ErrorFather Hackers Attacking Android Users To Take Control Of Device


Cerberus is an advanced Android banking trojan that emerged in 2019, primarily designed to steal sensitive “financial information.”

This sophisticated trojan is commonly distributed via “malicious apps” and “phishing campaigns.”

Cybersecurity analysts at Cyble recently discovered the “ErrorFather” campaign that has been found using an undetected “Cerberus” Android trojan payload.

The Cerberus Android Banking Trojan has evolved into several variants like “Alien,” “ERMAC,” and “Phoenix.” 

In 2024, a new campaign called “ErrorFather” emerged that has been found using Cerberus’ source code with significant modifications. 

ErrorFather Hackers Attacking Android Users

This campaign employs a sophisticated “multi-stage” dropper technique to evade detection. The initial dropper is disguised as “legitimate apps” like “Chrome” or “Play Store,” which installs a “second-stage APK file” named “final-signed.apk.” 

This second stage uses a native library (“libmcfae.so”) to decrypt and execute the final payload (“decrypted.dex”). This final payload contains the “core malicious functionalities.” 
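The two-stage layout described above (a dropper carrying “final-signed.apk”, which in turn carries the native library “libmcfae.so”) is something a defender can check for statically, because an APK is just a zip archive. The following triage script is an added example written for this article, not code from Cyble or from the malware: it builds a constructed, harmless stand-in for such a package in memory (only the file names come from the report; the byte contents are dummy headers), then walks the outer archive, recurses into any nested APK, and lists every .apk, .dex and .so it finds with its depth and SHA-256.

```python
import hashlib
import io
import zipfile

# File names reported for the campaign's second stage and native decryption library.
KNOWN_STAGE_NAMES = {"final-signed.apk", "libmcfae.so"}
INTERESTING_SUFFIXES = (".apk", ".dex", ".so")


def build_sample_dropper() -> bytes:
    """Constructed two-stage sample, built in memory so the triage runs offline.

    Only the file names come from the report; the contents are dummy headers,
    not the real malware.
    """
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        z.writestr("lib/arm64-v8a/libmcfae.so", b"\x7fELF" + b"\x00" * 32)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        z.writestr("assets/final-signed.apk", inner.getvalue())
        z.writestr("res/drawable/icon.png", b"\x89PNG" + b"\x00" * 16)
    return outer.getvalue()


def triage_apk(data: bytes, depth: int = 0, max_depth: int = 3) -> list[dict]:
    """Walk an APK (a zip) and list embedded code artefacts, recursing into nested APKs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            name = info.filename
            if info.is_dir() or not name.lower().endswith(INTERESTING_SUFFIXES):
                continue
            content = z.read(name)
            findings.append({
                "depth": depth,
                "name": name,
                "size": len(content),
                "sha256": hashlib.sha256(content).hexdigest(),
                "known_stage_name": name.rsplit("/", 1)[-1] in KNOWN_STAGE_NAMES,
            })
            # A nested APK is itself a zip: descend into it (bounded, to survive zip bombs).
            if (name.lower().endswith(".apk") and depth < max_depth
                    and zipfile.is_zipfile(io.BytesIO(content))):
                findings.extend(triage_apk(content, depth + 1, max_depth))
    return findings


def is_multistage(findings: list[dict]) -> bool:
    """True when the package carries a nested APK that itself ships native code."""
    return any(f["depth"] >= 1 and f["name"].endswith(".so") for f in findings)


if __name__ == "__main__":
    for f in triage_apk(build_sample_dropper()):
        flag = " <-- reported stage name" if f["known_stage_name"] else ""
        print(f"depth={f['depth']} {f['name']} {f['size']}B sha256={f['sha256'][:16]}...{flag}")
```

Run it against a real sample by replacing `build_sample_dropper()` with the bytes of the APK under analysis; a nested APK that ships a native library is the structural signature worth alerting on, independent of the file names, which a future variant can change at will.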

The core functions include:-

  • Keylogging
  • Overlay attacks for credential theft
  • VNC (Virtual Network Computing) for remote control, using MediaProjection
  • PII (Personally Identifiable Information) collection

The malware communicates with its C&C servers using RC4 encryption for data transmission. 
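RC4 is a symmetric stream cipher, so an analyst who recovers the key from the decrypted payload can read captured C&C traffic with the same routine the bot uses. The block below is an added example, not code from Cyble or from the Cerberus/ErrorFather code base: a textbook RC4 implementation checked against a public test vector, plus a decoder for a constructed JSON beacon. The key, the message fields and the JSON framing are assumptions for illustration; the campaign's real key and message layout are not published in the article.

```python
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key scheduling (KSA), then keystream generation (PRGA).

    The keystream is XORed with the data, so the same call encrypts and decrypts.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed values: the campaign's real key and message layout are not in the article.
SAMPLE_KEY = b"constructed-example-key"
SAMPLE_EVENT = {"bot": "constructed-bot-id", "type": "ping", "payload": "placeholder"}


def encode_beacon(key: bytes, event: dict) -> bytes:
    """Model of a bot-to-C&C message: JSON, RC4-encrypted (assumed framing)."""
    return rc4(key, json.dumps(event, sort_keys=True).encode("utf-8"))


def decode_beacon(key: bytes, blob: bytes) -> dict:
    """Analyst side: decrypt a captured blob with a recovered key and parse the JSON.

    A wrong key yields bytes that are not valid UTF-8/JSON, which surfaces as ValueError
    (UnicodeDecodeError and JSONDecodeError are both subclasses of ValueError).
    """
    plaintext = rc4(key, blob)
    try:
        return json.loads(plaintext.decode("utf-8"))
    except ValueError as exc:
        raise ValueError("not a valid beacon under this key (wrong key or different framing)") from exc


if __name__ == "__main__":
    # Public RC4 test vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3
    print(rc4(b"Key", b"Plaintext").hex())
    captured = encode_beacon(SAMPLE_KEY, SAMPLE_EVENT)
    print(decode_beacon(SAMPLE_KEY, captured))
```

Because RC4 has no integrity protection and reuses the keystream for every message encrypted under the same key, two captured beacons XORed together cancel the keystream and leak the XOR of their plaintexts; that weakness is what makes the scheme tractable for analysts and is a reason the cipher is deprecated for legitimate use.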

DGA used in the ErrorFather campaign (Source – Cyble)

Notably, it implements a DGA that uses the “Istanbul timezone” to create backup C&C domains with extensions like “.click”, “.com”, “.homes”, and “.net”. 

This approach helps the malware maintain persistence even if primary C&C servers are taken down, Cyble said.
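Because the article reports the TLD set (“.click”, “.com”, “.homes”, “.net”) and the Istanbul-timezone seeding but not the generation algorithm itself, a defender cannot pre-compute the domains; what can be done is hunt resolver logs for generated-looking names on those TLDs and group them by the Istanbul-local date, so that domains seeded from the same day fall together even when they straddle a UTC midnight. The block below is an added example written for this article, not Cyble's tooling: the log format, the sample log lines and the scoring heuristic are constructed for illustration, and the heuristic will need tuning on real data.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Turkey has kept permanent UTC+3 since 2016, so a fixed offset stands in for
# the Europe/Istanbul zone without needing a tz database.
ISTANBUL = timezone(timedelta(hours=3), name="Europe/Istanbul")

# TLDs the article lists for the campaign's backup C&C domains.
DGA_TLDS = {"click", "com", "homes", "net"}

# Constructed resolver log (not real traffic): "<UTC time> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2024-10-10T22:15:03Z 10.0.0.5 play.google.com A
2024-10-10T22:15:09Z 10.0.0.5 stackoverflow.com A
2024-10-10T22:16:41Z 10.0.0.5 kq8sd3jf92ls0dk.click A
2024-10-10T22:16:42Z 10.0.0.5 kq8sd3jf92ls0dk.click AAAA
2024-10-10T22:17:10Z 10.0.0.5 zx7r1pq0wmnb4tv.homes A
2024-10-11T00:02:55Z 10.0.0.7 x9q2kd7mzp4rlw1s.net A
"""


def shannon_entropy(label: str) -> float:
    """Bits per character of a label; random-looking labels score higher than words."""
    if not label:
        return 0.0
    counts = {c: label.count(c) for c in set(label)}
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())


def dga_score(label: str) -> int:
    """Heuristic 0-4 'looks generated' score (illustrative; not the campaign's DGA)."""
    if not label:
        return 0
    score = 0
    if shannon_entropy(label) >= 3.0:
        score += 1
    if sum(c.isdigit() for c in label) / len(label) >= 0.2:
        score += 1
    if len(label) >= 12:
        score += 1
    # Long vowel-free runs are rare in real words but typical of generated labels.
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", label)), default=0)
    if longest_run >= 5:
        score += 1
    return score


def find_dga_candidates(log_text: str, threshold: int = 3) -> dict[str, list[str]]:
    """Flag queries for DGA-looking domains on the listed TLDs, grouped by the
    Istanbul-local date so domains seeded from the same day land together."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, _client, qname, _qtype = fields[:4]
        parts = qname.rstrip(".").lower().split(".")
        if len(parts) < 2:
            continue
        label, tld = parts[-2], parts[-1]  # assumes single-label TLDs
        if tld not in DGA_TLDS or dga_score(label) < threshold:
            continue
        utc = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        day = utc.astimezone(ISTANBUL).date().isoformat()
        hits[day].add(f"{label}.{tld}")
    return {day: sorted(domains) for day, domains in sorted(hits.items())}


if __name__ == "__main__":
    for day, domains in find_dga_candidates(SAMPLE_LOG).items():
        print(day, domains)
```

On the constructed log, the three generated-looking names are queried at 22:16 and 22:17 UTC on the 10th and 00:02 UTC on the 11th, yet all three group under the Istanbul date 2024-10-11, while play.google.com and stackoverflow.com fall below the threshold. A real deployment would replace the scoring heuristic with an allowlist of known domains plus a trained classifier, and would correlate the flagged queries with NXDOMAIN rates, since a bot cycling through unregistered backup domains produces bursts of failed lookups.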

The ErrorFather campaign demonstrates how banking trojans continue to evolve, using “advanced obfuscation techniques” and “modular structures” to evade security measures and target financial and social media applications.

ErrorFather Telegram bot (Source – Cyble)

Key features include a “Telegram bot” named “ErrorFather” for C&C communication, and the use of WebSocket connections for VNC functionality. 

The malware’s overlay technique targets specific applications by retrieving “HTML injection pages” to create convincing “phishing overlays.” 

HTML injection page (Source – Cyble)

While the threat actor has made minor modifications, such as changing “Actions” to “Types,” the core functionality remains similar to the original Cerberus code.

This campaign exemplifies how cybercriminals continue to exploit leaked malware source code by adapting tools like ‘Cerberus,’ ‘Alien,’ ‘ERMAC,’ and ‘Phoenix’ for ongoing attacks. 

Despite being based on older malware, the success of “ErrorFather” in evading detection highlights the “persistent risk” posed by “retooled malicious software.”

Recommendations

Below we have listed the recommendations:-

  • Use official app stores.
  • Install reputable antivirus.
  • Use strong passwords & multi-factor authentication.
  • Enable biometric unlock.
  • Avoid suspicious links.
  • Activate Google Play Protect.
  • Be cautious with app permissions.
  • Keep devices and apps updated.
