Rewterz Threat Alert – Cerberus banking Trojan Targets Android Devices

Tuesday, November 5, 2019



Analysis Summary

Another malware campaign has been found targeting users of Android mobile devices. The malicious application, which impersonates the InPost brand, turned out to be a banking Trojan recognized as Cerberus.

The malicious code was distributed through SMS messages that told the recipient a shipment could be tracked through a mobile application and included a link to download it. One of the bot's basic functions was stealing login data for selected applications. Once granted permission to use accessibility services, the malware escalated its own privileges: the Trojan claimed the ability to read the contact list and initiate USSD calls, and became the administrator of the device and the default application for handling SMS. The authors intended the Trojan to allow, among other things, disabling Google Play Protect, intercepting SMS communication, launching and removing installed applications, opening URLs, displaying fake notifications from banking applications, avoiding analysis through anti-emulation techniques, and in some cases also stealing data using a keylogger.

To be infected, the user must download a file from the link in the SMS and disable the setting that blocks installation of applications from outside the official Google Play store. Using the screen overlay technique, the malware steals login information for popular applications. Overlays are downloaded from an external server while the Trojan is running, provided that an application for which the criminals have prepared an overlay is installed on the device.


  • Credential Theft
  • Privilege Escalation
  • Device Takeover
  • Keylogging

Indicators of Compromise

Domain Name

  • badabinglalaland[.]com
  • inpost24[.]tk
  • m[.]in










  • Block the threat indicators at their respective controls.
  • Do not respond to text messages with shipment information containing URLs.
  • Make sure that the ‘block installation of applications outside the official Google Play store’ option is enabled.
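
One way to check a device for the privilege combination described in the analysis (accessibility service, device administrator and default SMS handler held by an app installed from outside Google Play), as an added example that is not part of the original alert. It parses output captured from `adb shell pm list packages -3 -i`, `settings get secure enabled_accessibility_services` and `settings get secure sms_default_application`. As assumptions, the device-admin list has been extracted from `dumpsys device_policy` into the same colon-separated component form, and all package names and captures are constructed.

```python
# Added example; package names and sample captures are constructed for illustration.
PLAY_INSTALLERS = {"com.android.vending"}
ROLES = ("accessibility", "device_admin", "default_sms")

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -3 -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            name, _, src = line[len("package:"):].partition("installer=")
            installers[name.strip()] = src.strip() or "null"
    return installers

def component_packages(value):
    """Package names from a colon-separated ComponentName list (pkg/class)."""
    return {c.split("/")[0] for c in value.strip().split(":") if c and c != "null"}

def triage(pm_output, accessibility, device_admins, default_sms):
    """Return {package: [roles held]} for apps installed from outside Google Play."""
    held = {
        "accessibility": component_packages(accessibility),
        "device_admin": component_packages(device_admins),  # assumed input format
        "default_sms": {default_sms.strip()},
    }
    findings = {}
    for pkg, src in parse_installers(pm_output).items():
        if src in PLAY_INSTALLERS:
            continue  # installed through the official store
        roles = [r for r in ROLES if pkg in held[r]]
        if roles:
            findings[pkg] = roles
    return findings

def full_chain(findings):
    """Packages holding all three roles the alert attributes to the Trojan."""
    return sorted(p for p, roles in findings.items() if set(roles) == set(ROLES))

# Constructed sample captures (not taken from an infected device).
SAMPLE_PM = """package:com.example.parcel.tracker  installer=com.google.android.packageinstaller
package:com.example.notes  installer=com.android.vending
package:com.example.reader  installer=null"""
SAMPLE_A11Y = ("com.example.parcel.tracker/com.example.parcel.tracker.Svc:"
               "com.example.notes/.Helper:com.example.reader/.TtsService")
SAMPLE_ADMINS = "com.example.parcel.tracker/.AdminReceiver"
SAMPLE_SMS = "com.example.parcel.tracker"

if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_ADMINS, SAMPLE_SMS))
```

A sideloaded package that holds only one of the roles, such as the constructed `com.example.reader`, is reported for review but is not part of the full-chain result.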

Copyright © Rewterz. All rights reserved.