{
	"id": "fcd6ed2d-f485-42f0-9fdf-b53f0ddd62ea",
	"created_at": "2026-04-06T00:13:08.498959Z",
	"updated_at": "2026-04-10T13:12:28.559255Z",
	"deleted_at": null,
	"sha1_hash": "07af657d99a1c411891c17e4fe0e243e2c250cc7",
	"title": "Upgraded Cerberus Spyware Spreads Rapidly via MDM",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71745,
	"plain_text": "Upgraded Cerberus Spyware Spreads Rapidly via MDM\r\nBy Tara Seals\r\nPublished: 2020-05-01 · Archived: 2026-04-05 20:54:53 UTC\r\nNo longer a simple Android banker, Cerberus is now a full-fledged RAT that can take complete control of devices\r\nand automatically spread via mobile device management servers.\r\nA newly discovered variant of the Cerberus Android trojan has been spotted, with vastly expanded and more\r\nsophisticated info-harvesting capabilities, and the ability to run TeamViewer.\r\nIt was spotted by researchers being used in a targeted campaign on a multinational conglomerate. Unusually, the\r\nsample propagated through the employee pool via the infected company’s mobile device management (MDM)\r\nserver.\r\nCerberus first emerged last August on underground forums, offered in a malware-as-a-service (MaaS) rental\r\nmodel. At the time it was presented as a standard banking trojan that set itself apart mainly in the way it\r\ndetermines whether it’s running in a sandbox environment: It uses the device’s accelerometer sensor to implement\r\na step-counter. It activates the malware’s functions once it hits a preconfigured threshold.\r\nAt the time, researchers at ThreatFabric said that Cerberus was clearly still in active development, with a limited\r\nset of features. However, Check Point analysts earlier this year discovered a freshened-up sample, showing that\r\nCerberus has moved far beyond those initial, simple banking trojan capabilities to become a full-fledged spyware.\r\nTo wit: The latest sample can steal a whole raft of users’ information, such as call logs, SMS, credentials and\r\ninstalled applications. And perhaps most damagingly, cyberattackers can gain complete remote control of the\r\ndevice by running the TeamViewer remote access application.\r\n“This new variant is equipped with more than the average banker – it has mobile remote access trojan (MRAT)\r\ncapabilities,” according to Check Point’s writeup this week. 
“These capabilities include logging all keystrokes on\r\nthe device (credentials included), stealing Google Authenticator data and any SMS received (two-factor\r\nauthentication included), and commanding the device remotely via TeamViewer.”\r\nCerberus: Full-On Spyware\r\nWhen the researchers took a look under the hood of the new variant, they noticed that the malware, when first\r\ninstalled, first shows a window that purports to be an update for the phone’s Accessibility service. If dismissed, the\r\nwindow keeps popping up until the user accepts the update.\r\nhttps://threatpost.com/cerberus-trojan-major-spyware-targeted-attack/155415/\r\nPage 1 of 3\n\nOnce the user accepts, the malware then uses the Accessibility service to automatically click on menu options and\r\nbypass user interaction. For instance, the application registers a receiver for SMS, and uses that status to collect\r\nincoming SMS messages and send them to the command-and-control (C2) server. It also collects device\r\nfingerprinting information and a raft of other potentially sensitive data.\r\n“The main module can use the Accessibility service to steal Google authenticator credentials, Gmail passwords\r\nand phone unlocking patterns,” according to the writeup. “This module can send the C2 a list of files and installed\r\napplications, and can even upload a specific file upon request from the C2 server. In addition, all the user’s\r\nkeystrokes are logged and sent to the server, showing the actor all activities being performed on the device. The\r\nmalware waits for the Google Authenticator application to be accessed, at which point all available information is\r\nread and stored to be sent to the C2.”\r\nIt also runs the TeamViewer application while keeping the device unlocked. When running TeamViewer on\r\nSamsung devices, the malware utilizes Samsung KNOX to automatically grant permissions. 
