Cerberus trojan flies under the COVID-19 flag

Since the beginning of the COVID-19 pandemic, cyber criminals and malware actors have taken advantage of the general panic, fear and thirst for information to come up with different tactics to distribute malware and infect the user’s devices.

Such is the case of “Corona-Apps.apk” variant of the Cerberus banking trojan. Usually spread via phishing campaigns, Corona-Apps.apk uses its connection with the actual virus name to trick users into installing it on their smartphones. This trojan primarily focuses on stealing financial data such as credit card numbers. In addition, it can use overlay attacks to trick victims into providing personal information and can capture two-factor authentication details.

This is not an isolated, individual case as similar infection vectors have been seen in the wild.

Uncovering the Cerberus trojan

The infection saga begins when a device user downloads the app from the URL “hxxp://corona-apps[.]com/Corona-Apps.apk”. Because there is no interface, this URL is most likely used on other platforms and phishing attempts as a hyperlink.

Figure 1: The empty website, with the warning from the browser

After the first warning, the user is prompted with a second one from the operating system, regarding the danger of installing applications from unknown sources. When the user continues in the installation process, they will be prompted with the following screen:


Figure 2: The install prompt of the “Corona-Apps.apk”

Unlike the older version of Cerberus, this one doesn’t hide its icon from the screen. It does, however, bombard the user with a notification every 10 seconds:


Figure 3: Notification asking for accessibility service privilege and the prompt

Notification requests will only stop only after the user uninstalls it or gives it accessibility service privilege. On top of that, it will ask for permission to access photos and media on the device, manage phone calls and sms messages, and have access to contacts.

Once the permissions are received, the app will start communicating with its Command & Control center, signaling that a new device is part of the botnet, sending data about the device, and downloading the payload file called RRoj.json.

After some time, the real goal of the trojan is uncovered when a SQLite database file called Web Data is placed on the device for holding and exfiltrating detailed credit card data held on the device:


Figure 4: The DB file used to store the credentials and the content of the “credit_cards” table

Uninstalling Corona-Apps.apk

After the app has been given full control of the device, the only way to remove it is to force stop the app and then subsequently uninstall it. If the user tries to uninstall it directly, the uninstall prompt will flash for a second and then disappear, not giving the user enough time to interact with the prompt.

Living safe in a time of pandemic malware

In conclusion, the desire for timely information is a proven effective hook for cybercriminals and phishing schemes. But they don’t have to catch you. Here are 4 easy steps for greater online security:

  1. Think before you click. That new app/news site/dashboard might be different than you thought.
  2. Stay in Play. Never download and install applications from outside the official Google Play market
  3. Listen. Your device will warn you when it’s installing a new app.
  4. Install a certified and tested anti-virus solution. The free Avira Antivirus 2020 makes it easy and detects this malware as ANDROID/Dropper.FRYX.Gen.

IOCs and technical information:

Distribution hxxps://corona-apps[.]com/Corona-Apps.apk
hxxp://corona-apps[.]com/Corona-Apps.apk
hxxps://corona-apps[.]com/
hxxp://corona-apps[.]com/
C&C botduke1.ug
Telegram t.me/botduke1
Payload
(SHA-256) 6A22EEA26C63F98763AA965D1E4C55A70D5ADF0E29678511CF303CB612395DF0
Sample
(SHA-256) 93288d18a7b43661a17f96955abb281e61df450ba2e4c7840ce9fd0e17ab8f77

This post is also available in: GermanFrenchSpanishItalianPortuguese (Brazil)