Cereberus Banking Trojan Targeted Spanish Android UsersResearchers: App Initially Acts Benign to Avoid Detection
A fake currency converter app in the official Google Play store, which has been downloaded more than 10,000 times since March, hid a banking Trojan and information stealer called Cerberus, according to Avast Mobile Threat Labs.
The fake app, called "'Calculadora de Moneda," appears to have targeted only Android users in Spain, Avast says. Researchers determined this app managed to bypass security features embedded in the Google Play store that are designed to keep out malware.
"This banking Trojan managed to sneak onto the Google Play Store. The 'genuine' app, in this case, posed as a Spanish currency converter called 'Calculadora de Moneda,'" says Ondrej David, malware analysis team leader at Avast.
On Monday, after the researchers had begun investigating the suspicious Calculadora de Moneda app, the command-and-control server associated with the malware appeared to have stopped operating, the report notes.
Avast reached out to Google to inform the company about the fake app. A Google spokesperson could not be immediately reached for comment, but and a scan of the Play Store could not locate the Calculadora de Moneda converter.
And while the Avast report noted that the app had been downloaded more than 10,000 times since March, the researchers did not note if the banking Trojan stole any credentials or data.
Over the last several months, researchers have noted an uptick in the number of banking Trojans targeting users. Analysts have found malware such as IcedID and Qbot being revamped or more widely used by malicious actors (see: Revamped IcedID Banking Trojan Campaign Uses COVID-19 Lure and Researchers: Qbot Banking Trojan Making a Comeback).
The currency converter app that Avast discovered was designed to avoid detection by both the user and Google Play Store's security tools. When an Android user first downloaded the app, it did not immediately perform any malicious activity that would raise suspicion. Instead, it simply acted as a money converter, according to the Avast report. The researchers found that this was part of an obfuscation technique and the money converter actually acted as a dropper.
After a few weeks, the app contacted a command-and-control server operated by the fraudsters and downloaded a malicious Android application package called "Banker" onto infected devices, according to the researchers' report.
Even when the Banker malware was downloaded, the Calculadora de Moneda app functioned as normal without any additional malicious activity, the researchers note.
"Later versions of the currency converter included a 'dropper code' but it still wasn't activated initially, i.e. the command-and-control server instructing the app wasn't issuing any commands and so users wouldn't see and download the malware," the report notes.
Ready to Run
After a few more weeks, the app contacted the command-and-control server for a second time. At this point, the actual Trojan - Cerberus - was downloaded to the device, and it then attempted to steal banking data and credentials from the victim, according to the report.
Once fully installed, Cerberus "sat" over the victim's legitimate banking app waiting for the user to log into their account. The malware created a layover across the login screen of the victim's banking app, which could then steal credentials and other data, according to the report.
In addition to stealing credentials, Cerberus could intercept and read text messages on an infected Android device, which allowed it to bypass two-factor authentication security.
The Avast researchers note that most of the Cerberus Trojans started downloading to infected devices around July 1. By Monday, however, the command-and-control server stopped functioning and the attacks appear to have stopped.
"Although this was just a short period, it's a tactic fraudsters frequently use to hide from protection and detection, i.e. limiting the time window where the malicious activity can be discovered," David noted in the report.
Malware and Google Play
While the security features within the Google Play store are supposed to scan and block apps that contain malware such as Cerberus, researchers have noted that fraudsters have been getting better at designing fake apps that avoid detection.
In April, for example, Kaspersky published a report that found a sophisticated spyware campaign has been targeting Android users through Trojan-laced apps in the Google Play Store that are disguised as various plugins, browser cleaners and application updaters (see: Spyware Campaign Leverages Apps in Google Play Store).