The module also\r\nblocks attempts to uninstall TeamViewer and prevents the user from using it themselves, so as not to interfere with\r\nthe attacker’s actions on the device.\r\nOne of the other functions of the main application is to receive a DEX file from the C2, which is an additional\r\npayload module.\r\n“The application receives a list of commands to perform – which are configurable by the actor,” according to the\r\nCheck Point analysis. “Once the appropriate command is received, the malware downloads an encoded DEX file,\r\nand saves it on the device’s external storage as ‘ring0.apk.'”\r\nThis module is responsible for additional nefarious activities beyond data exfiltration.\r\n“The ring0.apk module can collect all contacts, SMS and installed applications and send it to the C2,” according\r\nto Check Point. “This module also can perform phone-related actions such as sending specific SMS messages,\r\nmaking calls and sending Unstructured Supplementary Service Data (USSD) requests. In addition, this module\r\ncan show notifications, install or uninstall applications and open popup activities with URLs.”\r\nUSSD, sometimes referred to as “quick codes” or “feature codes,” is a communications protocol responsible for\r\ncommunication between phones and a wireless carrier’s infrastructure.\r\nThe ring0.apk module is also responsible for cleanup, and can remove itself both from the device’s administrators\r\nlist, and from the device itself. It also grants itself permissions and can fetch updated payload modules.\r\nMDM Expands Corporate Damage\r\nCheck Point became aware of Cerberus’ upgrade after it infiltrated a multinational conglomerate. It quickly went\r\non to infect more than 75 percent of the company’s devices, prompting the company to do a factory reset for all of\r\nits mobile devices.\r\n“We know that every credential used from an unprotected device was reported to the C2 server,” according to the\r\nreport. 
“We also know that every SMS message was intercepted. This makes it possible for us to speculate\r\nregarding the potential damage for the affected company.”\r\nTwo malicious applications harboring the same Cerberus sample were found to be installed on a large number of\r\nthe customer’s devices. The apps had been installed “in a very short window of time,” suggesting automation.\r\nThat led the forensics team to discover that the customer’s MDM had been breached.\r\n“This is the first time we have a reported incident of mobile malware distribution that uses the MDM server as an\r\nattack vector,” according to Check Point. “MDM’s most prominent feature, arguably the reason for its existence, is\r\nalso its Achilles’ heel – a single, central control for the entire mobile network. If that platform is breached, so is\r\nthe entire mobile network.”\r\nThe attack, given how it unfolded, appeared to be a targeted attack against the company. In terms of attribution,\r\nCheck Point was able to determine that the C2 listens on port 8888, and there is no hostname, just a Russian IP\r\naddress.\r\nWhile all communications with the C2 could have been blocked, to err on the side of caution, the company went\r\nforward with a factory reset on all devices.\r\n“If one unprotected device was used by an administrator who then tried to access corporate resources with his\r\ncredentials, those credentials, along with any 2FA SMS codes, are compromised,” said the researchers. “This type\r\nof response is extremely costly, both in conducting the damage assessment and re-establishing the entire mobile\r\nnetwork after the factory reset.”\r\nSource: https://threatpost.com/cerberus-trojan-major-spyware-targeted-attack/155415/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/cerberus-trojan-major-spyware-targeted-attack/155415/"
	],
	"report_names": [
		"155415"
	],
	"threat_actors": [
		{
			"id": "f276b8a6-73c9-494a-8ab2-13e2f1da4c53",
			"created_at": "2022-10-25T16:07:24.441133Z",
			"updated_at": "2026-04-10T02:00:04.993411Z",
			"deleted_at": null,
			"main_name": "Achilles",
			"aliases": [],
			"source_name": "ETDA:Achilles",
			"tools": [
				"RDP",
				"Remote Desktop Protocol"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434388,
	"ts_updated_at": 1775826748,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/07af657d99a1c411891c17e4fe0e243e2c250cc7.pdf",
		"text": "https://archive.orkl.eu/07af657d99a1c411891c17e4fe0e243e2c250cc7.txt",
		"img": "https://archive.orkl.eu/07af657d99a1c411891c17e4fe0e243e2c250cc7.jpg"
	}
}