In the last few days, our Mobile Threat Labs team at Avast discovered a Cerberus banking Trojan on Google Play that was targeting Android users in Spain. As is common with banking malware, Cerberus, disguised itself as a genuine app in order to access the banking details of unsuspecting users. What’s not so common is that a banking Trojan managed to sneak onto the Google Play Store. The ‘genuine’ app in this case, posed as a Spanish currency converter called “Calculadora de Moneda”. According to our research, hid its malicious intentions for the first few weeks while being available on the store. This was possibly to stealthily acquire users before starting any malicious activities, which could have grabbed the attention of malware researchers or Google’s Play Protect team. As a result, the app has been downloaded more than 10,000 times so far. We reported it to Google, so they can quickly remove it.

Banking Trojan apps operate in a stealth manner in order to gain the trust of users and steal their banking data. There are a number of stages to this process. The first stage involves delivering an app, which usually appears to act normally and perhaps even offers some degree of useful functionality to users who have downloaded it. This is to gain their trust and to ensure they are comfortable keeping the app on their phones. At this point, the 'Calculadora de Moneda' app did not steal any data or cause any harm. From the research that Threat Labs has carried out, this is exactly what happened when users first began to download the currency converter app in March of this year.

In this instance, this benign app became what’s known as a ‘dropper’ at a later stage. Droppers are malicious apps that silently download another app onto a device without the user’s knowledge. Later versions of the currency converter included a ‘dropper code’ but it still wasn’t activated initially, i.e. the command and control server (C&C) instructing the app wasn’t issuing any commands and so users wouldn’t see and download the malware. However in the last couple of days, Threat Labs noticed that a ‘command and control server’ issued a new command to download the additional malicious Android Application Package (APK) - the banker. 

In this final stage, the banker app can sit over an existing banking app and wait for the user to log into their bank account. At which point the malicious Trojan activates, creating a layover over your login screen, and steals all your access data. The banker also has the potential to read your text messages and two factor authentication details, meaning it is able to bypass all security measures. 

The C&C server in question and its malware payload was only active for most of yesterday, during which time, users of the currency converter app were downloading the banking Trojan malware. However, as of yesterday evening, the command and control server had disappeared and the currency converter app on Google Play no longer contained the Trojan malware. Although this was just a short period, it’s a tactic fraudsters frequently use to hide from protection and detection i.e. limiting the time window where the malicious activity can be discovered.

Different versions of the Currency Converter app present in our Threat Intelligence platform, apklab.io.

All of our findings have been reported to Google. 

How you can protect yourself from mobile banking Trojans

We recommend users take the following steps to protect themselves from mobile banking Trojans:

• Confirm that the app you are using is a verified banking app. If the interface looks unfamiliar or odd, double-check with the bank’s customer service team
• Use two-factor authentication if your bank offers it as an option.
• Only rely on trusted app stores, such as Google Play or Apple’s App Store. Even though the malware slipped into Google Play, its payload was downloaded from an external source. If you deactivate the option to download apps from other sources, you will be safe from this type of banking Trojan activating on your phone.
• Before downloading a new app, check its user ratings. If other users are complaining about a bad user experience, it might be an app to avoid.
• Pay attention to the permissions an app requests. If you feel that the app is requesting more than it promises to deliver, treat this as a red flag.
• Often, malware will ask to become device administrator to get control over your device. Don’t give this permission to an app unless you know this really is necessary for an app to work.
• Use a security app like Avast Mobile Security that detects and protects you from banking threats.

List of IoCs:

• Main dropper - Currency Converter app that we detected as active dropper:
• C30ebf9fc47e6e12f4467e32bf1b3c055f99659c8c0395df4b3e7107591eb5fa
• Dropper C&C:
• 23.106.124.183
• Payload (banker):
• D89E08DB5AF347BE72F1307186638AAA062A8DE45A808F57DCE85BC83C94059E
• Banker C&C:
• goldegrillz.top