking Trojan Found on Google Play

Cerberus, the latest Android banking trojan to hit the headlines, has infiltrated Google Play, security researchers have discovered. On Tuesday, July 7, the Mobile Threat Labs team at Avast published a blog post reporting that they had found the malware on Google Play posing as a legitimate currency converter app.

According to them, the app, called Calculadora de Moneda, bypassed Google's security barriers by hiding its malicious intentions for the first few weeks after being accepted into Google Play.

“This was possibly to stealthily acquire users before starting any malicious activities, which could have grabbed the attention of malware researchers or Google’s Play Protect team. As a result, the app has been downloaded more than 10,000 times so far. We reported it to Google, so they can quickly remove it,” the report explained.

Cerberus Banking Trojan Found

First uncovered in June 2019 by analysts at Threat Fabric, Cerberus is a type of Android malware that enables attackers to remotely access an infected Android device, permitting them to gain SMS control, make calls, take screenshots, access the contact list, and more. It is most famous for its unique security evasion tactic, which makes use of the targeted device’s accelerometer sensor.

“Using the device accelerometer sensor it implements a simple pedometer that is used to measure movements of the victim. The idea is simple - if the infected device belongs to a real person, sooner or later this person will move around, increasing the step counter,” explained Threat Fabric in 2019. “The Trojan uses this counter to activate the bot - if the aforementioned step counter hits the pre-configured threshold it considers running on the device to be safe. This simple measure prevents the Trojan from running and being analyzed in dynamic analysis environments (sandboxes) and on the test devices of malware analysts.”
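For the analysis side of the gating technique described above: a dynamic analysis environment that feeds the emulated accelerometer a realistic walking signal will trip a simple step counter, so a counter-gated sample detonates instead of staying dormant. The example below is added here and is not code from the article or from Threat Fabric; it synthesizes a constructed accelerometer magnitude stream and runs a simple peak-detection pedometer over it to check which profiles reach a given step threshold.

```python
import math

GRAVITY = 9.81  # resting |acceleration| in m/s^2 for a device that is not moving


def walking_stream(steps, samples_per_step=20, amplitude=3.0):
    """Constructed sample (not real sensor data): one sinusoidal peak per step on top of gravity,
    approximating the |a| signal of a phone carried by a walking person."""
    out = []
    for i in range(steps * samples_per_step):
        phase = 2 * math.pi * i / samples_per_step
        out.append(GRAVITY + amplitude * math.sin(phase))
    return out


def stationary_stream(n, jitter=0.05):
    """Constructed sample: tiny deterministic jitter around gravity, as seen from a device lying
    on a desk or from an emulator whose virtual accelerometer barely changes."""
    return [GRAVITY + jitter * math.sin(i * 0.7) for i in range(n)]


def count_steps(magnitudes, threshold=1.5, min_gap=5):
    """Simple pedometer: a step is counted when |a| rises above gravity + threshold; the counter
    re-arms only after the signal drops back below gravity, and steps closer than min_gap
    samples apart are ignored (debounce)."""
    steps = 0
    armed = True
    last_step = -min_gap
    for i, m in enumerate(magnitudes):
        if armed and m > GRAVITY + threshold and i - last_step >= min_gap:
            steps += 1
            last_step = i
            armed = False
        elif m < GRAVITY:
            armed = True
    return steps


def reaches_threshold(magnitudes, step_threshold):
    """True if a motion profile would carry a simple step counter past step_threshold,
    i.e. whether an analysis environment replaying it looks 'inhabited' to such a gate."""
    return count_steps(magnitudes) >= step_threshold


if __name__ == "__main__":
    # step_threshold is a hypothetical value chosen for the demo, not one taken from the malware
    for name, stream in (("walking", walking_stream(30)), ("stationary", stationary_stream(600))):
        print(name, count_steps(stream), reaches_threshold(stream, 20))
```

A sandbox that replays only a flat or noisy-but-stationary profile never advances the counter, which is exactly why such samples look benign under automated analysis.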

According to researchers at Avast, the currency converter app did not cause any harm and behaved as a legitimate app at first to gain the trust of victims. However, the team noticed that code connecting the app to a command-and-control (C2) server had been activated only recently, with the C2 server commanding the app to download an additional malicious Android Application Package (APK).

As of Monday, July 6, the Threat Labs team said the C2 server had disappeared and the trojan was already absent from the currency converter app on Google Play.

“Although this was just a short period, it’s a tactic fraudsters frequently use to hide from protection and detection, i.e., limiting the time window where the malicious activity can be discovered,” they warned.
