{
	"id": "d371f213-92e1-4212-ab89-30be7dd700a2",
	"created_at": "2026-04-06T00:07:53.506797Z",
	"updated_at": "2026-04-10T03:24:30.008657Z",
	"deleted_at": null,
	"sha1_hash": "29cb4bbcddbb1b47c136f2d641d6fb0a93161aaa",
	"title": "Cerberus - A new banking Trojan from the underworld",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 447716,
	"plain_text": "Cerberus - A new banking Trojan from the underworld\r\nPublished: 2024-10-01 · Archived: 2026-04-05 13:47:35 UTC\r\nIntro\r\nIn June 2019, ThreatFabric analysts found a new Android malware, dubbed “Cerberus”, being rented out on underground\r\nforums. Its authors claim that it was used for private operations for two years preceding the start of the rental. They also\r\nstate that the code is written from scratch and does not use parts of other existing banking Trojans, unlike many other Trojans\r\nthat are either based completely on the source of another Trojan (such as the leaked Anubis source code that is now being\r\nresold) or at least borrow parts of other Trojans. After thorough analysis we can confirm that Cerberus was indeed not based\r\non the Anubis source code.\r\nOne peculiar thing about the actor group behind this banking malware is that they have an “official” Twitter account that\r\nthey use to post promotional content (even videos) about the malware. Oddly enough they also use it to make fun of the AV\r\ncommunity, sharing detection screenshots from VirusTotal (thus leaking IoCs) and even engaging in discussions with\r\nmalware researchers directly.\r\nThe following screenshot shows tweets from their advertisement campaign:\r\nhttps://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html\r\nPage 1 of 11\n\nThat unusual behavior could be explained by the combination of the need for attention and a probable lack of experience.\r\nWhat is sure is that the gap in the Android banking malware rental business left open after the rental of the Anubis 2 and\r\nRedAlert 2 Trojans ended provides a good opportunity for the actors behind Cerberus to grow their business quickly.\r\nThe Android banking Trojan rental business\r\nRental of banking Trojans is not new. 
It was an existing business model when computer-based banking malware was the\r\nonly form of banking malware and shifted to the Android equivalent a few years later.\r\nThe life span of Android banking malware is limited either by the will of its author(s) to support it or by the arrest of those\r\nactors. This malware life cycle has been observed to recur every few years, bringing new malware families to light.\r\nEach time a rented malware reaches the end of its life it provides the opportunity for other actors to take over the malware\r\nrental market share.\r\nAs visible on the following chart, the lifespan of many well-known rented Android bankers is usually no more than one or two\r\nyears. When a family ceases to exist a new one is already available to fill the void, proving that the demand for such\r\nmalware is always present and that therefore Cerberus has a good chance to survive.\r\nAfter the actor behind RedAlert 2 decided to quit the rental business, we observed a surge in Anubis samples in the wild.\r\nAfter the Anubis actor was allegedly arrested and the source code was leaked there was also a huge increase in the number of\r\nAnubis samples found in the wild, but the new actors using Anubis have no support or updates.\r\nDue to this, Cerberus will come in handy for actors that want to focus on performing fraud without having to develop and\r\nmaintain a botnet and C2 infrastructure.\r\nAnalysis of evasion techniques\r\nAlong with the standard payload and string obfuscation, Cerberus uses a rather interesting technique to prevent analysis of\r\nthe Trojan.\r\nUsing the device accelerometer sensor it implements a simple pedometer that is used to measure movements of the victim.\r\nThe idea is simple - if the infected device belongs to a real person, sooner or later this person will move around, increasing\r\nthe step counter. 
