Apps on Google Play Tainted with Cerberus Banker Malware

The official Android app market has traditionally been regarded as a safe place to install applications from. Every once in a while, remarkably malicious apps slip right through and start wreaking havoc before they’re spotted and retired.

Today’s blog post focuses on several utility apps that look innocent at a glance, but whose real purpose is to download and enable various banker Trojans on the device and lend hackers a hand into emptying victims’ accounts.

The apps in question were spotted on Google Play by some of our machine learning algorithms. The apps belong to different categories, but most of them are marketed as health and sports companions. Their presence on Google Play dates back to February this year, but the most recent ones were published just days ago. At the moment of writing this report, several samples are still available on third-party stores. The apps vary in popularity, with the more popular ones having been downloaded more than 10,000 times. 

Bitdefender detects this threat as Android.Trojan.Downloader.UT.

Behavior

To some extent, these applications ship with the advertised functionality. However, under the hood, they communicate with a server and, if some prerequisites are met, the server decides whether to allow the app to download a malicious APK or not. If the APK is made available, the application will try to lure the user into granting it Accessibility rights. If the service is enabled, the app will install the payload and attempt to enable the payload’s accessibility service through it.

Sponsorships Available

Sponsorships Available

Sponsorships Available

The apps have a specific way of communicating with the server. Information about the device (such as the country, the package name, the build version release, and the build model) is sent to the server as an app registration request, and an app token is sent back. This token will be used in all subsequent requests to the server. Depending on this, the app will receive from the server a link to the APK file to be downloaded later.

{"id": 1234567, "method": "app.register", "params": {"package": "com.yourweather.app", "device": "Android", "model": "Samsung Galaxy Nexus", "country": "en-US"}, "jsonrpc": "2.0"}

Initial request mock example

The same CnC provides different APKs at different times, possibly due to different configurations being sent to the server. We conclude that the malware authors might have a selection process to determine what users should get the banker or when they should get it, making the downloaded APKs harder to trace and even possibly target it toward specific profiles.

The initial apps have the sole purpose of trying to download the payload app. After the payload app has been installed, the original one will enable accessibility services for the second app. Interestingly, once the downloaded APK has been installed and its accessibility service is enabled through the original app’s accessibility control, the latter will disable its own accessibility abilities to avoid raising any suspicions and will continue to work as described in the application’s description on Play Store.

At this point, the first app is no longer of interest, and the second app takes charge of the device’s infestation instead. The droppers continue to offer the neither good nor terrible features advertised on Google Play. It will keep listening for certain intents (e.g., BOOT_COMPLETED) and can even hide their launcher if all the prerequisites are met.

The downloaded apps that we interacted with are various banking malware applications in the Cerberus family. Since they had already received accessibility permissions, they proceed to give themselves all the needed permissions, set themselves as device admins, and even as default SMS apps. From there on, the payload application has full control over the device.

Versions 

The apps can be divided into two categories, despite the main dropper functionality being very similar.

V1: com.radiofun.app and me.maxdev.popularmoviesapp

The first version of the malware, which is less obfuscated and mainly uses Base64 for encryption. The early versions of these apps offered a simpler communication interface and even lacked the second version’s registration process. It dates back to February 2020.

V2: the others

The second version of the malware. It uses a different obfuscation technique and has made its first appearance in the wild in June 2020. It is stripped of most debugging information present in version 1. Communication with the server is more advanced, allowing for better control of the payload installation.

Origin

Presumably, in order to hinder investigations, the malware authors publish the malicious apps through several different developer accounts. 

A vague pattern can be noted among the email addresses, which consist of a name, a surname and a number registered on Gmail.

While most of the command and control servers don’t have any meaningful webpages available, one of them hosts a work-in-progress site for a home management provider from Kiev, Ukraine.

https://positivefitness[.]club/landing/news/5f2463e1bbc5c5e5d

The official site of the provider can be found at https://djek.org/.
Another server, loversfinder[.]xyz, hosts a page with the infamous Cerberus mobile user interface, tweaked a bit for Russian speakers.

Given these pages, as well as some Russian language strings found in the oldest versions of the malware family and the fact that the only developer whose name matches the email address is clearly Slavic (Vladimirova), we can make an educated guess that the authors are probably of Eastern Slavic origin.

Telemetry

The droppers are most popular in Europe, particularly in Spain, but our telemetry shows that they are also spread across the US and Australia as well.

Appendix – Indicators of Compromise