{
	"id": "bcc9068f-bca8-461b-9294-adcc1bcff341",
	"created_at": "2026-04-06T00:18:47.810583Z",
	"updated_at": "2026-04-10T13:12:18.556626Z",
	"deleted_at": null,
	"sha1_hash": "8f095f8aa4cf170c88e4d4949bfec981b76d4ce1",
	"title": "Cerberus Enters the Android Malware Rental Scene",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 176289,
	"plain_text": "Cerberus Enters the Android Malware Rental Scene\r\nBy Tara Seals\r\nPublished: 2019-08-13 · Archived: 2026-04-05 15:56:21 UTC\r\nThe mobile banking trojan has a few unusual features and bears watching, researchers said.\r\nA never-before-seen Android banking trojan, dubbed Cerberus, is being rented out on underground forums by a\r\nthreat group that likes to engage with the defense community publicly via Twitter.\r\nAccording to a Tuesday posting from ThreatFabric, Cerberus isn’t based on the leaked Anubis source code that\r\nunderpins many new trojans on the market. Its authors claim that it’s completely bespoke, with no code re-use,\r\nand it comes with infrastructure support. That offers an important differentiator, according to the researchers,\r\ngiven that the Android banking trojan market is in a transition phase.\r\n“After the actor behind [the previously dominant] RedAlert 2 [trojan] decided to quit the rental business, we\r\nobserved a surge in Anubis samples in the wild. After the Anubis actor was allegedly arrested and the source code\r\nwas leaked there was also a huge increase in the number of Anubis samples found in the wild, but the new actors\r\nusing Anubis have no support or updates. Due to this, Cerberus will come in handy for actors that want to focus on\r\nperforming fraud without having to develop and maintain a botnet and command-and-control (C2) infrastructure.”\r\nCerberus sets itself apart in a couple of ways. For one, it uses an interesting method to determine that it’s not\r\nrunning in a sandbox environment: It uses the device’s accelerometer sensor to measure movements of the victim\r\nwith a pedometer function; researchers said that it uses the step-counter to activate the bot once it hits a\r\npreconfigured threshold.\r\nIt also has an unusually small list of mobile apps for which it’s set up to do overlay attacks. It obtains the package\r\nname of the foreground application and determines whether or not to show a phishing overlay window to harvest\r\ncredit-card information, banking credentials, email credentials and so on. So far, it only works with seven French\r\nbanking apps and seven U.S. banking apps; one Japanese banking app; and 15 non-banking apps, according to the\r\nanalysis.\r\n“This uncommon target list might either be the result of specific customer demand, or due to some actors having\r\npartially reused an existing target list,” the researchers said.\r\nhttps://threatpost.com/cerberus-android-malware-rental/147280/\r\nPage 1 of 3\n\nThe other unusual thing about Cerberus is the behavior of its authors.\r\n“One peculiar thing about the actor group behind this banking malware is that they have an ‘official’ Twitter\r\naccount that they use to post promotional content (even videos) about the malware,” ThreatFabric researchers\r\nwrote. “Oddly enough, they also use it to make fun of the AV community, sharing detection screenshots from\r\nVirusTotal (thus leaking IoC) and even engaging in discussions with malware researchers directly.”\r\nOtherwise, the trojan has standard features, the researchers noted, such as SMS control, contact-list harvesting and\r\nkeylogging to broaden the attack scope; it lacks advanced features such as a back-connect proxy, media streaming\r\nand remote access control.\r\nIt sets itself up by requesting accessibility permission.\r\n“After the user grants the requested privilege, Cerberus starts to abuse it by granting itself additional permissions,\r\nsuch as permissions needed to send messages and make calls, without requiring any user interaction,” according to\r\nThreatFabric. “It also disables Play Protect (Google’s preinstalled antivirus solution) to prevent its discovery and\r\ndeletion in the future. After conveniently granting itself additional privileges and securing its persistence on the\r\ndevice, Cerberus registers the infected device in the botnet and waits for commands from the C2 server while also\r\nbeing ready to perform overlay attacks.”\r\nThe malware-as-a-service market is ripe for Cerberus, the researchers wrote.\r\n“The lifespan of many well-known rented Android bankers is usually no more than one or two years,” they said.\r\n“When the family ceases to exist a new one is already available to fill the void, proving that the demand for such\r\nmalware is always present and that therefore Cerberus has a good chance to survive.”\r\nWhile it’s still immature, Cerberus “should not be taken lightly,” the researchers said.\r\n“In addition to the feature base it already possesses and the money that can be made from the rental, it could\r\nevolve to compete with the mightiest Android banking trojans,” according to the analysis. “Next to the features,\r\nwe expect the target list to be expanded to contain additional (banking) apps in the near future.”\r\nBlack Hat USA and DEF CON 2019 just wrapped up in Las Vegas. For all of Threatpost’s stories, podcasts and\r\nvideos from Black Hat and DEF CON, click here.\r\nSource: https://threatpost.com/cerberus-android-malware-rental/147280/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/cerberus-android-malware-rental/147280/"
	],
	"report_names": [
		"147280"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434727,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f095f8aa4cf170c88e4d4949bfec981b76d4ce1.pdf",
		"text": "https://archive.orkl.eu/8f095f8aa4cf170c88e4d4949bfec981b76d4ce1.txt",
		"img": "https://archive.orkl.eu/8f095f8aa4cf170c88e4d4949bfec981b76d4ce1.jpg"
	}
}