The ‘Cerberus Trojan’ : Way to ‘ Paatal lok’

On one side the entire world is going through tough time of Coronavirus (COVID-19) and on the other side hackers/fraudsters are using malicious Trojan virus ‘Cerberus’ to steal the users’ financial data such as credit card details & Banking account details.

With the rise of cyber threats from Cerberus, the CBI has put out an alert on malware that could steal your financial information.

What is Cerberus?

Cerberus, in Greek mythology, a multi-headed monster said to be the watchdog of the underworld. Here, this banking Trojan (a Trojan is a malicious code or software that looks legitimate) was created in 2019 and is a malware for hire for banking forums. It allows remote attackers to take control over infected android devices and can take screenshots, send, delete SMSes, and most importantly, steal your account information.

This malicious software takes advantage of COVID-19 pandemic to impersonate and lure the victim by sending SMS containing COVID-19 related content to download the embedded malicious link and deploys its malicious app, which usually spread via phishing campaigns to trick users into installing it on their smartphones.

This Trojan primarily focuses on stealing financial data such as credit card details, bank accounts information, passwords etc. The stolen data could be used to make unauthorized transactions from the compromised credit card/ Bank accounts.

Understanding a banking Trojan?

A banking Trojan is a malware that disguises itself as a credible app or software that users can download and install. Once in the system, it positions itself to access your banking details by disguising itself as an app that requires permission to be used.

It is a type of malicious code or software that looks genuine but with the capability of taking control of one’s computer. A Trojan is designed to damage, disrupt, steal, or inflict harmful action on data or network.

How it affects our phone and steals financial data?

The Trojan virus contacts smartphone users via text messages and asks to click on a link saying it will provide COVID-19 updates. Once clicked, the link installs a malicious application on their phones.

Upon reaching the target device, the malware hides and asks the user an accessibility service privilege. Once granted, the malware then automatically gains access to other features without user interaction. It then disables Google’s Play Protect to avoid detection in the future and registers the victim device. 

Once the device becomes infected with Cerberus trojan, the malware is embedded in the applications without showing the icon. It often takes the form of commonly used applications that we need to switch on often, like the Flash Player Service, to gain accessibility permission. After permission is granted, it will allow the hacker to gain control over the device remotely.

To steal users’ credit card numbers, banking credentials and passwords for online accounts, Cerberus launch ‘screen overlay attacks.’ This means that the hacker will be able to capture the data the user enters into an app that you are entering by casting a transparent overlay. E.g. Cerberus can display an overlay on top of an actual mobile banking app and can trick the users into entering their banking credentials into the fake login screen.

 

Specific feature of the Cerberus Trojan which makes it dangerous than other Banking Trojan Malware

Although there are no new features in the theft of banking credentials, what has been introduced in Cerberus is a specific injection to steal the device unlock pattern configured by the device user.

The Cerberus malware was discovered last year in June 2019 as an Android banking Trojan. However, its features were recently upgraded with RAT (Remote Access Trojan) abilities, which increase its threat level significantly.

It has been restructured and enhanced with the ability to steal multi-factor authentication (2FA) tokens from the Google Authenticator application. To do this, it simply makes use of the accessibility service, and through it reads the contents of the interface and sends the codes to the control server. Google Authenticator app was launched in 2010 as the more secure alternative for SMS Authentication codes. The app works by providing six to eight-digits unique codes that user must enter in login pages to access accounts.

Apart from being able to tamper the authenticator application, the Cerberus can also steal device screen-lock credentials – PIN codes and swipe patterns alike, allowing the hackers to unlock the device remotely to perform fraud when the victim is not using the device.

What makes Cerberus specifically a dangerous Trojan is that it has specified attacks for 30 unique targets and banking apps, and it can keep making unique targets for its attacks. The list includes 15 banking apps; 7 French, 1 Japanese, and 7 US apps, and 15 non-banking apps including Gmail, Twitter, Snapchat, WhatsApp, Telegram, Instagram, Viber, Yahoo Mail, Microsoft Outlook, and Uber.

Few common features of the Trojan Malware:

• taking screenshots
• recording audio
• recording keylogs
• sending, receiving, and deleting SMSes,
• stealing contact lists
• forwarding calls
• collecting device information
• Tracking device location
• stealing account credentials,
• disabling Play Protect
• downloading additional apps and payloads
• removing apps from the infected device
• pushing notifications
• locking device’s screen

Tips to be safe from this dangerous Trojan:

• Never click on email/ SMS attachments or links that come from an unknown sender, i.e. Click with caution. Only click on links from trusted sources. If you receive an email or text message from an unknown sender asking you to click on a suspicious link, stay cautious and avoid interacting with the message altogether
• Update your passwords regularly and make sure they are strong. -Install anti-malware software on your phone
• Be careful what you download. Cerberus malware uses social engineering strategy to make its way onto a victim’s device. Therefore, think twice before you download anything or even plug into your device.
• Use comprehensive security. Whether you’re using a mobile banking app on your phone or browsing the internet on your desktop, it’s important to safeguard all of your devices with an extra layer of security. Use robust security software like McAfee Total Protectionetc so you can connect with confidence.
• Back up all the important files and store them independently on a different system
• Disable all third-party applications installed in your phone, which could be vulnerable entry points.
• Report phishing links to cybercrime.gov.in.
• Banking sector are issuing related advisory to their customers against the Cerberus Trojan Malware.
• State Bank of India has also issued an advisory for its customers against the Cerberus Trojan quoting ‘Beware of fake SMSs claiming to provide big offers or information on current pandemic via unknown links or downloading apps from unknown sources, as they are meant to cheat you’.