What Is It?

A variant of the Cerberus banking trojan has been used in a targeted attack on a multinational organization’s mobile phones. Yet, the approach is completely new. Researchers at Proofpoint described an incident where the organization’s Mobile Device Manager (MDM) server was compromised and then used by attackers to infect their Android powered mobile devices with the Cerberus banking trojan. Researchers stated they had not previously seen an MDM server used as the attack vector for mobile malware.

When first executed, Cerberus displays a window purporting to be an update to the Accessibility service. This window will be redisplayed until the user accepts the update. Using the permissions granted to it, the malware is then able to automatically select menu options and bypass user interaction. The malware contacts its command and control server (C2) server to receive commands to upload details regarding the infected device, stolen data and credentials.

Currently, the organization’s MDM server was compromised by unknown means. With control of the MDM server, the attackers quickly began deploying Cerberus and infected 75% of the organization’s Android devices. As Cerberus malware is capable of sending all credentials used on an infected device to the C2, the organization made the decision to factory reset all its mobile devices enrolled with the compromised MDM server. Despite the financial implications of this decision – in terms of the time, resources and lost productivity – this was the only option available to ensure that all traces of the compromise and subsequent infections were removed.

Centralized management of all endpoint devices is commonplace due to the numerous advantages it provides when attempting to manage a large number of devices within a corporate environment. However, there is one significant disadvantage to this approach. If the management server is compromised, all those managed devices are now vulnerable to compromise via software update servers. Most notably, the initial propagation method for the devastating NotPetya malware in 2017 was a software update for a Ukrainian tax accounting product.

First released in June 2019, Cerberus is available to attackers using the highly popular MaaS (Malware as a Service) model. The new variant used in this MDM distribution attack extends the original banking trojan’s capabilities to include RAT (Remote Access Trojan). Cerberus gives attackers access to numerous sensitive information, such as text messages, credentials, call logs, Google Authenticator codes, details on installed applications, the phone unlocking patterns and logs all keystrokes. Full remote access to the infected device is also possible using the TeamViewer app.

How Does It Propagate?

In this case, the Cerberus variant was distributed by the organization’s own compromised MDM server.

When/How Did BluVector Detect It?

Three publicly available Android samples of the Cerberus banking trojan were listed as IOCs and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected 71 months prior to their release.