Cerberus is Dead, Long Live Cerberus?
November 5, 2020 | 15 minute read
Cerberus is Dead, Long Live Cerberus?
This blog provides an overview of the situation surrounding the release of the source code, and supplementary 'injection' files, for the Android banking trojan 'Cerberus'. In addition to the source code for two versions of the malicious application along with the control panel being freely available on various underground forums, over two hundred injection files, those being HTML pages that mimic the look of legitimate Android apps, have been distributed and could allow the theft of credentials and/or payment card data.
Given that the current threat from Cerberus was countered by Google Play Protect, Google's own Android antimalware solution, other threat actors may act on comments from Cerberus' creators to restore the threat, or simply use the source code to create, or further develop, their own Android threats.
Recent reports indicate that Cerberus is now targeting Android users in Russia as well as countries within the Commonwealth of Independent States (CIS), suggesting that some 'less-patriotic' threat groups have modified the source code and removed these previously defined 'safe countries'. Other than this activity, no other regions have been specifically identified at increased risk.
As time elapses and threat actors gain a better understanding of the released code, others may seek to utilize it, or the injection pages, in their own threats or campaigns. This is especially true given the availability of a Cerberus 'installation service', costing just USD 300, that could allow a lower-sophistication threat actor to gain access to a working Cerberus control panel with Android application package (APK) builder for a fraction of its former cost.
Believed to have been in development for some time and used privately for around two years prior to being first observed by cybersecurity researchers in June 2019, Cerberus is an Android banking trojan that was available via a malware-as-as-service (Maas) offering as advertised on underground forums (Figure 1).
Figure 1 - Cerberus advertisement banners (Bottom: Updated for Cerberus V2)
As is common for threats of this nature, Cerberus supports various capabilities out-of-the-box, such as the ability to interact with, and steal data from, a compromised device including contacts, SMS interception and call forwarding, as well as selling addons in the form of 'injections' that allow credentials and/or payment card data to be stolen from specific legitimate applications.
Reportedly earning the creators at least USD 10,000 a month during its peak, not withstanding any ill-gotten gains made from stolen data, the MaaS model used to rent access to Cerberus' infrastructure was, when not discounted (Figure 2), available in three packages (USD 4,000 for 3 months, USD 7,000 for 6 months and USD 12,000 for one year of access) in addition to injections reportedly selling for USD 4,000 each.
Figure 2 - Cerberus 'Winter Sale'
Having purchased a licence, nefarious users would gain access to the Cerberus control panel which allowed them to build an Android application package (Figure 3), in the form of an 'APK' file ready for distribution to victims, as well as providing them with the ability to manage their compromised devices and access any stolen data (Figure 4).
Figure 3 - Cerberus APK builder (added to the platform in July 2019)
Figure 4 - Cerberus Control Panel
Having configured and generated an APK payload file, threat actors would then need to deliver this to victims likely through the use of social engineering tactics and campaigns such as 'fake media player' messages shown to Android users visiting a compromised or malicious website (Figure 5) as well as fake mobile apps uploaded to various app stores and even the use of COVID-19 themes during the global pandemic.
Figure 5 - Cerberus distributed via fake Adobe Flash Player (Credit: ESET Research)
Reportedly one of the most successful Android banking trojans and MaaS threats of 2019 and into 2020, Cerberus' reign came to a somewhat abrupt end in August 2020 with the creator citing 'internal issues' that prevented ongoing development and undoubtedly contributed to the threat being detected and blocked by Google's built-in antimalware protection 'Google Play Protect'.
Whilst still in development as late as 21 July 2020, seemingly the period between 22 and 26 July 2020 saw Cerberus being detected by Google Play Protect and customers taking to the forum to complain about their 'bots dropping off'.
In response to these complaints, 'Android', Cerberus' creator or the group's spokesperson, suggested on 28 July 2020 that the threat was still operational, albeit requiring the use of a 'cryptor' to prevent detection (Figure 6).