The Trojan uses this counter to activate the bot - if the aforementioned step counter hits the pre-configured\r\nthreshold it considers it safe to run on the device. This simple measure prevents the Trojan from running and being\r\nanalyzed in dynamic analysis environments (sandboxes) and on the test devices of malware analysts.\r\nThe code responsible for this verification is shown in the following snippet:\r\n...this.sensorService.registerListener(this, this.accelerometer, 3);\r\nSensor localSensor = sensorEvent.sensor;\r\nthis.sensorService.registerListener(this, localSensor, 3);\r\nif (localSensor.getType() == 1) {\r\n float[] values = sensorEvent.values;\r\n float Gx = values[0];\r\n float Gy = values[1];\r\n float Gz = values[2];\r\n long timestamp = System.currentTimeMillis();\r\n if (timestamp - this.previousTimestamp \u003e 100L) {\r\n long interval = timestamp - this.previousTimestamp;\r\n this.previousTimestamp = timestamp;\r\n if (Math.abs(Gx + Gy + Gz - this.curGx - this.curGy - this.curGz) / (((float) interval)) * 10000f \u003e 600f) {\r\n this.increaseStepCount();\r\n }\r\n this.curGx = Gx;\r\n this.curGy = Gy;\r\n this.curGz = Gz;\r\n }\r\n}...\r\nif (Integer.parseInt(this.utils.readConfigString(arg7, this.constants.step)) \u003c this.constants.limit) {\r\n goto skip;\r\n}\r\nHow it works\r\nWhen the malware is first started on the device it will begin by hiding its icon from the application drawer. 
Then it will ask\r\nfor the accessibility service privilege as visible in the following screenshot:\r\nAfter the user grants the requested privilege, Cerberus starts to abuse it by granting itself additional permissions, such as\r\npermissions needed to send messages and make calls, without requiring any user interaction. It also disables Play Protect\r\n(Google’s preinstalled antivirus solution) to prevent its discovery and deletion in the future. After conveniently granting\r\nitself additional privileges and securing its persistence on the device, Cerberus registers the infected device in the botnet\r\nand waits for commands from the C2 server while also being ready to perform overlay attacks.\r\nThe commands supported by the analyzed version of the Cerberus bot are listed below. As can be seen, the possibilities\r\noffered by the bot are pretty common.\r\nCommand Description\r\npush Shows a push notification. 
Clicking on the notification will result in launching a specified app\r\nstartApp Starts the specified application\r\ngetInstallApps Gets the list of installed applications on the infected device\r\ngetContacts Gets the contact names and phone numbers from the address book on the infected device\r\ndeleteApplication Triggers the deletion of the specified application\r\nforwardCall Enables call forwarding to the specified number\r\nsendSms Sends a text message with specified text from the infected device to the specified phone number\r\nstartInject Triggers the overlay attack against the specified application\r\nstartUssd Calls the specified USSD code\r\nopenUrl Opens the specified URL in the WebView\r\ngetSMS Gets all text messages from the infected device\r\nkillMe Triggers the kill switch for the bot\r\nupdateModule Updates the payload module\r\nCerberus features\r\nCerberus malware has the same capabilities as most other Android banking Trojans, such as the use of overlay attacks, SMS\r\ncontrol and contact list harvesting. The Trojan can also leverage keylogging to broaden the attack scope. Overall, Cerberus\r\nhas a pretty common feature list and although the malware seems to have been written from scratch there does not seem to\r\nbe any innovative functionality at this time. 
