A new sophisticated malicious campaign is using an undetected Cerberus Android banking Trojan payload, according to cybersecurity provider Cyble.
In a new report published on October 14, Cyble Research and Intelligence Labs (CRIL) identified 15 malicious samples posing as Chrome and Play Store apps from mid-September through the end of October.
These samples use a multi-stage dropper to deploy a banking trojan payload, which was found to be leveraging the Cerberus banking Trojan.
The campaign, dubbed ErrorFather, is ongoing and appears to have ramped up in September and October 2024, suggesting the threat actor is looking to scale and target specific victims.
Cerberus Banking Trojan and Variants
Cerberus is an Android banking trojan that appeared on underground marketplaces in 2019.
It is designed to look like a legitimate app, but is actually a malicious program that can steal login credentials for banking apps, credit card details and other personal information.
Cyble researchers noted that the trojan’s ability to target financial and social media apps by exploiting the Accessibility service, using overlay attacks and incorporating virtual network computing (VNC) and keylogging features made it one of the most well-known banking Trojans.
In 2020, following the leak of Cerberus’ source code, a new variant called ‘Alien’ appeared, leveraging Cerberus’ codebase.
In 2021, another banking trojan called ‘ERMAC,’ also built on Cerberus’ code, was observed targeting over 450 financial and social media apps.
In early 2024, a new threat known as the Phoenix Android Banking Trojan was discovered.
“Claiming to be a fresh botnet, Phoenix was found being sold on underground forums. However, it was identified as yet another fork of Cerberus, utilizing its exact source code, whereas Alien and ERMAC had introduced some modifications,” Cyble researchers added.
Decoding the ErrorFather Campaign
The ErrorFather campaign is another example of Cerberus being repurposed, according to Cyble researchers.
“While the threat actor behind ErrorFather has slightly modified the malware, it remains primarily based on the original Cerberus code, making it inappropriate to classify it as entirely new malware,” they added.
ErrorFather employs a sophisticated infection chain involving multiple stages (session-based droppers, native libraries, and encrypted payloads), complicating detection and removal efforts.
Notably, the campaign utilizes a Telegram bot named ‘ErrorFather’ to communicate with the malware.
The final payload employs keylogging, overlay attacks, VNC, and a domain generation algorithm (DGA) to perform malicious activities.
The DGA, also used in a 2022 Alien campaign, ensures resilience by enabling dynamic command and control (C2) server updates, keeping the malware operational even if primary servers are taken down.
“Despite being an older malware strain, the modified Cerberus used in this campaign has successfully evaded detection by antivirus engines, further highlighting the ongoing risks posed by retooled malware from previous leaks,” noted the researchers.
The C2 server used for deploying ErrorFather is still active, suggesting the campaign is ongoing.
Cyble Mitigation Recommendations
Cyble’s recommendations to mitigate the ErrorFather campaign include:
- Downloading and installing software only from official app stores like Google Play Store or the iOS App Store
- Using a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops and mobile devices
- Using strong passwords and enforcing multi-factor authentication (MFA) wherever possible
- Enabling biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible
- Ensuring that Google Play Protect is enabled on Android devices