Calculadora de Moneda App on Google Play Was Hiding the Malicious Cerberus Trojan

Cerberus Android Trojan

Google has received quite a lot of criticism for letting too much malware on Google Play, and you could say that there's a very good reason for this. Compared to Apple, Google has adopted a much more liberal policy when it comes to allowing apps to be published on the Play store, and the frequency with which malware slips through the cracks shows that the checks are not rigorous enough. That being said, sometimes, the hackers are especially determined to keep their malicious intent a secret. Yesterday, for example, researchers from Avast told us about the clever tricks cybercriminals have used to hide a recent attack on Spanish users.

Hackers published a currency converter on Google Play

The operation began way back in March when the operators of the Cerberus banking trojan published an app on Android's official store. The application was called "Calculadora de Moneda" (Spanish for "Currency Calculator"), and the hackers had absolutely no problems running it past Google's security checks.

That's because there was nothing malicious about it. The initial version of Calculadora de Moneda was completely benign, and it even functioned as a currency converter. The goal was to earn users' trust, and it did. According to Avast, a couple of days ago, the currency converter app had around 10 thousand downloads.

The timeline is not perfectly clear, but at some point between March and July, the malicious stage of the operation began. The hackers pushed an update that contained a few lines of code that would later download and install Cerberus. They were in no hurry to trigger it, though. The code remained dormant and was only activated a couple of days ago.

The crooks deployed the Cerberus banking trojan a few days ago

The malicious code contacted the crooks' Command and Control server (C&C) and downloaded an APK file, which, if executed, would install the Cerberus banking trojan.

Cerberus is a formidable threat. It may have only been around for a year or so, but it has already made a name for itself, and several attacks over the past few months suggest that its operators have a particular interest in Spanish-speaking users.

Avast's report doesn't say which banking applications it targets, but it does explain that it steals passwords by drawing an overlay over the apps' login forms and exfiltrating the entered credentials. The trojan also has the ability to read text messages and steal authentication codes from apps like Google Authenticator, which means that it's capable of bypassing two-factor authentication.
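The report describes a benign first release, an update that adds dropper code, and a payload with overlay and SMS-reading capabilities. A defender triaging such an app would compare the permissions declared by each version and flag the ones that back those capabilities. The script below is an added example, not Avast's tooling or code from the app; the two manifests are constructed for illustration, and the mapping from capability to permission is an assumption (these are the standard Android permissions that normally gate the behaviour described).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: what a benign currency converter might declare.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.currencycalc">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Currency Calculator"/>
</manifest>
"""

# Constructed sample: a later update that quietly widens its reach.
UPDATED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.currencycalc">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Currency Calculator">
        <service android:name=".HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>
"""

# Assumed mapping: capability named in the report -> permissions that normally back it.
CAPABILITY_PERMISSIONS = {
    "dropper: can prompt the user to install a downloaded APK":
        {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "overlay: can draw over other apps' login screens":
        {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms: can read one-time codes delivered by text message":
        {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "accessibility: can read on-screen content of other apps":
        {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
}


def declared_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    perms = {el.get(name_attr) for el in root.iter("uses-permission")}
    # Accessibility services are declared on <service> via android:permission,
    # not via <uses-permission>, so they need a separate pass.
    perms |= {el.get(perm_attr) for el in root.iter("service") if el.get(perm_attr)}
    return {p for p in perms if p}


def flag_capabilities(perms):
    """List the report's capabilities that the declared permissions would enable."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)


def baseline_diff(old_perms, new_perms):
    """Permissions that an update added relative to an earlier, trusted version."""
    return sorted(new_perms - old_perms)


if __name__ == "__main__":
    old = declared_permissions(BENIGN_MANIFEST)
    new = declared_permissions(UPDATED_MANIFEST)
    print("new permissions in update:", baseline_diff(old, new))
    for cap in flag_capabilities(new):
        print("flagged:", cap)
```

Manifests inside a real APK are stored as binary XML, so they must be decoded first (for instance with apktool or aapt) before being fed to `declared_permissions`. The baseline diff is the check that matters for the pattern in this story: the first version passes review because it asks for almost nothing, and it is the update that introduces the permissions worth questioning.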

It's difficult to say how many people got hit, but as you can see, they were all put at serious risk. It's a good thing that the attack is now over.

The deployment has stopped… for now

The Calculadora de Moneda app started downloading Cerberus at some point on July 6, but mere hours later, the distribution stopped. The C&C and the malware payload became inactive, and the currency converter app continued to function as normal.

There could be a couple of reasons for the crooks' decision to cut the campaign short. They may be hoping that the smaller attack will help them evade detection. Alternatively, their plans might have changed after Avast's researchers intercepted the campaign. We shouldn't discount the grim possibility of this being a test that precedes a bigger attack, either.

Whatever the case, users should be aware of the risk, and they need to know what to do to keep themselves safe. Thankfully, in this particular case, Android's design can help them.

APK files from third-party sources can be dangerous

Avast's researchers relayed their findings to Google, and although you can find an app called "Calculadora de Moneda" on Google Play, the malicious application should now be removed. It must be said, however, that in this particular case, the malware itself was never uploaded to the Play store. In this attack, the currency converter acted as a dropper and downloaded the APK payload from the hackers' C&C.

Depending on the version, Android will display numerous warnings and will ask for permissions before it lets an APK file run on the device. Older incarnations of Google's mobile operating system won't let you install an APK file unless you change some of the default settings.

This is because although malware does appear on the Play store every now and again, for the most part, Android threats are distributed via APK files hosted on third-party websites. Android's developers know how big the risk of running such files is, and they are trying to warn you about it. All you need to do is listen.

July 8, 2020