{
	"id": "ff090d63-b851-441a-8c38-2e1315385566",
	"created_at": "2026-04-06T00:10:33.979808Z",
	"updated_at": "2026-04-10T03:30:33.826237Z",
	"deleted_at": null,
	"sha1_hash": "b9777bcb38c43d8db2315bc1498b9f9c06b5dd14",
	"title": "Alien - the story of Cerberus' demise",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 465244,
	"plain_text": "Alien - the story of Cerberus' demise\r\nPublished: 2024-10-01 · Archived: 2026-04-05 12:54:08 UTC\r\nIntro\r\nAs predicted in our blog 2020 – year of the RAT, 2020 has been an effervescent year for financially motivated\r\nthreat actors making use of Android malware. Although the ThreatFabric team discovered several new banking\r\nTrojans, it also observed the death of some others. Threat actors continue to innovate and try out new ways to steal\r\nand monetize personal information. In some cases, actors are successful, with long-running campaigns powered\r\nby their malware; in other cases, they are fruitless, resulting in the downfall of their malware as quickly as it\r\nappeared. In this blog, we describe a relatively new and barely known Android banking Trojan with Remote\r\nAccess Trojan, notification stealing and authenticator-based 2FA theft capabilities, dubbed Alien, and explain how\r\nit relates to the infamous Cerberus malware, whose service has recently been discontinued.\r\nThe preface, Cerberus\r\nAugust 2020 marked the demise of Cerberus, the most successful Android banking Trojan service, or MaaS\r\n(Malware as a Service), of the last 12 months. Details about the Trojan can be found in our blog about from\r\nAugust last year. Apparently due to issues related to shortcomings of the staff within the threat actor’s technical\r\nteam, architectural and technical issues with the Trojan remained unsolved long enough for Google Play Protect to\r\ndetect all related samples on the spot on all infected devices, of course resulting in unhappy customers.\r\nAt the end of July, because of these issues, the actor behind Cerberus tried to sell the service, including the\r\ncustomer portfolio, in the hope that another actor would continue his work. 
Our telemetry, as seen in the graph below,\r\nshows a steady decrease of new Cerberus samples starting from this moment.\r\nhttps://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html\r\nPage 1 of 9\n\nAfter a series of customer complaints and due to his fruitless attempts to sell the source code of the Trojan as a\r\nwhole, the owner of the malware finally decided to end the rental service and refund active license holders. On\r\nAugust 10th 2020 he shared the source code of Cerberus with the administrator of the underground forum in\r\nwhich he was renting it out. As we forecasted, shortly after, the source code of the Trojan became available to the\r\ngeneral public.\r\nYou might wonder why the number of samples drops and barely increases again despite the source code being\r\npublicly available. There are two reasons: firstly, actors who got their hands on the code need to understand how\r\nto set up the backend (C2) and builder; secondly, the actors who successfully built samples noticed that their\r\npayload is immediately detected by Play Protect when installed on an Android device and therefore are now\r\nprobably working on rearranging the code (resulting in their own code fork). All samples detected since the\r\nofficial Cerberus service interruption are test samples and no large-scale or successful campaign has been\r\nobserved so far. However, since Cerberus was such a successful malware, it is likely that other actors will start\r\nusing it actively once its issues are resolved; therefore we can expect it to resurface at any time.\r\nDespite Cerberus not being actively rented and supported any longer, we still often see some researchers reporting\r\nactive Cerberus campaigns. 
To explain why this happens we decided to write this blog and clear up any confusion:\r\ncurrently reported campaigns can be attributed to a fork of Cerberus, called “Alien”.\r\nBehind the scenes\r\nOur story starts in January 2020, when our analyst team first spotted something which at first glance could have\r\nbeen considered a new version of Cerberus. In those newly found samples the author revisited the C2\r\ncommunication protocol, added some new string protection techniques, renamed the side-loaded module filename\r\nto bear his nickname and added the TeamViewer-based RAT function.\r\nDespite some minor refactoring, the architecture of the Trojan stayed the same. At the same time, the Cerberus\r\nteam was making announcements about a soon-to-be-published second version of the Trojan in their commercial\r\ntopic in an underground forum. Therefore, we initially assumed that the samples discovered were in fact the first/test\r\nversions of that advertised new version of the Trojan and classified them as such. That held until 5 days later.\r\nEnter the ring\r\nOn January 18th, we discovered an interesting new post from another actor in an underground forum. 
