This post is also available in:
עברית (Hebrew)
A newly discovered variant of the Cerberus Android banking trojan is actively targeting users, evolving significantly since its initial appearance in 2019. Researchers at Cyble Research and Intelligence Labs (CRIL) report that this sophisticated malware, dubbed “ErrorFather,” employs advanced tactics to evade detection and complicate removal.
Since September, cybercriminals have intensified their attacks, leveraging this new version of Cerberus, which utilizes session-based droppers, native libraries, and encrypted payloads. Notably, no antivirus engines currently detect this latest iteration, underscoring its threat level. The trojan utilizes keylogging, overlay attacks, and VNC (Virtual Network Computing) to gain unauthorized access to sensitive information.
One of the trojan’s most concerning features is its dynamic command and control (C&C) capabilities. It employs a Domain Generation Algorithm to create domains on-the-fly, allowing it to switch C&C servers seamlessly. This makes it particularly challenging for users and security software to identify and neutralize the threat.
CRIL’s investigation revealed that the malware campaign involves a multi-stage dropper mechanism. The first stage installs a secondary application that subsequently requests dangerous permissions. Although the malware’s final payload remains packed and obscured, it contains a range of malicious functionalities, including keylogging, personal data collection, and remote communication.
Attackers rely heavily on social engineering tactics, often disguising the malware as legitimate banking or authentication apps, complete with familiar Google Play and Chrome icons. Phishing sites are frequently employed for malware distribution, tricking users into installing malicious software under the guise of updates.
The new Cerberus variant also exhibits enhanced capabilities for data theft. It can log keystrokes, capture screenshots, send and receive SMS, and even record audio. When targeting specific apps, it overlays fake phishing pages to deceive users into providing login credentials or credit card information.
To combat this growing threat, CRIL recommends best security practices, such as downloading apps only from official sources, ensuring Google Play Protect is activated, and exercising caution with permissions and suspicious links. As cybercriminals continue to refine their tactics, vigilance is crucial for Android users to safeguard their personal information.
