Attackers infected more than 75% of a multinational conglomerate's managed Android devices with the Cerberus banking trojan using the company’s compromised Mobile Device Manager (MDM) server.
MDM (also known as Enterprise Mobility Management - EMM) is a mechanism used by companies of all sizes to enroll enterprise-owned devices with the same management server to make it easier to perform tasks such as delivering company-wide device configurations, deploying applications, and more.
The Cerberus banking trojan was first spotted in June 2019 and it uses a Malware-as-a-Service (MaaS) business model allowing clients who rent their services to drop their payloads, as well as configure and control devices compromised during their attacks.
Once deployed onto an Android device, Cerberus can be used by the attackers to steal a wide range of highly sensitive information including but not limited to call logs, text messages, credentials, Google Authenticator 2FA codes, phone unlocking patterns, as well as to collect info on installed apps and log keystrokes.
After the attackers successfully compromised the unnamed company's MDM server following a targeted attack, they used it to remotely deploying the banking trojan malware on over 75% of all managed Android devices as Check Point security researchers discovered.