{
	"id": "99e39293-7935-41c2-89c7-ca1ec6384735",
	"created_at": "2026-04-29T08:21:29.712116Z",
	"updated_at": "2026-04-29T10:42:07.323519Z",
	"deleted_at": null,
	"sha1_hash": "b0d878848426bb6a8b3c7ffc019d3d8c71b5705c",
	"title": "Warning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 886714,
	"plain_text": "Warning As Devious New Android Malware Hides In Fake Adobe\r\nFlash Player Installations (Updated)\r\nBy Zak Doffman\r\nPublished: 2019-08-16 · Archived: 2026-04-29 07:24:38 UTC\r\nGetty\r\nMillions of Android users are being warned about a devious new banking trojan, dubbed Cerberus, that infects\r\ndevices by masquerading as an Adobe Flash Player installation. Once installed, the fake download requests\r\naccessibility permissions that allow an attack to take place. The malware overlays login screens for banking apps,\r\nstealing credentials for its operators. Cerberus also has a crafty evasion technique—using the accelerometer on an\r\ninfected device to ensure the target is real and not a desk-based security analyst.\r\nThe developers behind Cerberus are reportedly renting the trojan out on the dark web and have taken the unusual\r\nstep of advertising their capabilities on Twitter. The threat actors even use their Twitter account to mock the\r\nsecurity community tasked with trying to stop them—and they are so confident, they even tried to sell the bot to a\r\nwell known malware analyst so he could examine their work.\r\nCerberus infects users when they access a fake website which immediately requests a download of Adobe Flash\r\nPlayer. The download is fake, and carries the malware payload.\r\nA video of the infection process can be seen here.\r\nhttps://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/#1563fef26d9c\r\nPage 1 of 3\n\nMORE FOR YOU\r\nAndroid banking trojans are nothing new, and Cerberus is just the latest in a long line of such malware to hit the\r\nheadlines. Even the fact that Cerberus is being \"rented out\" on underground forums is not unique. Malware \"for\r\nhire\" has become a theme.\r\nCerberus has been designed to steal banking credentials. It does this—again not unusually—by creating overlays\r\non top of banking apps that capture usernames and passwords as they are being entered. Such overlays are\r\ndesigned around specific apps, and Cerberus has developed more than 30 of these thus far. Of note, the target\r\nbanks are in the U.S., France and Japan—a fairly specific list of countries.\r\nESET security researcher Lukas Stefanko told me he \"found Cerberus in June, a couple of days after it was\r\npublished on an underground forum.\" Stefanko used Twitter to ask the research community if anyone had come\r\nacross it before, \"and that is when I noticed their twitter handle joined the debate under my tweet.\"\r\n\"Even though they know I am android malware analyst,\" Stefanko told me, \"they tried to sell me their Cerberus\r\nbot. They created a profile where the only thing I needed to do is buy it. However my goal was to obtain working\r\nsample and C\u0026C address to properly analyze it.\" The developers sent Stefanko a sample of Cerberus, but used his\r\nTwitter handle \"instead of a real C\u0026C server,\" and so he was unable to test it.\r\nTwo days later, Stefanko and colleagues \"detected an active campaign using this new banking Trojan with\r\nthousands of website visits that contained the payload. Cerberus was spread via a fake website that asked users to\r\ninstall Adobe Flash Player.\"\r\nLukas Stefanko\r\nStefanko explained to me that the Cerberus developers used \"a web framework where anyone can check website\r\nvisit statistics—because of that I found out which countries are targeted with actual number of site visits.\"\r\nOver a fourteen day period, Stefanko tracked more than 13,000 visits to the fake Cerberus website, most of which\r\nwere from users in the U.S. and Japan.\r\nAt about the same time, Cerberus was seen being rented out in underground forums by the team at ThreatFabric.\r\nThe malware's developers claimed it had been used privately for two years beforehand, and that it was \"written\r\nfrom scratch\" and does not \"borrow\" code from existing malware, making it harder to detect. There is certainly\r\nnone of the leaked Anubis source code within Cerberus.\r\n\"Rental of banking Trojans is not new,\" the researchers explain. \"It was an existing business model when\r\ncomputer-based banking malware was the only form of banking malware and has shifted to the Android\r\nhttps://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/#1563fef26d9c\r\nPage 2 of 3\n\nequivalent a few years later.\"\r\nCerberus often comes as a social media attachment, so the usual caution on thinking before clicking applies. The\r\nmalware uses its Flash Player application to trick user into granting accessibility rights. The malware can then\r\ngrant itself additional rights to control the device, send messages, make calls, communicate back to its handlers. It\r\ncan even disable Google Play Protect to avoid automatic detection.\r\nNone of which its unusual. And so the clever stuff—Cerberus has been designed to avoid detection from desk-based malware analysts by delaying activation until it can confirm the device belongs to a genuine victim. It uses\r\nthe device's accelerometer to measure steps. \"The Trojan uses this counter to activate the bot,\" ThreatFabric\r\nexplains. And when the step counter hits a target, \"it considers running on the device to be safe.\" This counter-measure \"prevents the Trojan from running and being analyzed in dynamic analysis environments (sandboxes) and\r\non test devices.\"\r\nBut the real standout for Cerberus is that its developers have even taken to Twitter to \"post promotional content\r\n(even videos) about the malware\" and to \"make fun of the antivirus community—sharing detection screenshots\r\nfrom VirusTotal (thus leaking IoC) and even engaging in discussions with malware researchers directly.\"\r\nCerberus is not seen as \"moving the needle\" for trojan capabilities, but it's dangerous nonetheless. \"Cerberus\r\nshould not be taken lightly,\" ThreatFabric warns. It can harvest contacts, send messages, steal credentials. And its\r\noverlays are not limited to banking apps—it can attack messaging or other accounts using the same techniques.\r\nThe rental model is interesting—it ensures the malware can evolve and spread quickly, and it increases the likely\r\ndamage during its lifespan. There is also the question of the apps coverage thus far—U.S., France and Japan. If\r\nthose were created to order, then the rental model will quickly add more.\r\nBut the most interesting element to Cerberus is the cat and mouse game playing out in the open as its developers\r\ntaunt the catcher community. And as entertaining as those Twitter exchanges might be, it's important to remember\r\nthere are many thousands of victims of Cerberus whose lives will be badly impacted.\r\nAnd so, as ever, the usual advice applies. Take care what you download and install—avoid gimmicks and\r\nuntrusted sources, use common sense. Our smartphones are the keys to our digital worlds, and malware like\r\nCerberus is designed to steal those keys while avoiding detection in ever more clever ways.\r\nSource: https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them\r\n-on-twitter/#1563fef26d9c\r\nhttps://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/#1563fef26d9c\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/#1563fef26d9c"
	],
	"report_names": [
		"#1563fef26d9c"
	],
	"threat_actors": [],
	"ts_created_at": 1777450889,
	"ts_updated_at": 1777459327,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b0d878848426bb6a8b3c7ffc019d3d8c71b5705c.pdf",
		"text": "https://archive.orkl.eu/b0d878848426bb6a8b3c7ffc019d3d8c71b5705c.txt",
		"img": "https://archive.orkl.eu/b0d878848426bb6a8b3c7ffc019d3d8c71b5705c.jpg"
	}
}