A never-before-seen Android banking trojan, dubbed Cerberus, is being rented out on underground forums by a threat group that likes to engage with the defense community publicly via Twitter.
According to a Tuesday posting from ThreatFabric, Cerberus isn’t based on the leaked Anubis source code that underpins many new trojans on the market. Its authors claim that it’s completely bespoke, with no code re-use, and it comes with infrastructure support. That offers an important differentiator, according to the researchers, given that the Android banking trojan market is in a transition phase.
“After the actor behind [the previously dominant] RedAlert 2 [trojan] decided to quit the rental business, we observed a surge in Anubis samples in the wild. After the Anubis actor was allegedly arrested and the source code was leaked there was also huge increase in the number of Anubis samples found in the wild, but the new actors using Anubis have no support or updates. Due to this, Cerberus will come in handy for actors that want to focus on performing fraud without having to develop and maintain a botnet and command-and-control (C2) infrastructure.”
Cerberus sets itself apart in a couple of ways. For one, it uses an interesting method to determine that it’s not running in a sandbox environment: It uses the device’s accelerometer sensor to measure movements of the victim with a pedometer function; researchers said that it uses the step-counter to activate the bot once it hits a preconfigured threshold.