{
	"id": "8e1e8efa-81be-4144-bbdb-5f340802c926",
	"created_at": "2026-04-10T03:22:09.008437Z",
	"updated_at": "2026-04-10T03:22:16.550845Z",
	"deleted_at": null,
	"sha1_hash": "5058d6b35af3c043cc9172ec4abfb53cd74f9121",
	"title": "Cerberus Analysis - Android Banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6786788,
	"plain_text": "Cerberus Analysis - Android Banking Trojan\r\nBy lumos\r\nPublished: 2021-06-16 · Archived: 2026-04-10 02:31:46 UTC\r\nCerberus is an Android malware that emerged in 2019 but was allegedly used for special operations until two years ago. Analysts have determined that it was not built on the leaked source code of the Anubis banking trojan or on other similar trojans, but was written completely from scratch.\r\nStatic Analysis\r\nMD5: 872ebba0dfe0a28da3e91b0ee4d6df32\r\nSHA1: 6a87c50179b08740bcab9da69a869d7c881f40c4\r\nSHA-256: 9832b1ade1907849fd7091e85f2c24bd8a4488ecd96f0638fc979d8858b25196\r\nC\u0026C URL: http://botduke1.ug\r\nThe AndroidManifest.xml file shows that the application uses many permissions that can be used maliciously. In addition, the manifest references a class name that does not exist in the code, which shows that the application loads some classes at run-time, and classes that are not in the manifest file are included to complicate code analysis.\r\nhttps://nur.pub/cerberus-analysis\r\nPage 1 of 13\r\nWhen we hook the application, we see that the malware creates the Ab.json file and DexClassLoader is detected in this file. In this way, the actual dex file (Ab.json) is loaded at run-time.\r\nAfter the application runs on the device, the files and directories under its own directory are listed as follows.\r\nWhen file.delete (Java level) and the unlink syscall (system level) are hooked, it is seen that the malware tries to delete the ring0.xml.bak, ring0.xml, Ab.json and Ab.dex files from the system.\r\nAfter pulling the Ab.json file from the device, we can see the qhsewqxnjwezdfj.mysoclyistirmcm.wkzf class referenced in AndroidManifest.xml. You can use eybisi’s jadx fork to hide enum classes and for extra features.\r\nThe RC4 algorithm is frequently used in malware. 
When we search for the “^” (XOR) character in both the apk file and the Ab.json loaded at run-time, we can find the f class that encrypts with RC4.\r\nThe use of the decryption function in the application is as follows.\r\nDecryption\r\nThis method converts a hex string to bytes. The output is seen in the figure below:\r\nThe output of the previous function (h) is passed to the RC4 cipher, which decrypts it using a hard-coded key. The e string in the c class is used as the RC4 decryption key.\r\nWhen the strings in the c class are decrypted with Base64+RC4, the strings used by the malware are revealed. You can use this script for decryption: https://gist.github.com/nurpabuccu/ac3fe35720d13890c0cc5317acf12a82\r\nThe decrypted strings contain the application name, permissions, Telegram channel, parameters sent in the network traffic, the RC4 key needed to analyze the network traffic, and the nick of the malware author “ring0”, which is one of the important pieces of data about the malware.\r\nSome of these strings are also available in the ring0.xml file under the shared_prefs directory of the application on the device.\r\nThe malware can get all the contacts from the Android phone book with the CONTENT_URI field.\r\nAfter getting the phone book, the malware can send SMS messages.\r\nThe malware can enable call forwarding to a specified number.\r\nThe malware is also configured to run on Xiaomi systems. The code block for checking MIUI.UIversion is as follows:\r\nThe malware changes its behavior depending on the system language. 
It looks at the system’s default language and displays notifications based on that data (from the “string L” seen in class c below).\r\nAndroid’s battery optimization feature suspends the app to conserve battery, but since it’s a malicious RAT, it constantly listens for commands from the attacker. Upon installation, the malware uses the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission to prompt the user to ignore battery optimization for this app. Ignoring battery optimizations prevents the malware from being shut down by the device’s battery optimization routine even when idle.\r\nThis method is also used to block attempts to uninstall the app from the device.\r\nAbove, we can see the message for blocking removal of the TeamViewer app from the device. Cerberus uses TeamViewer for remote access to the victim’s device.\r\nThere are also some additional features in the malware. Using these commands, the device can be turned into a RAT (Remote Access Trojan):\r\ngrabbing_pass_gmail\r\ngrabbing_lockpattern\r\nrat_connect\r\nchange_url_connect\r\nrequest_permission\r\nchange_url_recover\r\nrun_admin_device\r\nurl\r\nussd\r\nsms_mailing_phonebook\r\nget_data_logs\r\ngrabbing_google_authenticator2\r\nremove_app\r\nremove_bot\r\nnotification\r\nsend_sms\r\ncall_forward\r\nrun_app\r\npatch_update\r\nDynamic Analysis\r\nThe application is hidden under the name “Vodafone 5G”. When the application is launched, it asks the user to enable the Accessibility Service.\r\nAfter the user grants the requested permission, the malware abuses it to give itself additional permissions, such as permissions to send messages, perform action commands from the C\u0026C, and make calls without requiring any user interaction. 