For example, some of the more advanced banking Trojans now offer features\r\nsuch as a back-connect proxy, screen-streaming and even remote control.\r\nCerberus embeds the following set of features that allows it to remain under the radar and successfully perform attacks:\r\nOverlaying: Dynamic (Local injects obtained from C2)\r\nKeylogging\r\nSMS harvesting: SMS listing\r\nSMS harvesting: SMS forwarding\r\nDevice info collection\r\nContact list collection\r\nApplication listing\r\nLocation collection\r\nOverlaying: Targets list update\r\nSMS: Sending\r\nCalls: USSD request making\r\nCalls: Call forwarding\r\nRemote actions: App installing\r\nRemote actions: App starting\r\nRemote actions: App removal\r\nRemote actions: Showing arbitrary web pages\r\nRemote actions: Screen-locking\r\nNotifications: Push notifications\r\nC2 Resilience: Auxiliary C2 list\r\nSelf-protection: Hiding the App icon\r\nSelf-protection: Preventing removal\r\nSelf-protection: Emulation-detection\r\nArchitecture: Modular\r\nOverlay attack\r\nMost Android banking Trojans use overlay attacks to trick the victim into providing their personal information (such as but\r\nnot limited to: credit card information, banking credentials, mail credentials) and Cerberus is no exception. In this particular\r\ncase, the bot abuses the accessibility service privilege to obtain the package name of the foreground application and\r\ndetermine whether or not to show a phishing overlay window, as shown in the following code snippet:\r\nthis.foregroundAppPackage = accessibilityEvent.getPackageName().toString();\r\n...\r\nString target = this.strings.empty;\r\nif (this.strings.CC_apps.contains(this.foregroundAppPackage)) {\r\n target = this.strings.grabbCC;\r\n} else if (this.strings.MAIL_apps.contains(this.foregroundAppPackage)) {\r\n target = this.strings.grabMails;\r\n}\r\ntry {\r\n Utils utils = this.utils;\r\n String v1_10 = target.isEmpty() ? 
this.foregroundAppPackage : target;\r\n if (utils.readConfigString(this, v1_10).length() \u003e 10) {\r\n JSONObject config = new JSONObject();\r\n config.put(this.strings.params, this.strings.startViewInject);\r\n config.put(this.strings.packageAppStart, this.foregroundAppPackage);\r\n config.put(this.strings.nameInject, target);\r\n config.put(this.strings.packageProject, this.getPackageName());\r\n config.put(this.strings.packageView, InjectActivity.class.getCanonicalName());\r\n Utils utils1 = this.utils;\r\n utils1.callModule(this, config.toString());\r\n }\r\n} catch (Exception e) {\r\n ...\r\n}\r\nTargets\r\nSome examples of phishing overlays are shown below. They exist in two types: the credentials stealers (first 2 screenshots)\r\nand the credit card grabbers (last screenshot).\r\nThe only active target list observed in the wild is available in the appendix and contains a total of 30 unique targets.\r\nIt is interesting to observe that the actual target list contains:\r\n7 French banking apps\r\n7 U.S. banking apps\r\n1 Japanese banking app\r\n15 non-banking apps\r\nThis uncommon target list might either be the result of specific customer demand, or due to some actors having partially\r\nreused an existing target list.\r\nConclusion\r\nAlthough not yet mature enough to provide the equivalent of a full-blown set of Android banking malware features (such as\r\nRAT, RAT with ATS (Automated Transaction Script), back-connect proxy, media streaming), or providing an exhaustive\r\ntarget list, Cerberus should not be taken lightly.\r\nDue to the current absence of maintained and supported Android banking Malware-as-a-Service in the underground\r\ncommunity, there is certainly demand for a new service. 
Cerberus is already capable of fulfilling this demand. In addition to\r\nthe feature base it already possesses and the money that can be made from the rental, it could evolve to compete with the\r\nmightiest Android banking Trojans. Next to the features, we expect the target list to be expanded to contain additional\r\n(banking) apps in the near future.\r\nKnowledge of the threat landscape and implementation of the right detection tools remain crucial to be able to protect\r\nyourself from fraud; Cerberus is yet another new Trojan active in the wild!\r\nMobile Threat Intelligence\r\nOur threat intelligence solution, MTI, provides the context and in-depth knowledge of past and present malware-powered threats in order to understand the future of the threat landscape. Such intelligence includes both the strategic\r\noverview of trends and the operational indicators to discern early signals of upcoming threats and build a future-proof\r\nsecurity strategy.\r\nClient Side Detection\r\nOur online fraud detection solution, CSD, presents financial institutions with a real-time overview of the risk status of\r\ntheir online channels and related devices. This overview provides all the relevant information and context to act upon\r\nthreats before they turn into fraud. 
