Android banking trojans are nothing new, and Cerberus is just the latest in a long line of such malware to hit the headlines. Even the fact that Cerberus is being "rented out" on underground forums is not unique. This trojan uses people's worry about COVID-19 to steal financial data such as credit card numbers. It also uses overlay attacks to trick victims into providing personal information and can capture two-factor authentication details.

"Corona-Apps.apk" is a variant of the Cerberus banking trojan. Such variants are usually spread via phishing campaigns. Corona-Apps.apk uses its connection with the actual virus name to trick users into installing it on their smartphones.

By Bogdan Anghelache, specialist threat researcher, Avira Protection Labs

## Dynamic Analysis of Cerberus

### Behavior upon installation

The Corona-Apps.apk variant has a very aggressive behavior after installation. A high-level overview can be read on Avira's blog.

### Communication with the C&C server

After installation, network traffic can be seen between the application and the C&C server 'botduke1.ug'.

Figure 1: The traffic between the app and the C&C server

The application has a well-defined set of commands such as "info_device", "new_device", "saved_data_device" and "pause_attacker". The "info_device" command is requested every few seconds. This keeps the C&C server updated with the newest information about the device.

Figure 2: The application sends an "upgrade_n_patch" command which gets as response a chunk of binary data

## Static Analysis of Cerberus

### A quick look at the original manifest

This sophisticated trojan has a large AndroidManifest file: lots of receivers, activities, services, intent-filters etc. The code found in the distributed APK is the same in the majority of classes. Besides the heavily obfuscated package name, two activities that caught our attention were:

Why would such an app want to send and receive text messages, record audio, and read the user's contact list? The code is heavily obfuscated and has no real purpose other than to waste the analyst's time. Also notable is the fact that the path to the class names is not found: the root element qugyujzldpxqazyrqtc is not present on the left side, under "Source code".

Figure 3: The permissions; in the red box, the path to the classes not present in the Source Code view

### Analyzing the payload

The payload of this variant is a dex file named RRoj.json. When the payload is decompiled, it shows the obfuscated code of the malware. This reveals the class names which have been referenced in the distributed APK manifest file.

Figure 4: The path to the classes can be seen in the Source Code view of the dropped payload

### String decryption

Stage one: The function takes every 2 consecutive characters and converts them into digits in base 16. The first one is bitwise shifted to the left 4 times. The output byte is the sum of the 2 digits, as seen below. It means that the length of the output string is always half of the original one.

Figure 6: The first stage of the decryption

Stage two (RC4 cipher): The output from the previous function is passed to the RC4 cipher.
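To make the two-stage string decryption described above concrete for an analyst writing a string decoder, here is an added Python example (not code from the original article or from the malware): stage one turns each pair of base-16 characters into one byte by shifting the first digit left 4 times and summing it with the second, so the output is half the length of the input, and stage two passes that output through RC4. The key `example-key` and the sample plaintext are constructed for the demonstration; they are not values taken from the Cerberus sample, and the `encode_string` helper exists only to produce test input.

```python
"""Two-stage string decryption: base-16 pair decoding followed by RC4.

Added example for the analysis above. The key and sample string are
constructed for illustration and are not the malware's own values.
"""


def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling: build the 256-entry permutation from the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 keystream generation XORed over data; symmetric, so the same
    call both encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def stage_one(encoded: str) -> bytes:
    """Stage one: every 2 consecutive characters are base-16 digits; the
    first is shifted left 4 times and summed with the second to give one
    output byte, so the result is always half the length of the input."""
    if len(encoded) % 2:
        raise ValueError("encoded string length must be even")
    out = bytearray()
    for k in range(0, len(encoded), 2):
        hi = int(encoded[k], 16)      # raises ValueError on a non-hex char
        lo = int(encoded[k + 1], 16)
        out.append((hi << 4) + lo)
    return bytes(out)


def decrypt_string(encoded: str, key: bytes) -> str:
    """Stage one, then stage two (RC4), then decode the recovered text."""
    raw = stage_one(encoded)
    return rc4_crypt(key, raw).decode("utf-8")


def encode_string(plain: str, key: bytes) -> str:
    """Inverse of decrypt_string; used here only to build sample input."""
    return rc4_crypt(key, plain.encode("utf-8")).hex()


SAMPLE_KEY = b"example-key"   # constructed, not the sample's real key
SAMPLE_PLAIN = "info_device"  # one of the C&C command names from the text

if __name__ == "__main__":
    enc = encode_string(SAMPLE_PLAIN, SAMPLE_KEY)
    print(f"{enc} ({len(enc)} chars) -> {decrypt_string(enc, SAMPLE_KEY)!r}")
```

Because RC4 is symmetric, the same routine serves to re-encode strings when checking a recovered key against other obfuscated constants in the dex; an odd-length input, which the described scheme cannot produce, is rejected rather than silently truncated.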