{
	"id": "77fb3deb-ecb0-4205-b0a9-11d247a78c06",
	"created_at": "2026-04-06T00:09:49.259829Z",
	"updated_at": "2026-04-10T03:20:19.493223Z",
	"deleted_at": null,
	"sha1_hash": "2473507e29c3bf9efbbbf099744e93e8bb212974",
	"title": "Cerberus RAT: Android malware’s dark legacy in 2025",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 317261,
	"plain_text": "Cerberus RAT: Android malware’s dark legacy in 2025\r\nBy Norman G.\r\nPublished: 2025-06-27 · Archived: 2026-04-05 20:56:15 UTC\r\nIn 2020, Cerberus RAT made headlines as one of the most sophisticated Android banking trojans ever seen. In\r\n2025, its shadow still looms.\r\nOriginally distributed as a Malware-as-a-Service (MaaS), Cerberus could steal banking credentials, hijack two-factor authentication, and give attackers full remote control over Android devices—all while evading detection. It\r\ndidn’t just compromise personal devices; it redefined mobile threat tactics for years to come.\r\nWhile Cerberus itself is no longer active, its leaked source code gave rise to a new generation of Android malware\r\n—Alien, Hook, Octo, and other Cerberus-class threats—that continue to target users today with even more\r\nadvanced capabilities. Many of these threats are based on the original Cerberus code, which has been retooled by\r\ncybercriminals to create new banking trojans such as Alien, ERMAC, and Phoenix, highlighting the ongoing risks\r\nposed to Android users by these evolving malware variants.\r\nThese remote access trojans (RATs) exploit Android’s accessibility features, mimic legitimate apps, and silently\r\ndrain credentials, messages, and control from infected devices.\r\nThis article explores the evolution of Cerberus, its impact on today’s threat landscape, and what IT and security\r\nteams must do in 2025 to protect their organizations from mobile malware built on its legacy.\r\nTL;DR: What You Need to Know About Cerberus RAT in 2025\r\nCerberus was a powerful Android banking trojan active in 2019–2020.\r\nIt gave attackers full remote access, 2FA bypass, keylogging, and phishing via overlays.\r\nAfter its source code leaked, malware like Alien, Hook, and Octo emerged using its code.\r\nThese Cerberus-based threats are still active in 2025, targeting finance, crypto, and sensitive user data.\r\nIT teams must act: deploy mobile threat 
defense (MTD), restrict Accessibility Services, and train users.\r\nCerberus may be gone—but its legacy still endangers Android devices worldwide.\r\nWhat is Cerberus RAT?\r\nCerberus is an Android remote access trojan (RAT). First observed in mid-2019, it was designed to give attackers full control over infected Android devices while stealing sensitive data through a combination of keylogging, screen streaming, and overlay attacks.\r\nAt its core, Cerberus is also a banking trojan, built to intercept login credentials, hijack SMS-based two-factor authentication (2FA), and extract financial data from banking and cryptocurrency apps. Its payload watches for the login screens of targeted banking, payment and crypto apps and exfiltrates whatever the victim types into the fake screens it draws over them.\r\nhttps://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/\r\nPage 1 of 9\r\nIt abuses Android’s Accessibility Services to click through permission prompts on its own behalf, to read and inject UI content, and to block its own removal.\r\nUnlike desktop RATs that ride on tools such as VNC or TeamViewer, Cerberus was built specifically for Android, with features tailored to the platform’s architecture. It could even install TeamViewer on a victim’s phone, use Accessibility Services to click through the setup, and hand its operator a live remote session without the victim doing anything further.\r\nAlthough the original Cerberus operation shut down in 2020, its leaked source code continues to fuel modern Android strains such as Alien, ERMAC and Hook, and its techniques live on in families such as Octo, making its threat legacy very much alive in 2025.\r\nThe rise of Android banking malware\r\nAs mobile banking adoption skyrocketed over the past decade, so did the interest of cybercriminals in targeting smartphones, especially those running Android. With millions of users relying on mobile apps to manage finances, pay bills, and access digital wallets, Android banking malware has become one of the fastest-growing threats in the cybersecurity landscape.\r\nAndroid’s popularity, combined with its open ecosystem and widespread use of third-party app stores, has made it the #1 target for mobile-focused attacks. Threat actors take advantage of the platform’s flexibility to distribute malicious APKs, to disguise trojans as legitimate apps whose icons and screens are hard to tell from the real thing, and to abuse Android’s Accessibility Services for deeper device control.\r\nNotable banking trojans such as Anubis, Hydra, Ginp, and Gustuff have dominated mobile threat reports for years. These families steal login credentials, intercept SMS codes, and initiate unauthorized transactions. Among them, Cerberus stood out for its remote access capabilities, its stealthy persistence, and for laying the groundwork for even more dangerous successors like Alien and Hook.\r\nAs the mobile threat landscape evolves, banking trojans have become more modular, evasive, and commercialized, posing a growing risk to both individual users and corporate mobile fleets.\r\nCerberus RAT: core capabilities and infection strategy\r\nCerberus is not your average Android malware. As an advanced Android RAT, it was designed with powerful surveillance and credential theft features, turning infected smartphones into fully controllable tools for cybercriminals.\r\nOnce installed, Cerberus asks the victim to enable a single Accessibility Service, usually under some pretext. With that one grant it can read everything on screen, inject taps and text, and approve the remaining permission dialogs on the user’s behalf, while changing device settings to keep itself running. This opens the door to a wide range of malicious capabilities:\r\nCore capabilities of Cerberus RAT\r\nKeylogging: records what the user types, including passwords, personal data, and messages, by listening to Accessibility events rather than by installing a custom keyboard.\r\nSMS forwarding and interception: hijacks SMS messages, including one-time passwords (OTPs), enabling bypass of SMS-based 2FA.\r\nGoogle Authenticator code theft: reads the time-based codes shown in the authenticator’s UI through Accessibility Services while the app is in the foreground.\r\nScreen capture: captures the display through the MediaProjection API and streams images or video to the operator, giving a VNC-style live view that, combined with injected input, amounts to remote control of the device.\r\nTeamViewer injection: installs and configures TeamViewer and opens a session for the operator, with no prompt the victim would recognize as such.\r\nOverlay attacks: uses Accessibility events to detect when a targeted banking, crypto or email app comes to the foreground, then draws a fake login screen (overlay) on top of it; credentials and card details typed into the overlay go straight to the C2.\r\nAccessibility Services abuse: grants itself additional permissions, switches Google Play Protect off in Settings, and closes the uninstall or app-info screen whenever the user opens it.\r\nDevice persistence and evasion: hides its launcher icon, deletes traces, disables security tools, and stays quiet in analysis environments. Its best-known trick is to read the device’s step counter and withhold the payload until the accelerometer shows the phone actually being carried, which emulators and static sandboxes never do.\r\nThis combination of features allows Cerberus to remain hidden, maintain control, and extract valuable data over time without triggering suspicion from users or common mobile security tools.\r\nCerberus in the Play Store: The Calculadora de Moneda Case\r\nEven the official Google Play Store, considered a trusted source for Android apps, hasn’t been immune to Cerberus. One of the most revealing incidents, documented by Avast researchers in 2020, involved a seemingly harmless app named “Calculadora de Moneda” (Currency Calculator), which passed Google Play Protect and infected users in Spain.\r\nThe app was a dropper: the APK listed on Play contained the converter and a small loader, while the Cerberus components arrived later from the attackers’ command-and-control (C2) infrastructure. This multi-stage approach is designed to pass store review, evade scanning, and still deliver the full trojan to the device.\r\nHow it happened\r\nInitially, the app behaved exactly like a legitimate currency converter, and the version submitted for review contained no malicious functionality. A later update added a dropper that stayed dormant until it received instructions from the C2 server.\r\nOnce activated, the app triggered a staged malware drop:\r\n1. It connected silently to the C2 server.\r\n2. The server instructed the app to download a second, malicious APK.\r\n3. That APK contained the full Cerberus RAT, which installed itself and asked the user to enable its Accessibility Service.\r\nBeyond installing the app and approving that one prompt, the user did nothing unusual, and Play Protect did not flag the dropper at the time.\r\nWhy this matters\r\nHibernation and delayed execution are increasingly common tactics in Android malware. They help malicious apps fly under the radar during initial security scans.\r\nStaged delivery allows attackers to submit only clean code for review, then ship the malicious code later, once the app is already published.\r\nThe incident shows how threat actors exploit trust in official app stores to distribute remote access trojans to unsuspecting users.\r\nThis case is a sobering reminder that Android malware can still reach users via trusted sources, and why even \"safe-looking\" apps must be approached with caution.\r\nThe source code leak that changed everything\r\nCerberus wasn’t just dangerous because of its features; it became a cybersecurity nightmare the moment its source code was leaked into the wild.\r\nThe leak let threat actors build new banking trojans directly on the Cerberus codebase. Alien, ERMAC, and Phoenix are all derived from it rather than written from scratch, which is why detection logic written for one often carries over to the others.\r\nCollapse of the Original Cerberus Operation\r\nBy mid-2020, cracks were showing in Cerberus’ development team. Internal disputes and stagnating sales of their malware-as-a-service (MaaS) platform led the developers to shut down the operation and auction the entire Cerberus toolkit, including the malware code, admin panel, command-and-control server, and client interface.\r\nDespite the offer being packed with powerful tools and an existing user base, the auction failed to attract serious buyers. Cybercriminals were hesitant to pay thousands of dollars for a project that appeared to be reaching its end of life.\r\nSource code hits the underground\r\nWhat happened next changed the Android malware landscape.\r\nFrustrated by the failed sale, the Cerberus operators leaked the full source code for free on underground forums. This included:\r\nThe Android trojan’s APK code\r\nBackend control infrastructure\r\nDocumentation and configuration files\r\nMalware modules for keylogging, overlay attacks, SMS forwarding, and more\r\nThis leak opened the gates to a flood of clones and derivatives, many developed by less skilled but highly motivated actors.\r\nThe aftermath: A malware mutation wave\r\nWith the code now public:\r\nNew variants like Alien emerged, borrowing heavily from Cerberus’ framework.\r\nJunior threat actors with minimal experience began spinning up their own malware operations, using Cerberus as a plug-and-play kit.\r\nSecurity teams worldwide saw a spike in Cerberus-like activity, complicating detection and remediation efforts.\r\nAntivirus evasion improved, as cloned versions mutated the codebase just enough to bypass signature-based detection.\r\nWhat began as a single MaaS threat had become an open-source foundation for Android financial malware.\r\nKey takeaway: The Cerberus source code leak democratized access to advanced mobile RAT techniques, ushering in a new wave of Android threats that remain active today.\r\nThe Evolution of Cerberus RAT: Timeline from 2019 to 2025\r\n2019 – The Birth of Cerberus RAT\r\nCerberus is first identified as a banking trojan and Remote Access Trojan (RAT) for Android. Sold as Malware-as-a-Service (MaaS), it offers credential theft, screen recording, 2FA interception, and full remote control capabilities.\r\n2020 – Expansion into Google Play\r\nTrojanized apps using Cerberus code are discovered in the Google Play Store, the Calculadora de Moneda dropper among them. Attackers deploy multi-stage payloads to bypass Play Protect, activating malicious features post-installation.\r\nMid-2020 – Cerberus Auctioned, then Leaked\r\nFollowing internal developer disputes and a failed auction, Cerberus’s full source code leaks on hacker forums. The release includes its builder, admin panel, and C2 logic, enabling widespread cloning and modification.\r\nSources: BleepingComputer, BankInfoSecurity\r\nLate 2020 – The Rise of Alien Trojan\r\nAlien is documented as a direct fork of Cerberus, with added capabilities like remote shell execution and improved obfuscation. It becomes more prevalent in LATAM and Europe.\r\n2021 – Proliferation of Cerberus Variants\r\nLeaked code spawns hybrid trojans combining Cerberus with other malware like Anubis. These clones target crypto apps and QR scanners using accessibility abuse and 2FA interception.\r\n2022 – Integration into Custom RAT Kits\r\nCerberus modules are sold via Telegram and dark web markets as part of modular Android malware kits. These kits are used in attacks on fintech and retail apps.\r\n2023 – Hook and Octo\r\nHook appears as an evolution of the Cerberus-derived ERMAC, with real-time screen streaming, file theft, and enhanced overlay attacks. Octo, active since 2022 and descended from a different codebase, fields the same overlay and remote-control playbook.\r\n2024 – Detection Improves, Legacy Lives On\r\nMobile security tools improve at detecting Cerberus-based behavior through sandboxing and behavioral analysis. Cerberus remains foundational in training AI malware detection models.\r\n2025 – Cerberus-Class Threats Still Circulating\r\nMalware like Teabot, Xenomorph, and BrasDex still reuse Cerberus techniques such as overlay injection and screen capture. Its legacy continues in new variants across Android’s threat landscape.\r\nSources: MITRE ATT\u0026CK, Cyware, WeLiveSecurity, Digital Shadows, CERT-EU\r\nFrom Cerberus to Alien and beyond: how Alien became Cerberus’s successor\r\nAlien is a direct fork of Cerberus, and Hook descends from ERMAC, which was itself built on the leaked Cerberus code. The table compares the three families.\r\nFeature | Cerberus | Alien | Hook\r\nRemote Access (RAT) | Yes | Yes | Yes (enhanced)\r\nKeylogging | Yes | Yes | Yes\r\nOverlay Attacks | Yes | Yes (226 targeted apps) | Yes\r\nGoogle Authenticator Theft | Yes | Yes | Yes\r\nTeamViewer Injection | Yes | Yes | No\r\n2FA Bypass | Yes (SMS and OTP) | Yes (OTP) | Yes (OTP interception)\r\nPlay Protect Evasion | Yes (via staged payloads) | Yes | Yes (root detection bypass)\r\nApp List and File Access | Yes | Yes | Yes\r\nDistribution Method | MaaS / Google Play | Dark web forums | Telegram and dark web\r\nActive Development | No (source leaked) | No (Cerberus fork) | Yes\r\nWhat Cerberus means for IT teams in 2025\r\nThe Cerberus RAT may have faded from the malware spotlight, but its tactics are far from gone. In fact, they’ve become the foundation for today’s most dangerous Android malware variants.\r\nModern mobile threats build on the core techniques Cerberus pioneered, making it a blueprint for a new era of Android banking trojans and RATs. For IT and security teams, this means that mobile devices remain one of the most exploitable endpoints in the enterprise attack surface. Cerberus-based malware continues to enable financial fraud and raises the risk of data breach for organizations and individuals, with significant financial and reputational consequences.\r\nCurrent threat trends influenced by Cerberus:\r\nModular Android RAT kits that let attackers customize payloads on demand\r\nBanking trojan-as-a-service (BTaaS) business models on the dark web\r\nAbuse of mobile accessibility services for screen hijacking and data theft\r\nRemote control malware capable of defeating MFA and security apps\r\nBypassing traditional endpoint protection tools, even on fully patched devices\r\nBecause of its 2020 source code leak, Cerberus remains relevant, especially as threat actors continue to fork and evolve its features under new names like Alien, ERMAC, and Hook. For IT teams, understanding Cerberus is crucial to anticipating what’s next.\r\nHow to detect, prevent and respond to Cerberus-class threats\r\nCerberus and its successors exploit weaknesses in mobile device security, especially on devices that operate outside MDM or corporate control. The good news? There are concrete, proactive steps IT teams can take to stay ahead. Antivirus software and security researchers play a crucial role in identifying and mitigating threats, but the decisive step in a Cerberus infection is still a human one: the victim installing the app and tapping through the Accessibility prompt.\r\nMobile security best practices:\r\n1. Conduct regular mobile risk assessments: identify unprotected devices, outdated software, and high-risk user behaviors.\r\n2. Audit Accessibility Service permissions: Cerberus-class malware lives on this single grant. Inventory which packages hold an enabled accessibility service on each managed device (the enabled_accessibility_services secure setting holds the list), and on Android Enterprise devices use DevicePolicyManager.setPermittedAccessibilityServices to allow only the accessibility tools your organization has approved.\r\n3. Restrict sideloaded APKs: disable installs from unknown sources (the DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction on managed devices) or enforce MDM policies that limit unverified app installs. Remember that the Calculadora de Moneda dropper came from Google Play, so this control reduces exposure but does not remove it.\r\n4. Deploy Mobile Threat Defense (MTD) tools: MTD platforms offer behavioral monitoring, anomaly detection, and protection against threats that have no signature yet.\r\n5. Patch operating systems and apps: keep Android OS and key applications up to date to close known security gaps.\r\n6. Enable Google Play Protect (but don’t rely on it alone): it is a good baseline, but attackers have found ways to bypass it, and Cerberus-class malware switches it off once it has accessibility access.\r\n7. Train users to recognize fake apps and phishing tactics: awareness is your first line of defense. Users must understand that an app asking for Accessibility access is asking for control of the phone, not for a routine permission.\r\nIf a device is suspected of infection, treat every credential and one-time code used on it as exposed: revoke sessions and rotate passwords from a clean device, then factory-reset and re-enrol the phone, since the malware is built to block its own uninstall.\r\nFAQs: Cerberus malware and mobile threats in 2025\r\nWhat is Cerberus RAT?\r\nCerberus is an advanced Android banking trojan with Remote Access Trojan (RAT) capabilities. It steals banking credentials using overlay attacks and keylogging, and abuses Android Accessibility Services to take full control of infected devices.\r\nHow did Cerberus spread?\r\nOriginally offered as malware-as-a-service (MaaS), Cerberus was distributed through phishing campaigns and malicious apps, including at least one case on the official Google Play Store disguised as a currency calculator.\r\nIs Cerberus still active in 2025?\r\nThe original Cerberus malware is no longer active, but its leaked source code led to the rise of new variants like Alien, ERMAC, and Hook, and its techniques live on in families such as Octo.\r\n
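A practical complement to best-practice items 2 and 3 above, as an added example that is not part of the original article: a small Python audit that takes the output of three real adb commands (settings get secure enabled_accessibility_services, pm list packages -i, pm list packages -s) and, for every package holding an enabled Accessibility Service, reports whether it is an approved accessibility tool, came from a trusted installer or is preinstalled but unapproved, or was sideloaded. The allowlist, the trusted-installer set (which names a hypothetical com.example.mdmagent), and the sample command output are assumptions constructed for the example. The REVIEW verdict exists because the Calculadora de Moneda dropper came from Google Play: an installer check alone would have passed it.

```python
# Added example, not from the Prey article: triage which apps hold Android
# Accessibility Service access and how each was installed. Parses the text of
# three real adb commands (or runs them with --device):
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i      and      adb shell pm list packages -s
# All sample output below is constructed for offline use, not captured from a device.
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed sample of the secure setting: colon-separated 'package/service' entries.
SAMPLE_ENABLED = (
    'com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:'
    'com.example.currencycalc/com.example.currencycalc.AccService:'
    'com.example.adbdropped/com.example.adbdropped.HelperService'
)

# Constructed sample of `pm list packages -i`: 'package:<pkg>  installer=<pkg or null>'.
# A preinstalled system app and an APK pushed with `adb install` both report null.
SAMPLE_INSTALLERS = '''package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.currencycalc  installer=com.android.vending
package:com.example.adbdropped  installer=null
package:com.android.settings  installer=null'''

# Constructed sample of `pm list packages -s` (system packages only).
SAMPLE_SYSTEM = '''package:com.android.settings
package:com.google.android.marvin.talkback'''

# Assumptions an organisation would tune: approved accessibility tools, and the
# installers it trusts (Play Store plus a hypothetical MDM agent package).
ACCESSIBILITY_ALLOWLIST = {'com.google.android.marvin.talkback'}
TRUSTED_INSTALLERS = {'com.android.vending', 'com.example.mdmagent'}


def parse_enabled_services(setting: str) -> List[Tuple[str, str]]:
    '''Split enabled_accessibility_services into (package, service class) pairs.
    `settings get` prints the literal word null when nothing is enabled.'''
    text = setting.strip()
    if text in ('', 'null'):
        return []
    pairs = []
    for entry in text.split(':'):
        if entry:
            pkg, _, svc = entry.partition('/')
            pairs.append((pkg, svc))
    return pairs


def parse_installers(pm_output: str) -> Dict[str, str]:
    '''Map package name to the installer recorded by `pm list packages -i`.'''
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith('package:'):
            continue
        installer = 'null'
        for field in fields[1:]:
            if field.startswith('installer='):
                installer = field[len('installer='):]
        installers[fields[0][len('package:'):]] = installer
    return installers


def parse_system_packages(pm_output: str) -> Set[str]:
    '''Package names listed by `pm list packages -s`.'''
    return {line.strip()[len('package:'):] for line in pm_output.splitlines()
            if line.strip().startswith('package:')}


def classify(pkg: str, installer: str, system_pkgs: Set[str]) -> str:
    '''OK: approved tool. REVIEW: trusted installer or preinstalled, but not approved
    (the Calculadora de Moneda case). FLAG: sideloaded, including a null installer on
    a non-system package, which is what `adb install` leaves behind.'''
    if pkg in ACCESSIBILITY_ALLOWLIST:
        return 'OK'
    if installer in TRUSTED_INSTALLERS or (installer == 'null' and pkg in system_pkgs):
        return 'REVIEW'
    return 'FLAG'


def verdicts(setting: str, pm_i_output: str, pm_s_output: str) -> Dict[str, str]:
    '''One verdict per package that has an enabled accessibility service.'''
    installers = parse_installers(pm_i_output)
    system_pkgs = parse_system_packages(pm_s_output)
    return {pkg: classify(pkg, installers.get(pkg, 'unknown'), system_pkgs)
            for pkg, _svc in parse_enabled_services(setting)}


def adb_shell(*args: str) -> str:
    '''Run a command on the connected device (needs adb on PATH and USB debugging).'''
    return subprocess.run(['adb', 'shell', *args], capture_output=True, text=True,
                          check=True).stdout


if __name__ == '__main__':
    import sys
    if '--device' in sys.argv:
        enabled = adb_shell('settings', 'get', 'secure', 'enabled_accessibility_services')
        pm_i = adb_shell('pm', 'list', 'packages', '-i')
        pm_s = adb_shell('pm', 'list', 'packages', '-s')
    else:
        enabled, pm_i, pm_s = SAMPLE_ENABLED, SAMPLE_INSTALLERS, SAMPLE_SYSTEM
    installers = parse_installers(pm_i)
    for pkg, verdict in verdicts(enabled, pm_i, pm_s).items():
        print(verdict, pkg, installers.get(pkg, 'unknown'))
```

Run it without arguments to see the verdicts for the constructed sample, or with --device against a phone connected over USB debugging. MDM inventories usually expose the same installer and accessibility data in bulk, which is how to run this check across a fleet rather than one adb session at a time.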
These threats still use Cerberus-inspired techniques to target Android devices.\r\nWhat makes Cerberus dangerous?\r\nCerberus could remotely control infected phones, log keystrokes, steal SMS and 2FA codes, and even read Google Authenticator codes, all while remaining hidden from users and antivirus tools.\r\nHow can I protect my device from Cerberus-like malware?\r\nAvoid sideloading apps, restrict Accessibility permissions, use a mobile threat defense (MTD) solution, and stay up to date with OS and app security patches. IT teams should also educate users about mobile phishing and fake apps.\r\nConclusion: Cerberus may be gone, but its legacy lives on\r\nCerberus was a wake-up call for Android security, a trojan that combined traditional RAT techniques with modern mobile attack vectors. But its biggest impact came after its fall.\r\nWhen its source code leaked, Cerberus didn’t just disappear; it multiplied. It enabled a wave of new Android malware strains that still haunt the mobile landscape in 2025, from Alien to Hook and beyond. These threats are faster, stealthier, and more customizable than ever.\r\nFor IT teams and CISOs, this is a call to action:\r\nCerberus-class threats are no longer rare; they’re the standard. Defending against them requires a layered approach that includes user training, proactive mobile threat monitoring, and security policies that adapt as fast as the malware does.\r\nBecause the next RAT won’t knock; it will sneak in quietly, just like Cerberus did.\r\nSource: https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/"
	],
	"report_names": [
		"cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot"
	],
	"threat_actors": [],
	"ts_created_at": 1775434189,
	"ts_updated_at": 1775791219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2473507e29c3bf9efbbbf099744e93e8bb212974.pdf",
		"text": "https://archive.orkl.eu/2473507e29c3bf9efbbbf099744e93e8bb212974.txt",
		"img": "https://archive.orkl.eu/2473507e29c3bf9efbbbf099744e93e8bb212974.jpg"
	}
}