Attackers used a multinational company’s compromised Mobile Device Manager (MDM) server to infect more than 75% of managed Android devices with the Cerberus banking trojan. MDM (also known as Enterprise Mobility Management – EMM) is a mechanism used by companies of all sizes to enroll enterprise-owned devices with the same management server to make it easier to perform tasks such as delivering company-wide device configurations, deploying applications, and more.
Once deployed onto an Android device, Cerberus can be used by the attackers to steal a wide range of highly sensitive information, including but not limited to call logs, text messages, credentials, Google Authenticator 2FA codes, and phone unlocking patterns, as well as to collect information on installed apps and log keystrokes. After compromising the unnamed company’s MDM server in a targeted attack, the attackers used it to remotely deploy the banking trojan to over 75% of all managed Android devices. This is the first reported incident in which mobile malware was distributed using the MDM server itself as the attack vector.
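The MDM server is trusted to push software to every enrolled device, so a compromise of that server looks, from the device side, like a legitimate company-wide rollout. One defensive check that follows from the incident described above is to review the MDM's own deployment audit trail for packages that are not on the approved list or that reach a large share of the fleet in a very short window. The following is an added example, not code from the article or from any MDM product: the log format, the account names, the package names, the fleet size and the 50% threshold are all constructed assumptions (the article reports 75% coverage; a lower alert threshold is chosen here to catch the push earlier).

```python
"""Flag suspicious application pushes in an MDM deployment audit log.

Added example with a constructed log format:
  <ISO-8601 timestamp> <actor> <action> <package> <device id>
Real MDM products export different fields; adapt parse_log() accordingly.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: three routine pushes by an admin, then a burst of
# an unknown package from a service account late at night, then one more
# routine push. Nothing here is taken from the real incident.
SAMPLE_LOG = """\
2020-04-01T08:00:12Z admin@corp.example deploy com.corp.mail device-001
2020-04-01T08:00:13Z admin@corp.example deploy com.corp.mail device-002
2020-04-01T08:00:14Z admin@corp.example deploy com.corp.mail device-003
2020-04-02T23:10:01Z svc-mdm deploy com.example.sysupdate device-001
2020-04-02T23:10:02Z svc-mdm deploy com.example.sysupdate device-002
2020-04-02T23:10:03Z svc-mdm deploy com.example.sysupdate device-003
2020-04-02T23:10:04Z svc-mdm deploy com.example.sysupdate device-004
2020-04-03T09:15:00Z admin@corp.example deploy com.corp.vpn device-004
"""

MANAGED_DEVICES = 8                                  # constructed fleet size
APPROVED_PACKAGES = {"com.corp.mail", "com.corp.vpn"}  # constructed allowlist


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, package, device = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor,
            "action": action,
            "package": package,
            "device": device,
        })
    return events


def find_suspicious_pushes(events, fleet_size, approved,
                           ratio=0.5, window=timedelta(hours=1)):
    """Return one finding per package that is unapproved and/or was pushed to
    at least `ratio` of the fleet within `window`.

    Both rules are evaluated independently: a mass push of an approved
    package is still worth a look, and an unapproved package is flagged even
    if it only reached a single device.
    """
    by_pkg = defaultdict(list)
    for e in events:
        if e["action"] == "deploy":
            by_pkg[e["package"]].append(e)

    findings = []
    for pkg, evs in sorted(by_pkg.items()):
        evs.sort(key=lambda e: e["ts"])
        devices = {e["device"] for e in evs}
        coverage = len(devices) / fleet_size
        span = evs[-1]["ts"] - evs[0]["ts"]
        reasons = []
        if pkg not in approved:
            reasons.append("package not on the approved list")
        if coverage >= ratio and span <= window:
            reasons.append(f"pushed to {coverage:.0%} of the fleet within {span}")
        if reasons:
            findings.append({
                "package": pkg,
                "devices": len(devices),
                "coverage": coverage,
                "actors": sorted({e["actor"] for e in evs}),
                "reasons": reasons,
            })
    return findings


FINDINGS = find_suspicious_pushes(parse_log(SAMPLE_LOG),
                                  MANAGED_DEVICES, APPROVED_PACKAGES)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f['package']}: {f['devices']} devices, actors={f['actors']}")
        for r in f["reasons"]:
            print(f"  - {r}")
```

On the constructed log, only `com.example.sysupdate` is reported: it is absent from the allowlist and reached half of the fleet within a few seconds, while the approved mail and VPN pushes stay under the coverage threshold. In practice the allowlist should be generated from the change-management record of approved rollouts rather than maintained by hand, so that a package pushed outside that process stands out even when the MDM administrator account itself is the one doing the pushing.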
Right after infecting a device, the malware displays a dialog camouflaged as an update for the Android Accessibility Service, which keeps popping up on the screen until the victim gives in and taps the “Enable Update” button. Once it has been granted access to the Accessibility Service, Cerberus uses it to click menu options and bypass user interaction when accessing banking, email, messaging, and social media services.
Cerberus also has TeamViewer-based remote access Trojan (RAT) capabilities that give its operators full remote control of infected devices. Additionally, it uses overlays to grab the screen-lock pattern, enabling the attackers to unlock the devices remotely. The malware downloads a ring0.apk module which adds the ability to harvest contacts, SMS messages, and the list of installed applications and send them to the command and control server.