Figure 6 - 'Android' responding in English, rather than Russian, to various complaints about Cerberus on 28 July 2020
Tools known as 'cryptors' are often used by malware authors and utilize various encryption routines to thwart the analysis of malicious binaries as well as obfuscating or modifying their code to evade detection signatures. In this instance, it appears that the solution to Cerberus' problems was not as simple as using a 'cryptor' and was promptly followed by the group ceasing development following 'internal issues'.
In addition to the threat group reportedly disbanding, with existing Ceberus infections being in-operational due to their detection, the malware-as-a-service (MaaS) offering, including all source code, installation guides, and setup scripts along with details of current and prospective customers, was reportedly offered for auction at the end of July 2020 with a starting price of USD 50,000 and a 'buy-it-now' price of USD 100,000.
Appearing somewhat steeply priced, it is likely that a suitably motivated and skilled threat actor could have recouped their outlay within a year, especially given the reported USD 10,000 monthly earnings, although, given that the auction failed to find a buyer, the 'market' didn't agree with this valuation or the viability of Cerberus following its detection by Google Play Protect.
Source Code Release
Following the failed auction attempt, and potentially in an attempt to restore confidence in the group, 'Android' posted a message to the 'XSS[.]is' forum on 5 August 2020 to confirm that they would be fulfilling any financial commitments to existing customers, presumably by refunding them any access payments, and that the source code would be made available to the forum's members (Figure 7).
Figure 7 - Forum post indicating the release of the Cerberus Source Code to members of XSS[.]is
v2 version. Flipper.
Since our team (before that the team) ran this business cleanly, as beautifully as possible, we will finish it beautifully.
For 70% of clients, financial obligations have already been closed. The remaining ones are asked to unsubscribe in a PM or Telegram, do not forget to write your Jabber, the license key and the server IP. This is so that I can be sure that you are the owner of the license. It is also advisable to attach the APK file.
Sources to be torn apart, especially for xss[.]is
Cerberus v1 + Cerberus v2 + install scripts + admin panel + sql db
Seemingly available on various underground forums from around 7 August 2020, a subsequent post by 'Android' on the XSS[.]is forum on 10 August 2020 included a cleaned-up archive (Figure 8).
Figure 8 - Cerberus source code release on XSS[.]is
Guys, and wrap-up.
Cerberus v1 + Cerberus v2 + install scripts + admin panel + sql db
Archive cleared of garbage.
Everything for those who want to start their own business. Full pack.
In the header, I replaced the link to it.
For moderators, please re-upload to other [file sharing services] so that the file will live for a long time.
Analysis of the source code archive indicates that the directories have modification dates of 5 August 2020, confirming the archive creation of the file that aligns with the forum posts, whilst the files, excluding any open-source libraries used, have various modification dates between 31 March 2019 and July 21 2020, again consistent with what is known about Cerberus' recent development.
Note: For reference, sample file hashes for the released Cerberus source code are provided in Appendix A.
Included within the main archive are four main directories:
moduleBot2- Java source code and assets for the Cerberus v2 Android payload including build files for use with the 'Gradle' build automation tool. Based on application icons found within the directory structure, the threat appears to mimic a 'Santander' banking app but it is understood that this would be customizable when using the 'builder' control panel.
restapi_v2- Seemingly allowing interactions between bots and the C2 server/control panel, the REST API directory includes PHP code and provides an insight into the status of a bot including the relatively short period of time elapsed for it to be considered 'dead' (albeit understandable given that most people will keep their mobile phone online at all times):
0- Online (Bot has been visible within the last 2 minutes);
1- Offline (Bot has been visible within the 40hrs but not last 2 minutes);
2- Dead (Bot has not been seen within the last 40hrs);
source_mmm- Java source code and assets for the Cerberus v1 Android payload, again including build files for use with the 'Gradle' build automation tool.
Furthermore, a SQL dump file is included within the archive and provides an insight into the backend database behind the Cerberus control panel. In addition to this database backup detailing the data stored on bots and compromised hosts, base64-encoded 'injects' are included to mimic and steal credentials or payment card data by posing as the following Android applications:
- Connect for Hotmail & Outlook (
- Gmail (
- Imo (
- Instagram (
- mail.com Mail (
- Microsoft Outlook (
- Snapchat (
- Telegram (
- Twitter (
- Uber (
- Viber Messenger (
- WeChat (
- WhatsApp Messenger (
- Yahoo Mail (
- Connect for Hotmail & Outlook (
Whilst the immediate threat from Cerberus has been countered by Google Play Protect, the release of the source code provides other threat actors with the ability to analyse and understand how Cerberus' modular capabilities were implemented, potentially allowing others to extend them or reuse the code in other Android threats.
