
Cerberus

Cerberus was the Android banking trojan whose 2020 source code leak became the single most consequential event in mobile malware history. Sold as Malware-as-a-Service (MaaS) from mid-2019 through mid-2020, it introduced a polished rental model to a market previously dominated by Anubis. When the operation collapsed and its source hit underground forums, it seeded an entire lineage of successors: Alien, Ermac, Hook, and dozens of unnamed forks that persist today.

Overview

| Attribute | Details |
|---|---|
| First Seen | June 2019 |
| Last Seen | August 2020 (original operation) |
| Status | Source leaked September 2020, forks still active |
| Type | Banking trojan (MaaS) |
| Attribution | Russian-speaking developer(s), identity unknown |
| Aliases | Cerberus v1, Cerberus v2 |
| Source | Leaked freely on a Russian-speaking underground forum after a failed auction |

Origin and Lineage

Cerberus appeared in June 2019 when its author began advertising rental access on underground forums. The developer claimed the trojan had been used in private operations for two years prior and was written entirely from scratch rather than derived from Anubis, a claim that ThreatFabric disputed based on code structure similarities.

The original MaaS operation ran for roughly one year. By mid-2020, internal disputes fractured the development team. In July 2020, the author put the entire project up for auction with a starting price of $50,000 and a buy-it-now price of $100,000. The package included APK source code, the admin panel, C2 server code, installation guides, setup scripts, and the active customer list. The auction failed to attract a buyer.

In September 2020, the author released the full source code for free to premium members of a popular Russian-speaking underground forum. Kaspersky documented an immediate spike in infections across Russia and Europe as low-skill actors began deploying their own builds. This leak directly spawned the next generation: ThreatFabric identified Alien as the first notable fork even before the public leak, followed by Ermac in 2021 and Hook in 2023.

Distribution

Cerberus reached devices through multiple channels:

| Vector | Details |
|---|---|
| Smishing | SMS messages with links to fake banking or utility pages that served the APK |
| Phishing sites | Typosquatted domains mimicking legitimate app download pages |
| Google Play droppers | In July 2020, Avast discovered a Cerberus dropper disguised as a Spanish currency converter ("Calculadora de Moneda") with over 10,000 downloads. The app behaved legitimately for several weeks before activating dropper code to fetch the banking payload. |
| Third-party app stores | APKs distributed through unofficial Android markets |

The dropper-on-Play technique was notable: the app passed Google Play Protect checks for weeks as a genuine currency converter, then received a C2 command that activated the dropper component to silently download and install the Cerberus banking payload.

Capabilities

Cerberus evolved significantly between its initial release and the v2 update in early 2020.

Version 1 (June 2019)

| Capability | Implementation |
|---|---|
| Overlay attacks | WebView-based injects triggered via accessibility service foreground detection |
| SMS interception | Read, send, and forward SMS for OTP theft |
| Contact harvesting | Exfiltrate contact list to C2 |
| Keylogging | Accessibility-based keystroke capture |
| App listing | Enumerate installed packages to determine relevant inject targets |
| Device info collection | IMEI, SIM info, installed apps, device model |
| Self-protection | Hide app icon, prevent uninstallation via device admin |
| Anti-analysis (pedometer) | Used the device accelerometer as a step counter; payload only activates after a threshold of physical steps is reached, defeating sandbox and emulator analysis |

The pedometer trick was Cerberus's most distinctive evasion technique. Since automated analysis environments and emulators do not generate real accelerometer data, the step counter never increments, and the malware stays dormant.

Version 2 (January 2020)

ThreatFabric's "Year of the RAT" report documented the v2 upgrade:

| Capability | Implementation |
|---|---|
| RAT (Remote Access Trojan) | TeamViewer-based remote access enabling full device control |
| Google Authenticator theft | Abuses accessibility to read 2FA codes directly from the Authenticator app UI |
| Screen lock credential theft | Captures PIN codes and swipe unlock patterns via accessibility |
| File system traversal | RAT service can browse the device file system and download contents |
| Improved C2 protocol | Refactored communication protocol with updated encryption |

The ability to steal Google Authenticator 2FA codes was significant: rather than intercepting SMS-based OTPs, Cerberus read the codes directly from the Authenticator app's UI through accessibility events, so the industry's shift from SMS to app-based 2FA gave victims no protection against it.

Technical Details

Accessibility Abuse

Cerberus's core functionality depends on the Android Accessibility Service. Once the user grants accessibility privileges, the malware:

  1. Auto-grants itself additional permissions (SMS, phone calls) without user interaction
  2. Monitors TYPE_WINDOW_STATE_CHANGED events to detect when target apps enter the foreground
  3. Injects WebView-based overlay screens that mimic the target app's login UI
  4. Logs keystrokes across all applications
  5. In v2, reads Google Authenticator codes and screen lock patterns

C2 Communication

The C2 protocol uses HTTP POST requests to communicate with the command-and-control server. Data is encrypted before transmission. The bot registers with the C2 on first launch, sending device fingerprint data, and then polls for commands at regular intervals.

Key C2 commands:

| Command | Action |
|---|---|
| push | Display push notification to lure user into opening an app |
| startAuthenticator2 | Launch Google Authenticator and capture displayed codes |
| startApp | Open a specified application (triggers overlay) |
| getContacts | Exfiltrate contact list |
| getAccounts | Steal accounts stored on device |
| sentSMS | Send SMS from victim device |
| startForward | Forward incoming calls to attacker-specified number |
| startScreenVNC (v2) | Initialize RAT session |

Anti-Analysis

| Technique | Method |
|---|---|
| Pedometer gate | Reads TYPE_STEP_COUNTER sensor; payload dormant until step threshold is met |
| Emulator detection | Checks build properties, SIM state, and hardware characteristics |
| Delayed activation | Play Store droppers wait weeks before activating malicious behavior |
| String obfuscation | Critical strings encrypted and resolved at runtime |

Inject Architecture

Overlay injects are HTML/CSS/JS files hosted on the C2, one per target application. When the malware detects a target app in the foreground via accessibility, it requests the corresponding inject by package name. The WebView renders the inject fullscreen over the legitimate app. Submitted credentials are POSTed back to C2.

Permissions

| Permission | Purpose |
|---|---|
| BIND_ACCESSIBILITY_SERVICE | Core dependency for overlay triggering, keylogging, auto-granting permissions, and reading Authenticator codes |
| SYSTEM_ALERT_WINDOW | Display overlay injections over banking apps |
| READ_SMS | Read incoming SMS for OTP interception |
| RECEIVE_SMS | Intercept SMS in real time |
| SEND_SMS | Send SMS from the victim device |
| READ_CONTACTS | Exfiltrate the contact list |
| READ_PHONE_STATE | Collect device identifiers (IMEI, SIM info) |
| INTERNET | C2 communication |
| RECEIVE_BOOT_COMPLETED | Persistence across reboots |
| BIND_DEVICE_ADMIN | Prevent uninstallation via device admin |
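The accessibility-abuse section and the permission table above together describe a manifest profile that a benign utility app (such as the currency converter used as a dropper lure) has no reason to declare. The following triage script is an added example, not Cerberus code or any vendor's tooling: it parses a decoded AndroidManifest.xml, scores the page's permission cluster, and flags the combination of an accessibility-service binding with overlay and SMS access. The sample manifest and the weights are constructed assumptions.

```python
# Triage a decoded AndroidManifest.xml for the permission cluster in the table
# above. Added example (not Cerberus code); manifest and weights are constructed.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
# Assumed weights: overlay and SMS access matter most for overlay/OTP theft.
WEIGHTS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.SEND_SMS": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
}

def triage_manifest(xml_text: str) -> dict:
    """Return suspicious permissions, component binding flags and a score."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    # Accessibility/device-admin are android:permission on <service>/<receiver>.
    binds = {c.get(NS + "permission") for c in root.iter("service")}
    binds |= {c.get(NS + "permission") for c in root.iter("receiver")}
    score = sum(w for p, w in WEIGHTS.items() if p in perms)
    score += 4 if ACCESSIBILITY in binds else 0
    score += 2 if DEVICE_ADMIN in binds else 0
    return {
        "permissions": sorted(p.rsplit(".", 1)[1] for p in perms if p in WEIGHTS),
        "accessibility": ACCESSIBILITY in binds,
        "device_admin": DEVICE_ADMIN in binds,
        "score": score,
        # Overlay + SMS alone is noisy; require the accessibility binding too.
        "verdict": "review" if ACCESSIBILITY in binds and score >= 8 else "ok",
    }

# Constructed manifest resembling a utility app that also binds accessibility.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.converter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Converter">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Run it against the output of `apktool d` or `aapt2 dump xmltree` converted to plain XML; the manifest is only one signal, so a "review" verdict is a reason to look at the accessibility service and overlay code, not a conviction.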

Target Regions and Financial Institutions

Cerberus primarily targeted European banking customers, with inject kits covering institutions across:

| Region | Countries |
|---|---|
| Western Europe | Spain, France, Italy, Netherlands, UK |
| Eastern Europe | Turkey, Poland |
| North America | United States |
| Asia-Pacific | Australia, India (SBI, ICICI) |

The MaaS model meant targeting depended on individual operators. The core team maintained inject kits for major European banks, while renters could commission custom injects for specific targets. Spanish financial institutions were particularly well-represented, consistent with the Google Play dropper campaign that exclusively targeted Spanish users.

Notable Campaigns

June 2019: ThreatFabric first identified Cerberus being advertised on underground forums at $2,000/month for private use or $7,000/month with the full feature set.

January 2020: The v2 release added RAT capabilities and Google Authenticator theft. ThreatFabric covered the upgrade in their "Year of the RAT" report, noting Cerberus had taken over from Anubis as the dominant rented banking malware.

July 2020: Avast discovered a Cerberus dropper on Google Play disguised as "Calculadora de Moneda," a Spanish currency converter app with 10,000+ downloads.

July 2020: The failed auction. After the team dissolved, the author offered the source code for $50,000-$100,000, and no buyer emerged.

August 2020: ThreatFabric published "Alien: the story of Cerberus' demise", documenting the project's collapse and the emergence of Alien as the first Cerberus fork.

September 2020: Full source code leaked on underground forums. Kaspersky reported an immediate surge in infections across Russia and Europe as new actors began deploying the freely available code.

October 2020 onward: The post-leak ecosystem. Cerberus source became the foundation for Ermac (2021), Hook (2023), and numerous unattributed variants that continue to surface. Cyble tracked campaigns like "ErrorFather" still deploying Cerberus-derived code as late as 2024, incorporating Domain Generation Algorithms (DGA) and updated obfuscation on top of the original codebase.