It also disables Google Play Protect to prevent itself from being discovered and deleted in the future.\r\nIn this way the malware grants itself additional privileges and secures its persistence on the device. If the user tries to uninstall the malicious application or tries to disable its accessibility service, it can prevent the user from uninstalling the software.\r\nTYPE_VIEW_CLICKED (eventType=1)\r\nTYPE_VIEW_FOCUSED (eventType=8)\r\nTYPE_VIEW_TEXT_CHANGED (eventType=16)\r\nTYPE_WINDOW_STATE_CHANGED (eventType=32)\r\nFor the constant values of these events, see: https://www.apiref.com/android/android/view/accessibility/AccessibilityEvent.html\r\nAfter the user allows the Accessibility Service, the application icon is removed from the menu. It then sends a request to the C\u0026C server (http://botduke1.ug).\r\nSince the C\u0026C was not active during the analysis, we cannot see all functions. When we look at other Cerberus analysis reports/blogs, we can see that the parameters listed below are used:\r\nd_attacker_two\r\nd_attacker\r\nis_attacker\r\ninfo_device\r\nnew_device\r\nsaved_data_attacker\r\nsaved_data_device\r\npause_attacker\r\nsaved_accessibility_events\r\nupgrade_patch\r\nconnecting\r\nsaved_all_sms\r\nsaved_contacts\r\nsaved_applications\r\nrat_connect\r\nrat_cmd\r\nIn the first request, the malware tries to collect some data about the device. The requests sent by the device are as follows. The info_device request contains device data such as device battery level and device language. 
This request keeps the C\u0026C server updated with new information about the device.\r\nIn the decrypted HTTP request, a lot of personal and sensitive data from the device is sent by the POST method to http://botduke1.ug, the server the application communicates with.\r\nFeatures\r\nCerberus has the same capabilities as most other Android banking trojans, such as overlay attacks and SMS checking. The Trojan can also capture keystrokes to expand its attack coverage.\r\nOverlaying: Dynamic (Local injects obtained from C2)\r\nKeylogging\r\nSMS listing\r\nSMS forwarding\r\nDevice info collection\r\nContact list collection\r\nApplication listing\r\nLocation collection\r\nSMS Sending\r\nCalls: USSD request making\r\nCalls: Call forwarding\r\nRemote actions: App installing\r\nRemote actions: App starting\r\nRemote actions: App removal\r\nRemote actions: Showing arbitrary web pages\r\nRemote actions: Screen-locking\r\nNotifications: Push notifications\r\nHiding the App icon\r\nPreventing removal\r\nEmulation-detection\r\nStealing 2FA tokens\r\nIn August 2020, the Cerberus group officially announced that the project is indeed dead because of Google Play Protect’s new functionality. The forum admin who bought Cerberus shared the source code publicly.\r\nReferences\r\nhttps://pentest.blog/n-ways-to-unpack-mobile-malware/\r\nhttps://koodous.com/apks\r\nhttps://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html\r\nhttps://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf\r\nhttps://www.avira.com/en/blog/in-depth-analysis-of-a-cerberus-trojan-variant\r\nhttps://securitynews.sonicwall.com/xmlpost/coronavirus-themed-android-rat-on-the-prowl/\r\nSource: https://nur.pub/cerberus-analysis",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://nur.pub/cerberus-analysis"
	],
	"report_names": [
		"cerberus-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775791329,
	"ts_updated_at": 1775791336,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5058d6b35af3c043cc9172ec4abfb53cd74f9121.pdf",
		"text": "https://archive.orkl.eu/5058d6b35af3c043cc9172ec4abfb53cd74f9121.txt",
		"img": "https://archive.orkl.eu/5058d6b35af3c043cc9172ec4abfb53cd74f9121.jpg"
	}
}