This actor,\r\nwhose name matches the newly introduced module name for the malware in question, started to advertise his own\r\nprivate malware with a VNC feature.\r\nFor the sake of clarity: Although VNC (Virtual Network Computing) is a specific graphical desktop-sharing\r\nsystem, threat actors often label all Trojans with remote access capabilities (RAT) as embedding VNC, regardless\r\nof the technology being used.\r\nThis discovery also matched the fact that the newly found samples included the RAT feature, making use of\r\nTeamViewer to provide remote access to the infected device.\r\nThe closely related codebase, showing strong links between this new Trojan and Cerberus, conflicted\r\nwith the fact that this Trojan was clearly operated by a separate group; therefore we decided to investigate the\r\nsituation further. Luckily, it was only a matter of weeks before we could confirm what was going on.\r\nMeet the Duke\r\nIn February, it became apparent that the new malware was operated separately and slightly differently from\r\nCerberus. We started to see simultaneous campaigns using both Trojans. Additionally, the malware described by\r\nits apparent author was enriched by a 2FA-stealing technique that was capable of stealing secret tokens from\r\nGoogle’s Authenticator application, while Cerberus didn’t have such a feature.\r\nMid-February, the actor who later proclaimed himself the author of the BlackRock malware left a review on the\r\nprofile of the apparent author, reviewing his malware-rental service:\r\nOn February 20th 2020, the Cerberus actors made a promotional post in their commercial topic that referenced\r\nresearchers, sharing the samples of what they thought was the Cerberus malware. 
Somewhat later, the BlackRock\r\nactor replied to the post, condemning the Cerberus actors for taking credit for another malware project, stating that\r\nit was a different malware that he uses himself:\r\nThoughtfully, he included some screenshots with proof:\r\nThe tweet by @pr3wtd that sparked that truly insightful conversation clearly links the provided IOCs with the\r\nsample of the malware that the BlackRock author was testing at the time, the Trojan advertised by the actor we\r\nalready suspected of being the author.\r\nThat sample indeed belongs to the same malware strain that we discovered earlier in January.\r\nThe revelation\r\nAfter we established a solid link between the actor running the private rental service and the samples, the only\r\naspect we were missing was the name of the Trojan. Fortunately for us, after a while topics showing interest in a\r\ncertain “Alien” malware started to appear in the underground forum and the author himself confirmed his\r\naffiliation with, and the name of, the Trojan:\r\nBased on our in-depth knowledge of the Trojan (available in our Mobile Threat Intelligence portal), we can prove\r\nthat the Alien malware is a fork of the initial variant of Cerberus (v1), active since early January 2020 and rented\r\nout at the same time as Cerberus. With Cerberus discontinued, its customers seem to be switching to Alien, which\r\nhas become the prominent new MaaS for fraudsters.\r\nLooking at what we know now about what happened with Cerberus and Alien, we could speculate that Cerberus\r\nwas on the decline as the developers behind the Trojan shifted away from the project with the original source in\r\norder to start their own. 
Interestingly enough, this speculation is corroborated by the fact that when the second\r\nversion of Cerberus (v2) was released in May 2020, it did not introduce any major new features, except for the one\r\nto steal 2FA codes from Google’s authenticator app. The code of that feature is almost identical to that\r\nintroduced with the Alien Trojan in February 2020. This indicates that at that time, the developer behind the\r\nCerberus Trojan had access to, and might have been responsible for the development of, the Alien code.