ThreatFabric specialists detected modification of the Cerberus trojan virus, which intercepts one-time passwords from the Google Authenticator application.
[BLOG] 2020 is the year of the RAT, financially motivated threat actors are working hard on making their #Trojans more successful. Find out why and what it means for #Malware and the future threat-landscape.#ThreatIntelligence #ThreatIntel //t.co/6NAllgSb9z
— ThreatFabric (@ThreatFabric) February 26, 2020
According to experts, the Trojan, known since the summer of 2019, underwent a codebase refactoring, which allows it to abuse accessibility rights in Android. It can intercept the credentials of the device’s screen lock and the contents of the application interface, sending them to the attacker’s server.
“The RAT (Remote Access Trojan) service is able to traverse the file system of the device and download its contents. On top of that it can also launch TeamViewer and setup connections to it, providing threat actors full remote access of the device,” the report says.
Thus, hackers gain unlimited access to the victim’s device, including changing its settings, installing or deleting applications, but, above all, using any software on the device, including banking applications, messengers and social networks, even using two-factor authentication via Google Authenticator.
The new modification of the malware has not yet received widespread advertising on hacker forums and, most likely, is still at the testing stage, but may be released in the near future.
“Having an exhaustive target list including institutions from all over the world, combined with its new RAT capability, Cerberus is a critical risk for financials offering online banking services. Whether in its target list or not, it is easy for its operators to enhance the list to target additional apps, including cryptocurrency wallets,” the experts noted.
Kaspersky Lab’s cybersecurity experts confirmed that hackers can easily expand the Trojan’s sphere.
“In general, it is not difficult for attackers to reconfigure this malware to steal credentials from cryptocurrency wallets. To ensure security, cryptocurrency holders should use specialized Android security software on their gadgets,” said Kaspersky Lab’s antivirus expert Viktor Chebyshev.
In October 2019, the banking virus Geost infected more than 800 thousand Android-devices of Russian users. According to preliminary data, attackers could control millions of rubles in the bank accounts of Russian citizens.