Skip to content

S0480 Cerberus

Cerberus is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of Cerberus claim was used in private operations for two years.1

Item Value
ID S0480
Associated Names
Version 1.1
Created 26 June 2020
Last Modified 11 September 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols Cerberus communicates with the C2 server using HTTP.2
mobile T1407 Download New Code at Runtime Cerberus can update the malicious payload module on command.1
mobile T1628 Hide Artifacts -
mobile T1628.001 Suppress Application Icon Cerberus hides its icon from the application drawer after being launched for the first time.1
mobile T1629 Impair Defenses -
mobile T1629.003 Disable or Modify Tools Cerberus disables Google Play Protect to prevent its discovery and deletion in the future.1
mobile T1630 Indicator Removal on Host -
mobile T1630.001 Uninstall Malicious Application Cerberus can uninstall itself from a device on command.1
mobile T1417 Input Capture -
mobile T1417.001 Keylogging Cerberus can record keystrokes.1
mobile T1417.002 GUI Input Capture Cerberus can generate fake notifications and launch overlay attacks against attacker-specified applications.1
mobile T1516 Input Injection Cerberus can inject input to grant itself additional permissions without user interaction and to prevent application removal.12
mobile T1430 Location Tracking Cerberus can collect the device’s location.1
mobile T1509 Non-Standard Port Cerberus communicates with the C2 using HTTP requests over port 8888.2
mobile T1406 Obfuscated Files or Information Cerberus uses standard payload and string obfuscation techniques.1
mobile T1636 Protected User Data -
mobile T1636.003 Contact List Cerberus can obtain the device’s contact list.1
mobile T1636.004 SMS Messages Cerberus can collect SMS messages from a device.1
mobile T1582 SMS Control Cerberus can send SMS messages from a device.1
mobile T1418 Software Discovery Cerberus can obtain a list of installed applications.1
mobile T1426 System Information Discovery Cerberus can collect device information, such as the default SMS app and device locale.12
mobile T1633 Virtualization/Sandbox Evasion -
mobile T1633.001 System Checks Cerberus avoids being analyzed by only activating the malware after recording a certain number of steps from the accelerometer.1