The $50,000 Android Banking Trojan:

Analysis of the Cerberus source code leak

Intro

Cerberus is a banking trojan that targets Google's Android operating system. It has many capabilities, including intercepting communications, tampering with device settings and keystroke logging (keylogging), and its primary purpose is stealing banking credentials. The trojan was first spotted in June 2019 by ThreatFabric analysts, when it was being leased out on forums. It targets users through malicious websites that ask the visitor to download certain apps in order to use the site; once the user installs the malicious app, it requests the permissions the trojan needs to run unhindered. The group has put effort into making sure antivirus apps do not detect the trojan, and in one of the tweets made through their Twitter handle they claimed 0 hits across a list of well-known antivirus applications. The source code leak was found on a forum after a failed auction in which the malware was being sold for around $100,000.

During the winter sale in 2019, the pricing for the Cerberus subscriptions was:

3 months — $3,500

6 months — $5,500

12 months — $9,000

The above pricing was confirmed in one of the tweets made through their official Twitter handle.

What is unique about this trojan is that its developers run an official Twitter handle for Cerberus, unlike other trojans. They posted one of their advertisements there, and according to it they have around 1,000,000+ APK installs!

The developers of the malware claim that Cerberus was coded from scratch and does not reuse the source code of any other malware, which sets this trojan apart from others.

The developers have also created an automated APK builder for the trojan to make the process easier for their clients.

The app builder asks for a URL connect, which I assume to be the C2 server address, the name the client wants to give the malicious app, the app icon and a few more inputs before the client finally clicks the build button. The image above is the actual APK builder used by the group, since they confirmed that in one of their tweets from 2019.

The trojan also has an admin panel, which has been under development since February 26 and has probably been released by now.

It contains the APK generator we discussed before, along with a few additional features such as bank logs, CC logs and mail logs, as well as sending SMS, sending USSD and forwarding calls.

Some of the things displayed through the admin panel are:

• Unique bot ID

• Android version

• country/language of the victim

• screen status

• last bot activity

• IP address

• Phone activity

• list of established banks

• Availability of bank logs, cards and emails etc.

The group also provides a public injection database; the injections probably serve as additional modules which a customer can use while harvesting the cards/credentials of a victim's bank account.

The above image was found on the group's Twitter handle. They seem to accept injections from clients as well as other people! These injections are stored in a database which customers can use according to their needs.

Source code Analysis

Presence of some unique entries in column names

The first interesting thing we find here is the presence of some unique entries among the column names of the bots table. The column names closely match the functionality of the malware we discussed earlier. It seems that the malware saves the data in this table first, and the data is then passed on to the command and control server/dashboard of the admin.

Presence of injections

The SQL file also contains multiple injections/modules. The trojan ships with some default modules which subscribers can use, and they can also expand the scope by adding new ones. The image above shows just one such module, and this one seems to target Instagram's Android app specifically. Other injections target mail applications, social media apps such as Snapchat and Imo, Uber and some other apps.

Okay, so let us now proceed to the code analysis of the malware. The source code is in the CERBERUS_V2 folder and contains the Java files as well as some other folders and files related to the trojan.

First of all, let us check the mod.java file inside the 'main' folder.

Uses a switch case statement for commands

The code at line no. 179 has a switch statement which checks for commands sent as input by the C2 server; each command is then passed to this RAT module's conditional statement. In the picture above we can see some of the cases involved, which provide functionality such as starting USSD, sending SMS, forwarding calls, pushing notifications, getting the contact list, getting installed apps, getting SMS received on the device, updating injects, opening URLs and opening injects/modules with the help of already defined functions.
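As an added example (not code from the leak or from the original post), here is a small Python triage helper that pulls the string case labels out of a decompiled command-dispatch switch like the one described above and maps them to capability buckets, so an analyst can flag a sample whose dispatcher spans telephony abuse, data theft and overlay handling at once. The Java fragment and its case labels are constructed placeholders, not the real identifiers from the Cerberus source.

```python
import re

# Constructed fragment imitating the shape of a C2 command dispatcher in a
# decompiled Android sample. The case labels are made-up placeholders, not
# the identifiers found in the Cerberus leak.
SAMPLE_JAVA = """
switch (command) {
    case "startUssd": runUssd(param); break;
    case "sendSms": sendSms(number, text); break;
    case "forwardCall": forwardCalls(number); break;
    case "pushNotification": showPush(title, text); break;
    case "getContacts": uploadContacts(); break;
    case "getInstalledApps": uploadApps(); break;
    case "getSms": uploadSmsLog(); break;
    case "updateInjects": fetchInjects(); break;
    case "openUrl": openUrl(url); break;
    case "openInject": openInject(pkg); break;
    default: break;
}
"""

# Capability buckets keyed by substrings expected in a lower-cased case label.
CAPABILITIES = {
    "telephony_abuse": ("ussd", "sendsms", "call"),
    "data_theft": ("contact", "installedapp", "getsms"),
    "overlay": ("inject",),
    "ui_control": ("push", "openurl"),
}

CASE_RE = re.compile(r'case\s+"([^"]+)"\s*:')


def extract_case_labels(java_src):
    """Return the string case labels of every switch in the source, in order."""
    return CASE_RE.findall(java_src)


def classify(labels):
    """Map each label to the capability buckets its name suggests."""
    found = {cap: [] for cap in CAPABILITIES}
    for label in labels:
        low = label.lower()
        for cap, needles in CAPABILITIES.items():
            if any(n in low for n in needles):
                found[cap].append(label)
    return {cap: v for cap, v in found.items() if v}


def triage(java_src, min_buckets=3):
    """Flag a source file whose dispatcher covers at least min_buckets buckets."""
    caps = classify(extract_case_labels(java_src))
    return {"capabilities": caps, "suspicious": len(caps) >= min_buckets}
```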

Updating the logs

The above image shows the code used for updating the logs of SMS received/sent, the keylogger and the contact list. What happens here is that the log is first stored in a String constant, which is then passed to a conditional statement (if/else) that makes sure the constant is not empty, after which the log is updated through the code inside that branch.

Presence of known constants

If we check the constants.java file in the same 'main' folder, we realize that the string constants defined here relate to the core functionality of the trojan and must be the ones used for logging the data, as seen in the previous code: the constants declared here are the ones used in the mod.java file.

Functions used for updating the log data

So now if we check the utils.java file we find all the functions that were being used for updating the log data in the mod.java file. This utils.java file contains all the functions referred to there, and as we can see the logs are sent as a JSON object, which is saved on the C2 server before finally being displayed through the admin dashboard.

Conclusion

by Umair Nehri

Cyber Security Research Intern

Andy InfoSec