Data Security

Nasty Cerberus banking trojan found on Google Play Store

Cerberus banking trojan was found in a currency converter app after Google’s Play Protect mechanism failed to identify the threat.

The infamous Cerberus banking trojan has been discovered stealing user’s banking credentials via a Spanish currency converter app (Calculadora de Moneda) available on Google Play store. The malicious application had already been downloaded 10,000 times since March.

The currency-converter application riddled with nasty Cerberus would steal users’ bank account details and furthermore, bypass all security measures including two-factor authentications. Prior to this, Cerberus inculcated email phishing overlay to extract credit card information, banking credentials, and other sensitive yet confidential information.

Cerberus infiltrates showing stealth capabilities

The Mobile Threat Labs team at Avast discovered that the infiltration was done in stages. Cerberus banking trojan, before starting any malicious activity, would disguise itself as a genuine app ensuing standard functionalities for weeks to gain user’s trust. The stealth dodged Google’s Play Protect team as well.




In mid-June, the newer version of the currency converter application had a dropper code that, only upon instructions from the ‘command and control server’ would activate and download additional malicious Android application package (APK) called the banker-Cerberus. This is done without the victim’s knowledge.

The Cerberus would sit over an existing banking application and wait for the user to login and enter credentials. At this point, the Cerberus banking trojan activates and creates a layover that steals all your information. ‘The banker’ also has access to the victim’s text messages and easily operate two-factor authentications.

Further investigations by Avast reveals:

‘The C&C server in question and its malware payload was only active for most of yesterday, during which time, users of the currency converter app were downloading the banking Trojan malware. However, as of yesterday evening, the command and control server had disappeared and the currency converter app on Google Play no longer contained the Trojan malware. Although this was just a short period, it’s a tactic fraudsters frequently use to hide from protection and detection i.e. limiting the time window where the malicious activity can be discovered.

Peculiarly, Cerberus can also disable Google’s preinstalled antivirus solution (Play Protect) which is what prevented its discovery until now. However, Avast has notified Google about the trojan banking malware.

Previously, Cerberus banking trojan with its spying and credential theft functionalities was distributed via exploit kits, malware scams, and phishing emails. The distribution then shifted via Betabot and now through a mobile app available on Google Play Store.

How to stay safe from Banking Trojans:

Firstly, confirm the application that you are using is verified from your respective bank. If something looks odd or unfamiliar, immediately contact the customer service team.

Do not give out confidential information on social media handles. They can be easily accessed.

In this particular case, the malware slyly slipped into Google Play store, but the payload was downloaded from an external source.

To protect yourself from this, immediately deactivate the option to download apps from unknown/unidentified sources this will defy trojan from activating. Besides this, pay attention to the permissions a newly downloaded application asks for. Most of us grant access without batting an eye.

To Top

Pin It on Pinterest

Share This