As is to be expected of a successful Android threat, Cerberus claims to work on devices using Android 5 or later and, have gained 'accessibility' permissions, can automatically permit additional permissions for itself including:
Given these permissions, many capabilities can be identified, such as those that are consistent with a remote access trojan gaining access to, and control over, the device:
- Screenshot and audio recording;
- Keylogging from within applications;
- Access and exfiltrate contacts;
- Device location tracking;
- Application download, execution and removal;
- Device lock;
- Mute all device sound and disable vibrate alerts;
Additionally, specific banking trojan capabilities provide the means to gather credentials and payment card data as well as thwarting additional security measures such as one-time passwords, multi-factor authentication and voice calls:
- Access, send, receive and delete SMS (ideal for capturing one-time passwords);
- Call forwarding (potentially allowing the interception of voice calls);
- Credential and payment card data theft through application injections;
- Local installation and automatic (timed) enable of injections to allow operation with limited network coverage;
- Theft of multi-factor authentication codes from Google Authenticator;
In an attempt to evade security controls and thwart analysis, Cerberus implemented anti-emulator code to ensure that it was only executed on a valid physical device, attempted to disable Google Play Protect, albeit until its detection, and provided a self-destruct mechanism to remove traces of the bot to prevent post-incident analysis.
Finally, command and control (C2) traffic is RC4 encrypted and base64-encoded using a random key. Subsequently, 'call home' communications include useful data about the device which is viewable within the control panel:
- Android operating system version;
- Battery status;
- Device manufacturer/model;
- IP address;
- Network operator;
- Telephone number;
- System locale (Country and language);
- Screen status (Locked or Unlocked);
- Google Play Protect status;
- SMS intercept status;
- Availability of bank, card and email credentials/data;
- Infection date and bot up-time;
- Telephone activity, used to determine if it is an emulator;
Features: hide SMS, lock device, mute sound, keylogger, injection
Cerberus makes use of 'injections' to target legitimate applications, including those related to banking, email, messaging, retail and social media, with pages that mimic the targeted application interface and prompt for credentials and/or payment card details from the victim (Figure 9).
Figure 9 - Example 'injects' mimicking legitimate application interfaces
These HTML-based injects are provided as a single file asset, allowing them to be easily stored within the command and control (C2) database and distributed to victim devices, integrating cascading style sheets (CSS) to ensure the layout is consistent with the targeted application as well as embedding base64-encoded images (Figure 10).
Figure 10 - Example embedded base64-encoded PNG image within the inject HTML file
Once deployed, a victim would be presented with the inject when attempting to access a targeted application and, assuming they fall for the ruse, the data entered is inserted into a JSON data structure ready for exfiltration by Cerberus to the C2 infrastructure.
Seemingly a 'starter kit' was offered by Cerberus with a handful of injections to target Italy, France, Turkey and the United States, whilst additional injections could be purchased (Figure 11).
Figure 11 - Cerberus 'Tweet' indicating the sale of injects
Notably, in addition to base64-encoded injects embedded within the SQL dump file distributed with the Cerberus control panel source code, archives of this recent release distributed on underground forums include over 200 additional inject files potentially including some that would have previously been charged for.
Note: For reference, a full list of the injects distributed with the Cerberus source code are provided in Appendix B.
Given that these inject files mimic many current mobile applications, the release of this large set could allow other malware authors to incorporate them into their own mobile threats as well as being of use to any threat actor that can make use of, or further develop, the Cerberus source code.
Potential Future Developments
As is common with cybercrime threats originating from Russia or countries within the Commonwealth of Independent States (CIS), threat actors will only target victims in other countries as confirmed by a string variable within Cerberus' source code containing a safe list of country codes:
public String strCIS = "[ua][ru][by][tj][uz][tm][az][am][kz][kg][md]";
Since the public release of Cerberus' source code, other seemingly less-patriotic threat actors have removed or modified this restriction and there is now reportedly an increase in victims within Russia and CIS countries.