The connectivity with existing risk or fraud engines allows for automated and\r\norchestrated, round-the-clock fraud mitigation.\r\nAppendix\r\nSamples\r\nSome of the latest Cerberus samples found in the wild:\r\nApp name  Package name  SHA 256 hash\r\nFlash Player  com.uxlgtsvfdc.zipvwntdy  728a6ea44aab94a2d0ebbccbf0c1b4a93fbd9efa8813c19a88d368d6a46b4f4f\r\nFlash Player  com.ognbsfhszj.hqpquokjdp  fe28aba6a942b6713d7142117afdf70f5e731c56eff8956ecdb40cdc28c7c329\r\nFlash Player  com.mwmnfwt.arhkrgajn  ffa5ac3460998e7b9856fc136ebcd112196c3abf24816ccab1fbae11eae4954c\r\nFlash Player  com.wogdjywtwq.oiofvpzpxyo  6ac7e7ed83b4b57cc4d28f14308d69d062d29a544bbde0856d5697b0fc50cde4\r\nFlash Player  com.hvdnaiujzwo.fovzeukzywfr  cfd77ddc5c1ebb8498c899a68ea75d2616c1c92a0e618113d7c9e5fcc650094b\r\nFlash Player  com.gzhlubw.pmevdiexmn  3f2ed928789c200e21fd0c2095619a346f75d84f76f1e54a8b3153385850ea63\r\nTarget list\r\nThe actual observed list of mobile apps targeted by Cerberus contains a total of 30 unique applications. 
This list is expected\r\nto expand:\r\nPackage name Application name\r\ncom.android.vending Play Market\r\ncom.boursorama.android.clients Boursorama Banque\r\ncom.caisseepargne.android.mobilebanking Banque\r\ncom.chase.sig.android Chase Mobile\r\ncom.clairmail.fth Fifth Third Mobile Banking\r\ncom.connectivityapps.hotmail Connect for Hotmail\r\ncom.google.android.gm Gmail\r\ncom.imo.android.imoim imo free video calls and chat\r\ncom.infonow.bofa Bank of America Mobile Banking\r\ncom.IngDirectAndroid ING\r\ncom.instagram.android Instagram\r\ncom.konylabs.capitalone Capital One® Mobile\r\ncom.mail.mobile.android.mail mail.com mail\r\ncom.microsoft.office.outlook Microsoft Outlook\r\ncom.snapchat.android Snapchat\r\ncom.tencent.mm WeChat\r\ncom.twitter.android Twitter\r\ncom.ubercab Uber\r\ncom.usaa.mobile.android.usaa USAA Mobile\r\ncom.usbank.mobilebanking U.S. Bank - Inspired by customers\r\ncom.viber.voip Viber\r\ncom.wf.wellsfargomobile Wells Fargo Mobile\r\ncom.whatsapp WhatsApp\r\ncom.yahoo.mobile.client.android.mail Yahoo Mail – Organized Email\r\nfr.banquepopulaire.cyberplus Banque Populaire\r\nfr.creditagricole.androidapp Ma Banque\r\njp.co.rakuten_bank.rakutenbank 楽天銀行 -個人のお客様向けアプリ\r\nmobi.societegenerale.mobile.lappli L’Appli Société Générale\r\nnet.bnpparibas.mescomptes Mes Comptes BNP Paribas\r\norg.telegram.messenger Telegram\r\nSource: https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"
	],
	"report_names": [
		"cerberus-a-new-banking-trojan-from-the-underworld.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434073,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29cb4bbcddbb1b47c136f2d641d6fb0a93161aaa.pdf",
		"text": "https://archive.orkl.eu/29cb4bbcddbb1b47c136f2d641d6fb0a93161aaa.txt",
		"img": "https://archive.orkl.eu/29cb4bbcddbb1b47c136f2d641d6fb0a93161aaa.jpg"
	}
}