
S0480 Cerberus

Cerberus is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of Cerberus claim it was used in private operations for two years.[1]

| Item | Value |
|---|---|
| ID | S0480 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 26 June 2020 |
| Last Modified | 11 September 2020 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1432 | Access Contact List | Cerberus can obtain the device's contact list.[1] |
| mobile | T1418 | Application Discovery | Cerberus can obtain a list of installed applications.[1] |
| mobile | T1412 | Capture SMS Messages | Cerberus can collect SMS messages from a device.[1] |
| mobile | T1476 | Deliver Malicious App via Other Means | Cerberus has been delivered to the device via websites that prompt the user to "[...] install Adobe Flash Player" and then download the malicious APK to the device.[3] |
| mobile | T1407 | Download New Code at Runtime | Cerberus can update the malicious payload module on command.[1] |
| mobile | T1523 | Evade Analysis Environment | Cerberus avoids being analyzed by only activating the malware after recording a certain number of steps from the accelerometer.[1] |
| mobile | T1417 | Input Capture | Cerberus can record keystrokes.[1] |
| mobile | T1516 | Input Injection | Cerberus can inject input to grant itself additional permissions without user interaction and to prevent application removal.[1][2] |
| mobile | T1411 | Input Prompt | Cerberus can generate fake notifications and launch overlay attacks against attacker-specified applications.[1] |
| mobile | T1478 | Install Insecure or Malicious Configuration | Cerberus disables Google Play Protect to prevent its discovery and deletion in the future.[1] |
| mobile | T1430 | Location Tracking | Cerberus can collect the device's location.[1] |
| mobile | T1444 | Masquerade as Legitimate Application | Cerberus has pretended to be an Adobe Flash Player installer.[3] |
| mobile | T1406 | Obfuscated Files or Information | Cerberus uses standard payload and string obfuscation techniques.[1] |
| mobile | T1582 | SMS Control | Cerberus can send SMS messages from a device.[1] |
| mobile | T1437 | Standard Application Layer Protocol | Cerberus communicates with the C2 server using HTTP.[2] |
| mobile | T1508 | Suppress Application Icon | Cerberus hides its icon from the application drawer after being launched for the first time.[1] |
| mobile | T1426 | System Information Discovery | Cerberus can collect device information, such as the default SMS app and device locale.[1][2] |
| mobile | T1509 | Uncommonly Used Port | Cerberus communicates with the C2 over port 8888.[2] |
| mobile | T1576 | Uninstall Malicious Application | Cerberus can uninstall itself from a device on command.[1] |

References