Aside than this shift in targeting, no other region has been identified as suffering from increased attacks although, with time, other threat actors may seek to leverage their access to the source code and potentially launch attacks in regions where Android devices are prevalent whilst less likely to be protected by current versions of Google Play Protect.
In addition to threat actors taking the Cerberus source code 'as-is' and attempting to launch their own campaigns, especially given that an 'enterprising' user on the XSS[.]is forum is offering an installation service for just USD 300 (Figure 12), others may seek to build upon the existing code or create their own variants to resolve the issues that caused Google Play Protect to detect the threat.
Figure 12 - XSS[.]is forum member offering proof of their Cerberus install service
One such example that has been reported as a variant of Cerberus is a threat dubbed 'Alien' although, both the creators of Alien and Cerberus have denied any link between the two.
Providing any would-be successor with the necessary information to resolve Cerberus' issues, two suggestions are given to counter Google Play Protect's ability to scan application resources (Figure 13).
Figure 13 - Denial of link to 'Alien' and Cerberus 'solution' proposals
Alien is based entirely on Anubis.
Our bot died due to one problem, the play-protection started scanning the resources of the APK file.
Initially, Cerberus was developed as a modular bot, loading malicious code into resources, and at that time Play Protect was unable to scan application resources.
At the moment, our module has signatures, and bots "die" when it is loaded. The solution is to remove the module from the code and encrypt the entire APK, but then the size of the APK will be very large.
Solution number two: encrypt the module.
Why didn't we do it?
We had one module for all clients, and since the team was crumbling, it was not possible to find new programmers who would make their own module for each client individually.
As a result, our clients could not encrypt the module for themselves. We encrypted the module 5 times, and each crypt fell the next day according to the signatures, and in the end our hands dropped, since this is not a solution to the problem.
Whilst it is likely only a matter of time before a suitably skilled nefarious developer resolves the issues with Cerberus, the release of the source code will undoubtedly assist the Google Play Protect team in creating countermeasures. That being said, organizations should still encourage users to, and individuals should, be cautious whenever prompted to install Android packages (APK) from unverified sources, be that a browser pop-up, an email or from a third-party app marketplace.
Appendix A - Samples
The following SHA-256 file hashes relate to the leaked files, as observed on multiple underground forums, and may prove beneficial to security professionals wishing to perform their own analysis of the threat:
- Initial source code release
- 'Cleaned-up' source code release
- Injections collection
- Bundle containing the above, released on 'Alphazine[.]ru'
Given the current status of Cerberus, indicators of compromise (IOC) related to past Cerberus threats are somewhat redundant although the command and control (C2) Tor hidden service still appears to be accessible via
cerberesfgqzqou7.onion (Figure 14).
