Bitcoin Forum
Topic: {Warning}: Cerberus Android Malware Can Bypass 2FA, Unlock Devices Remotely
Baofeng (OP)
February 29, 2020, 10:05:40 PM
Merited by TravelMug (1), hosseinimr93 (1), CryptoYar (1)
#1

The trojan has been upgraded with new functionality to bypass 2FA.

Quote
The Cerberus banking Trojan that appeared on the threat landscape end of June 2019 has taken over from the infamous Anubis Trojan as major rented banking malware. While offering a feature-set that enables successful exfiltration of personally identifiable information (PII) from infected devices, Cerberus was still lacking features that could help lowering the detection barrier during the abuse of stolen information and fraud. Mid-January 2020, after new-year celebrations, Cerberus authors came back with a new variant that aimed to resolve that problem, a RAT feature to perform fraud from the infected device.

This new Cerberus variant has undergone refactoring of the code base and updates of the C2 communication protocol, but most notably it got enhanced with the RAT capability, possibility to steal device screen-lock credentials (PIN code or swipe pattern) and 2FA tokens from the Google Authenticator application.

https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

We all know that we use 2FA more frequently now, especially to secure our exchange accounts. But it seems there could be a trojan on the horizon that can bypass it.

Although the research says it is not yet advertised on darkweb forums, it could be released soon. We should be very, very careful now and use every safe practice in the book.



https://twitter.com/ThreatFabric/status/1230537382090293248/photo/1

JeromeTash
February 29, 2020, 11:43:17 PM
#2

It seems I have not been following this Android malware stuff for a while. I wanted to know: is there any information about the apps that could be infected or associated with the said malware?

To some extent I think it's safe for users to go for unpopular operating systems for security purposes, since they have a low user base, so hackers have less interest in creating malware for them.

This is why Linux is less threatened compared to Windows, and iOS compared to Android.

Chikito
March 01, 2020, 02:00:09 AM
#3

For people who like to trade on exchanges and have an account with lots of crypto in it, it is necessary to have a special offline mobile phone for 2FA.

If, looking in a chest of drawers, you find a dormant cellphone, it is better to use it for 2FA only. The first thing to do is reset it to factory settings and download a 2FA auth app.

Don't put it online again; keep it offline forever to avoid malware being injected.

Baofeng (OP)
March 01, 2020, 06:24:07 AM
#4

Quote from: JeromeTash
It seems I have not been following this Android malware stuff for a while. I wanted to know: is there any information about the apps that could be infected or associated with the said malware?

It wasn't on the crypto radar because the first release of the trojan targeted banking applications. But it was soon discovered that some bad actors have created a new strain/variant that has evolved beyond stealing banking information: it now has the capability to attack crypto accounts as well, especially since we use 2FA to protect our exchange accounts. Maybe we will see more investigations coming in the next month or so, when cyber investigators have the blueprint of how this evolving trojan works on crypto-related stuff.

hugeblack
March 01, 2020, 07:10:48 AM
#5

How do you consider 2FA authentication an option to protect your account while you are downloading the app in an unprotected program?!

I don't know how easy it is for a hacker to obtain the data, but even if it is not protected, your use of a device connected to the Internet poses risks.
Saint-loup
March 02, 2020, 10:55:33 PM
Last edit: March 02, 2020, 11:21:13 PM by Saint-loup
#6

Quote from: hugeblack
How do you consider 2FA authentication an option to protect your account while you are downloading the app in an unprotected program?!

I don't know how easy it is for a hacker to obtain the data, but even if it is not protected, your use of a device connected to the Internet poses risks.

Yes, I agree, so a good way to avoid that is to disconnect from the internet...
The malware doesn't seem to be able to steal the seeds; it only captures the OTP codes displayed by the app on the screen.
So a good way to neutralize this malware is to put your smartphone into airplane mode when you're using the app, and to leave it in this mode for 2 or 3 minutes, until the OTP codes become obsolete and unusable.

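As an added example (not code from the thread, from Google, or from ThreatFabric's research), the block below implements RFC 6238 TOTP the way the Google Authenticator app computes its codes (HMAC-SHA1, 30-second step, 6 digits) and models a server that checks a submitted code, to put a number on Saint-loup's point that a code scraped off the screen goes stale. The secret and timestamps are the published RFC 4226/6238 test values; the server tolerance of one step of clock skew on either side is an assumption, since every service picks its own.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # time step Google Authenticator uses (RFC 6238 default)
DIGITS = 6          # length of the code shown on screen


def secret_from_base32(s: str) -> bytes:
    """Decode an Authenticator-style base32 secret; tolerates case, spaces, and
    the padding that otpauth:// URIs and QR codes leave out."""
    cleaned = "".join(s.split()).upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> bool:
    """Server-side check. Accepts the current step plus `window` steps on each
    side (assumed tolerance); constant-time compare so timing leaks nothing."""
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


def replay_outcomes(secret: bytes, captured_at: int,
                    offsets=(0, 30, 60, 90, 120, 180), window: int = 1) -> dict:
    """Model the attack from the thread: the malware reads the code displayed at
    `captured_at` and an operator submits it `offset` seconds later.
    Returns {seconds_after_capture: accepted}."""
    stolen = totp(secret, captured_at)
    return {off: verify_totp(secret, stolen, captured_at + off, window)
            for off in offsets}


if __name__ == "__main__":
    # RFC 6238 reference secret "12345678901234567890", written the way an
    # Authenticator enrolment would present it (constructed sample, not a real key).
    key = secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    t0 = 59   # RFC 6238 test time: the 8-digit code is 94287082, so 6 digits give 287082
    print("code displayed at t=59:", totp(key, t0))
    for delay, ok in replay_outcomes(key, t0).items():
        print(f"replayed {delay:>3}s after capture: {'ACCEPTED' if ok else 'rejected'}")
```

With the assumed one-step tolerance, the scraped code is accepted only until the end of the step after the one it was generated in, so it is dead at most 60 seconds after capture; the 2 or 3 minutes in the post also covers servers that tolerate more skew. The bound only applies to replay of a code that was already read off the screen: the seed stays on the phone, so any code generated once the phone is back online is exposed in exactly the same way.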