\r\nThe code of the Google Authenticator 2FA stealer of the Alien Trojan is visible in the following snippet:\r\npublic final void sniffAuthenticator(AccessibilityService serv, AccessibilityEvent event, String currPackage) {\r\n try {\r\n if (Build.VERSION.SDK_INT \u003e= 18 \u0026\u0026 (currPackage.contains(\"com.google.android.apps.authenticator2\"))) {\r\n A11yUtils.utils.log(\"run\", t \"com.google.android.apps.authenticator2\");\r\n if (event.getSource() == null) {\r\n return;\r\n }\r\n String athenticatorContent = \"\";\r\n Iterator nodes = A11yUtils.getByMask(event.getSource(), \"android.view.ViewGroup\").iterator();\r\n int idx = 0;\r\n while (nodes.hasNext()) {\r\n Object currObj = nodes.next();\r\n AccessibilityNodeInfo currNode = (AccessibilityNodeInfo) currObj;\r\n String local = athenticatorContent;\r\n int idxCh;\r\n for (idxCh = 0; idxCh \u003c currNode.getChildCount(); ++idxCh) {\r\n AccessibilityNodeInfo child = currNode.getChild(idxCh);\r\n if (child.getText() != null) {\r\n A11yUtils.utils.log(\"Line: \" + idx + \", index: \" + idxCh, child.getText().toString());\r\n local = local + \"Line: \" + idx + \", index: \" + idxCh + \", text: \" + child.getText().toSt\r\n }\r\n }++idx;\r\n athenticatorContent = local;\r\n }\r\n if (!athenticatorContent.isEmpty()) {\r\n A11yUtils.utils.appendPrefs(serv, this.strings.AS, \"Logs com.google.android.apps.authenticator2:\r\n return;\r\n }\r\n }\r\n } catch (Exception unused_ex) {\r\n 
return;\r\n}\r\n}\r\nThe code of the Google Authenticator 2FA stealer of the Cerberus Trojan is visible in the following snippet:\r\npublic void logAuthenticator(AccessibilityService parent, AccessibilityEvent event, String currentApp) {\r\n try {\r\n if (Build.VERSION.SDK_INT \u003e= 18 \u0026\u0026 (currentApp.contains(\"com.google.android.apps.authenticator2\"))) {\r\n this.log(\"run\", \"com.google.android.apps.authenticator2\");\r\n if (event.getSource() == null) {\r\n return;\r\n }\r\n String logs = \"\";\r\n Iterator groupIter = Utils.getElemByMask(event.getSource(), \"android.view.ViewGroup\").iterator();\r\n int paramIdx = 0;\r\n while (groupIter.hasNext()) {\r\n Object groupObj = groupIter.next();\r\n AccessibilityNodeInfo group = (AccessibilityNodeInfo) groupObj;\r\n String log = logs;\r\n int idx;\r\n for (idx = 0; idx \u003c group.getChildCount(); ++idx) {\r\n AccessibilityNodeInfo child = group.getChild(idx);\r\n if (child.getText() != null) {\r\n this.log(\"params1: \" + paramIdx + \", params2: \" + idx, child.getText().toString());\r\n log = log + \"params1: \" + paramIdx + \", params2: \" + idx + \", params3: \" + child.getText\r\n }\r\n }++paramIdx;\r\n logs = log;\r\n }\r\n if (!logs.isEmpty()) {\r\n this.appendShPr(parent, this.string.logTag, \"Logs com.google.android.apps.authenticator2: \\\\n\" +\r\n }\r\n }\r\n } catch (Exception unused_ex) {}\r\n}\r\nThe Alien malware\r\nAs described in previous sections, the Alien malware is a rented banking Trojan which offers more than the\r\naverage capabilities of Android banking Trojans. It has common capabilities such as overlay attacks, controlling and\r\nstealing SMS messages, and harvesting the contact list. It can leverage its keylogger for any use and therefore broaden\r\nthe attack scope further than its target list. It also offers the possibility to install, start and remove applications\r\nfrom the infected device. 
Most importantly, it offers a notifications sniffer, allowing it to get the content of all\r\nnotifications on the infected device, and a RAT (Remote Access Trojan) feature (by abusing the TeamViewer\r\napplication), meaning that the threat actors can perform the fraud from the victim’s device.\r\nThe complete list of features of Alien is as follows:\r\nOverlaying: Dynamic (Local injects obtained from C2)\r\nKeylogging\r\nRemote access\r\nSMS harvesting: SMS listing\r\nSMS harvesting: SMS forwarding\r\nDevice info collection\r\nContact list collection\r\nApplication listing\r\nLocation collection\r\nOverlaying: Targets list update\r\nSMS: Sending\r\nCalls: USSD request making\r\nCalls: Call forwarding\r\nRemote actions: App installing\r\nRemote actions: App starting\r\nRemote actions: App removal\r\nRemote actions: Showing arbitrary web pages\r\nRemote actions: Screen-locking\r\nNotifications: Push notifications\r\nC2 Resilience: Auxiliary C2 list\r\nSelf-protection: Hiding the App icon\r\nSelf-protection: Preventing removal\r\nSelf-protection: Emulation-detection\r\nArchitecture: Modular\r\nDifferentiating between Alien and Cerberus\r\nWith two malware families originating from the same code base, we thought it would be useful for the community\r\nto be able to distinguish the Trojans. The easiest way to distinguish them is by comparing the C2 protocols. The Alien C2\r\nrequests are built as follows:\r\nSource: https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html"
	],
	"report_names": [
		"alien_the_story_of_cerberus_demise.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434233,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9777bcb38c43d8db2315bc1498b9f9c06b5dd14.pdf",
		"text": "https://archive.orkl.eu/b9777bcb38c43d8db2315bc1498b9f9c06b5dd14.txt",
		"img": "https://archive.orkl.eu/b9777bcb38c43d8db2315bc1498b9f9c06b5dd14.jpg"
	}
}