Figure 14 - Cerberus control panel Tor hidden service
Additionally, the following HTTP command and control (C2) communication strings were observed within the source code and may appear in derivative works:
action=timeInject&data=;public String str_http_19 = "action=sendKeylogger&data="; public String str_http_20 = "action=getModule&data="; public String str_http_21 = "action=checkAP&data=";
Appendix B - Injections
Injection files have been provided alongside the Cerberus source code and target the following legitimate Android applications:
- ABANCA Empresas
- ABANCA Banca Móvil
- ABN AMRO Mobiel Bankieren
- Amazon Shopping
- ASB Mobile Banking
- Banca Digital Liberbank
- Banca Móvil Laboral Kutxa
- Banca MPS
- Banca Transilvania
- Banco Caixa Geral España
- Banco Itaú Empresas
- Banco Sabadell
- Bank Austria MobileBanking
- Bank Hapoalim (בנק הפועלים)
- Bank Millennium
- Bank Millennium for Companies
- Bank of America Mobile Banking
- Bank of Melbourne Mobile Banking
- Bankinter Móvil
- BankSA Mobile Banking
- Banque Populaire
- Banque pour tablettes Android
- Barclays Kenya
- BBVA Net Cash
- BBVA Spain
- BEA (東東亞亞銀銀行行)
- Bendigo Bank
- BHIM UPI, Money Transfer, Recharge & Bill Payment
- Bi en Línea
- Bill Payment & Recharge,Wallet
- Bitcoin Wallet Coincheck
- Blockchain Wallet
- BMO Mobile Banking
- BNP Paribas GOMobile
- BOQ Mobile
- Boursorama Banque
- BPI APP
- BPS Mobilnie
- BusinessPro Lite
- CA24 Mobile
- Capital One® Mobile
- Carige Mobile
- Carrefour Finance
- Chase Mobile
- CIBC Mobile Banking
- Citi Handlowy
- CMSO my bank
- Coinbase Wallet — Crypto Wallet & DApp Browser
- comdirect mobile App
- Commerzbank Banking
- Connect for Hotmail & Outlook
- Crédit du Nord pour Mobile
- Crédit Mutuel
- Crédit Mutuel de Bretagne
- ČSOB Smartbanking
- CUA Mobile Banking
- DB Pay
- Deutsche Bank Mobile
- Discount Bank
- Discover Mobile
- Empik Foto
- Enpara.com Cep Şubesi
- eurobank mobile 2.0
- EVO Banco móvil
- Fifth Third Mobile Banking
- Fortuneo, mes comptes banque & bourse en ligne
- Garanti BBVA Mobile
- Getin Mobile
- GMO Wallet
- Grupo Cajamar
- Halifax Mobile Banking
- Halkbank Mobil
- HSBC Mobile Banking
- HVB Mobile Banking
- iBiznes24 mobile
- IDBI Bank GO Mobile+
- Idea Bank PL
- imo free video calls and chat
- iMobile by ICICI Bank
- ING Banking to go
- ING Business
- ING España
- ING Italia
- Intesa Sanpaolo Mobile
- Intesa Sanpaolo Mobile
- iPKO biznes
- Kraken Pro
- Kuveyt Türk
- L'Appli Société Générale
- La Mia Banca
- La Poste
- Leumi (לאומי)
- Liquid by Quoine
- Lloyds Bank Mobile Banking
- Ma Banque
- mail.com mail
- mBank PL
- Mes Comptes
- Mes Comptes BNP Paribas
- Mi Banco db
- Mi Banco Mobile
- Microsoft Outlook
- Mizrahi Bank (מזרחי טפחות)
- Mobile Banking UniCredit
- Mobile BiznesPl@net
- Mobilni Banka
- Mobilny Portfel
- Mój Orange
- Moje ING mobile
- N26 Mobile Banking
- NAB Mobile Banking
- NBapp Spain
- Nest Bank nowy
- norisbank App
- Oney France
- PayPal Mobile Cash
- People's Choice Credit Union
- Pocket Bank
- Postbank Finanzassistent
- QNB Finansbank Mobile Banking
- Raiffeisen ELBA
- Raiffeisen Smart Mobile
- Rakuten Bank (楽楽天天銀銀行行)
- RBC Mobile
- Rossmann PL
- Santander Banking
- Santander Empresas
- Santander mobile
- SecureApp netbank
- ŞEKER MOBİL ŞUBE
- Smart Mobile Banking
- Sparkasse Ihre mobile Filiale
- St.George Mobile Banking
- Sumishin SBI Net Bank (住住信信SBIネネッットト銀銀行行)
- Suncorp Bank
- SunTrust Mobile App
- TARGOBANK Mobile Banking
- The International Bank (הבנק הבינלאומי )
- Touch 24 Banking BCR
- Triodos Bank
- U.S. Bank
- UBI Banca
- Union Bank (בנק אגוד)
- Union Bank Mobile Banking
- USAA Mobile
- Usługi Bankowe
- VakıfBank Mobil Bankacılık
- Viber Messenger
- Volksbank house banking
- VR Banking Classic
- Wells Fargo Mobile
- Western Union ES
- WhatsApp Messenger
- Yahav Bank (בנק יהב)
- Yahoo Mail
- Yapı Kredi Mobile
- Yono Lite SBI
- Ziraat Mobile