Alien¶
Alien was the first commercially significant fork of Cerberus. It was rented as MaaS on underground forums from early 2020, months before the Cerberus source code leaked publicly in September 2020, and it bridged the gap between the original Cerberus operation and the next-generation trojans that followed. ThreatFabric documented Alien operating concurrently with the dying Cerberus MaaS well before the leak. The threat actor behind Alien, tracked as "DukeEugene," later launched Ermac in 2021 and Hook in 2023, making Alien the critical stepping stone in the Cerberus lineage.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | January 2020 |
| Last Seen | Mid-2021 (superseded by Ermac) |
| Status | Inactive as standalone; code lives on through Ermac and Hook |
| Type | Banking trojan (MaaS) |
| Attribution | "DukeEugene" (also behind BlackRock, Ermac, Hook) |
| Aliases | Alien Bot, Alien Banker |
| Rental Price | $3,000/month (underground forums) |
Vendor Names¶
| Vendor | Name |
|---|---|
| ThreatFabric | Alien |
| Kaspersky | Trojan-Banker.AndroidOS.Cerana |
| ESET | Android/TrojanDropper.Agent |
| Microsoft | TrojanSpy:AndroidOS/Alienbot |
| Trend Micro | AndroidOS_Alienbot |
| Fortinet | Android/Agent.GJJ!tr |
| Dr.Web | Android.BankBot.Alien |
| Symantec | Trojan.Gen.MBT |
Origin and Lineage¶
Alien is a direct fork of the Cerberus v1 source code. ThreatFabric established this through code structure comparison: Alien retains the core Cerberus architecture for overlay injection, accessibility abuse, and C2 communication, and layers new capabilities on top. The fork was active from January 2020, so its author had access to the Cerberus source months before the public leak in September 2020. This aligns with the timeline of the Cerberus team's internal collapse and suggests the code was obtained through private channels or from team members.
DukeEugene was simultaneously operating BlackRock, another Android banking trojan discovered in mid-2020. ThreatFabric observed BlackRock sample production cease as Ermac emerged in August 2021, consistent with DukeEugene transitioning from Alien and BlackRock to Ermac as a consolidated MaaS offering.
The lineage is direct and well-documented: Cerberus v1, then Alien, then Ermac, then Hook.
Each successor inherited the predecessor's codebase and added capabilities. NCC Group confirmed this chain through code comparison when analyzing Hook's relationship to Ermac.
Distribution¶
Alien operators deployed standard Android banking trojan delivery methods, with a preference for fake app campaigns.
| Vector | Details |
|---|---|
| Phishing sites | Typosquatted domains serving APKs disguised as legitimate apps |
| Fake apps | Posed as fitness trackers, Flash Player updates, coronavirus information apps, Google Chrome updates |
| Smishing | SMS messages linking to phishing download pages |
| Third-party stores | APKs distributed through unofficial Android app markets |
| Social media | Lure posts directing victims to download pages |
Distribution infrastructure was shared across DukeEugene's operations. ThreatFabric noted that COVID-19-themed lures were heavily used during 2020, with fake government health apps and pandemic information tools serving as delivery vehicles.
Capabilities¶
Alien inherited all of Cerberus v1's functionality and introduced several features that would define the next generation.
| Capability | Implementation |
|---|---|
| Overlay attacks | WebView-based injects shown when the accessibility service detects a targeted app in the foreground; ThreatFabric counted 226+ targeted banking and crypto apps |
| Notification sniffer | Declares a notification listener service (protected by BIND_NOTIFICATION_LISTENER_SERVICE) and uses accessibility to click through the Settings toggle that grants notification access, then reads every posted notification, capturing 2FA codes from banking apps, authenticators, and email clients |
| TeamViewer RAT | Silently installs and launches TeamViewer for full remote device control, enabling manual fraud operations |
| Keylogging | Accessibility-based keystroke capture across all applications |
| SMS interception | Read, send, and forward SMS messages for OTP theft |
| Contact harvesting | Exfiltrate contact list to C2 |
| Call forwarding | Forward incoming calls to attacker-controlled numbers |
| App listing | Enumerate installed packages to determine overlay targets |
| Self-protection | Hide app icon, prevent uninstallation via device admin abuse |
| Google Authenticator theft | Read 2FA codes directly from Authenticator app UI via accessibility events |
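A static check for the declared capability mix in the table above, as an added example that is not Alien's code and not a ThreatFabric or vendor tool. It parses a decoded AndroidManifest.xml (the form apktool produces) with the standard library and maps the permissions and privileged service bindings it finds back to the capability rows above. The two manifests are constructed for this example; the package names, class names and the verdict thresholds are assumptions, and a real triage would also read the dex code, since permissions alone are only a signal.

```python
"""Static triage of a decoded AndroidManifest.xml for the Alien capability mix.
Added example with constructed manifests; not Alien code or vendor tooling.
Capability labels and verdict thresholds are assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Install-time / runtime permissions, mapped to the capability row they support.
PERMISSION_CAPABILITIES = {
    "android.permission.RECEIVE_SMS": "sms_interception",
    "android.permission.READ_SMS": "sms_interception",
    "android.permission.SEND_SMS": "sms_interception",
    "android.permission.READ_CONTACTS": "contact_harvesting",
    "android.permission.CALL_PHONE": "call_control",                   # call forwarding
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.REQUEST_INSTALL_PACKAGES": "package_install",  # dropping TeamViewer
    "android.permission.GET_ACCOUNTS": "account_theft",
    "android.permission.READ_PHONE_STATE": "device_fingerprint",
}

# Bindings granted through a Settings toggle rather than a permission dialog;
# these toggles are exactly what accessibility click-through automates.
BINDING_CAPABILITIES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}

# Assumption: capabilities that, combined with accessibility, form the Alien profile.
ESCALATIONS = {"notification_listener", "device_admin", "sms_interception", "overlay", "package_install"}


def assess_manifest(xml_text: str) -> dict:
    """Map declared permissions and privileged components to capabilities and rate them."""
    root = ET.fromstring(xml_text)
    caps = set()
    for node in root.iter("uses-permission"):
        caps.add(PERMISSION_CAPABILITIES.get(node.get(ANDROID_NS + "name", "")))
    for tag in ("service", "receiver"):
        for node in root.iter(tag):
            caps.add(BINDING_CAPABILITIES.get(node.get(ANDROID_NS + "permission", "")))
    caps.discard(None)  # permissions we did not map
    # Assumption: accessibility plus two or more escalations is the Alien/Cerberus
    # profile; accessibility alone still deserves a manual look.
    if "accessibility_service" not in caps:
        verdict = "no_accessibility_foothold"
    elif len(caps & ESCALATIONS) >= 2:
        verdict = "alien_like"
    else:
        verdict = "review"
    return {"package": root.get("package"), "capabilities": sorted(caps), "verdict": verdict}


# Constructed manifest in the shape a fake "fitness tracker" dropper would declare.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.fitness.tracker.pro">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".svc.AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".svc.NotiService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(assess_manifest(manifest))
```

Run it against the output directory of apktool d sample.apk to score a real sample; the scoring is deliberately coarse, and the point is to surface the accessibility-plus-notification-plus-device-admin combination early in a triage queue rather than to replace dynamic analysis.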
Notification Sniffer¶
The notification sniffer was Alien's most significant addition over Cerberus. Notification access is not a runtime permission but a per-app toggle in Settings; Alien declared a notification listener service (protected by BIND_NOTIFICATION_LISTENER_SERVICE) and used its accessibility service to click through that toggle on the user's behalf, gaining passive access to every notification on the device. This captured 2FA codes from banking apps that deliver OTPs via push notification rather than SMS, a blind spot in Cerberus's SMS-only interception.
TeamViewer Integration¶
Rather than implementing custom VNC or screen streaming, Alien took a shortcut: it silently downloaded and installed TeamViewer, then used accessibility to auto-grant its permissions and initiate sessions. This gave operators full remote control without developing RAT functionality from scratch. The approach was effective but noisy, as TeamViewer's presence on a device is detectable.
Technical Details¶
Accessibility Abuse¶
Alien's core loop follows the Cerberus pattern with enhancements:
- A persistent prompt nags the user until the accessibility service is enabled
- Once enabled, the service clicks through the dialogs and Settings toggles that grant SMS, phone, contacts, and notification-listener access
- Monitors TYPE_WINDOW_STATE_CHANGED accessibility events to detect which app is in the foreground
- Triggers overlay injection when a target app enters the foreground
- The notification listener service captures all push notifications passively
- TeamViewer is installed and configured for remote-access sessions
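An incident-response check for the grants the loop above relies on, covering the notification sniffer and TeamViewer sections as well, as an added example that is not Alien's code and not vendor tooling. It parses the output of three adb commands, embedded here as constructed strings so the block runs offline: settings get secure enabled_accessibility_services, settings get secure enabled_notification_listeners, and pm list packages. A non-allowlisted package holding both accessibility and notification access, or a TeamViewer package the user did not knowingly install, is worth pulling for analysis. The allowlists, the sample output, the fake package name and the TeamViewer package identifiers are assumptions.

```python
"""Device-posture triage for Alien-style grants, parsing 'adb shell settings get secure ...'
and 'adb shell pm list packages' output. Added example with constructed input; not Alien
code. Allowlists and package identifiers are assumptions."""
from __future__ import annotations

# Assumption: services a defender expects to hold these grants on a managed fleet.
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
ALLOWED_LISTENERS = {"com.google.android.apps.wellbeing"}
# Assumption: remote-control packages Alien is reported to sideload (TeamViewer).
REMOTE_CONTROL_PKGS = {"com.teamviewer.quicksupport.market", "com.teamviewer.host.market"}

# Constructed sample output; no real device was queried.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.fitness.tracker.pro/.svc.AccessService"
)
SAMPLE_LISTENERS = "com.fitness.tracker.pro/.svc.NotiService"
SAMPLE_PACKAGES = """package:com.android.chrome
package:com.fitness.tracker.pro
package:com.teamviewer.quicksupport.market
package:com.google.android.marvin.talkback
"""


def parse_component_list(raw: str) -> list[tuple[str, str]]:
    """Parse the colon-separated 'pkg/cls' list that settings get secure returns.
    The literal string 'null' (or an empty string) means nothing is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    entries = []
    for entry in raw.split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):  # relative class name: expand to fully qualified
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def parse_package_list(raw: str) -> set[str]:
    """Parse 'package:<name>' lines from pm list packages."""
    return {line.split(":", 1)[1].strip() for line in raw.splitlines() if line.startswith("package:")}


def triage(acc_raw: str, listener_raw: str, pkg_raw: str) -> dict[str, list[str]]:
    """Return the packages whose grants match the Alien pattern."""
    acc_pkgs = {pkg for pkg, _ in parse_component_list(acc_raw)}
    lis_pkgs = {pkg for pkg, _ in parse_component_list(listener_raw)}
    installed = parse_package_list(pkg_raw)
    return {
        # An unexpected accessibility service is the foothold every other abuse builds on.
        "unexpected_accessibility": sorted(acc_pkgs - ALLOWED_ACCESSIBILITY),
        # An unexpected notification listener is the sniffer that reads push-delivered OTPs.
        "unexpected_listeners": sorted(lis_pkgs - ALLOWED_LISTENERS),
        # Both at once from one non-allowlisted package is the strongest single indicator.
        "accessibility_and_notification": sorted(
            (acc_pkgs & lis_pkgs) - ALLOWED_ACCESSIBILITY - ALLOWED_LISTENERS
        ),
        # Remote-control tooling next to the above means the APK should be pulled.
        "remote_control_tools": sorted(installed & REMOTE_CONTROL_PKGS),
    }


if __name__ == "__main__":
    for key, pkgs in triage(SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS, SAMPLE_PACKAGES).items():
        print(f"{key}: {pkgs or '-'}")
```

On a live device, feed the function the raw strings from adb shell settings get secure enabled_accessibility_services, adb shell settings get secure enabled_notification_listeners and adb shell pm list packages. Device-admin status is a separate check (dumpsys device_policy), and an icon-hidden app will still appear in the package list, which is why the package list rather than the launcher is the source of truth here.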
C2 Communication¶
Alien's C2 protocol is an evolution of Cerberus's HTTP-based approach:
- HTTP POST requests to hardcoded C2 domains
- Request bodies encrypted before transmission, using a scheme updated from the Cerberus baseline
- The bot registers on first launch with a device fingerprint
- Commands are retrieved by polling at a regular interval
- Inject pages are fetched from the C2 by target package name
Key C2 commands:
| Command | Action |
|---|---|
| push | Display a push notification to lure the user into opening the target app |
| startApp | Launch the specified application to trigger its overlay |
| getContacts | Exfiltrate the contact list |
| sentSMS | Send an SMS from the victim device |
| startForward | Forward calls to an attacker-controlled number |
| startVNC | Initialize a TeamViewer remote session |
| getAccounts | Steal accounts registered on the device |
| getInstalledApps | Enumerate installed packages |
Anti-Analysis¶
| Technique | Method |
|---|---|
| Emulator detection | Checks build properties, SIM state, and hardware fingerprints |
| String obfuscation | Critical strings encrypted and resolved at runtime |
| Delayed activation | Payload dormant until specific conditions met |
| Icon hiding | App icon removed from launcher after initial setup |
Target Regions and Financial Institutions¶
Alien cast a wide net, with inject kits covering institutions across multiple continents. ThreatFabric reported coverage of 226+ applications.
| Region / category | Targets |
|---|---|
| Western Europe | Spain, France, Italy, Germany, UK, Belgium, Netherlands |
| Eastern Europe | Turkey, Poland |
| North America | United States, Canada |
| Asia-Pacific | Australia |
| Cryptocurrency wallets | MetaMask, Trust Wallet, Coinbase, Blockchain.com |
Spanish and Turkish financial institutions were particularly well-represented in the inject kit, consistent with Cerberus's original targeting focus. The addition of cryptocurrency wallet targets reflected the broader 2020-era trend of banking trojans expanding into crypto theft.
Notable Campaigns¶
January 2020: Alien first observed operating as a rented MaaS alongside the still-active Cerberus. ThreatFabric identified it as a Cerberus v1 fork with enhanced capabilities.
Mid-2020: COVID-19-themed distribution campaigns peaked. Alien samples posed as pandemic tracking apps, government health information tools, and coronavirus safety applications.
July 2020: Cerberus's author put the project up for auction. Alien was positioned as the active successor for operators migrating off Cerberus.
September 2020: Cerberus source leaked publicly. Alien's operator base expanded as former Cerberus renters sought a maintained alternative. ThreatFabric published "Alien: the story of Cerberus' demise", providing the definitive analysis of the family.
Late 2020 - Mid-2021: Alien remained the dominant Cerberus derivative available for rent, targeting European banking customers across multiple campaigns.
August 2021: DukeEugene launched Ermac, identified by ThreatFabric as built on the same codebase. Alien campaigns declined as the operator migrated renters to the newer, more capable product.