New Cerberus Campaign Impersonates Amazon

Much of the world has already begun to enter the "re-opening" phase, and some parts have already entered the so-called "new normal", in which the idea is that we can carry out practically the same activities as before, but with greater caution in order to avoid new outbreaks.


Along with this "re-opening" in the real world, it seems that a "re-opening" is also beginning to take place in the malware world.

In previous posts we have analyzed how malware developers are able to use a situation as complicated as a pandemic to infect a greater number of users thanks to campaigns related to the situation.

In this analysis, we saw how practically all known types of malware have used COVID-19 in their March and May campaigns to trick their victims and get them to install malicious apps on their devices.

However, in June we began to see other variants of these campaigns whose operation was the same as the campaigns this malware commonly uses: fake Flash Player apps. Now, in this "return to the new normal" for malware distribution, we are seeing a new campaign being used to distribute the Cerberus banking malware for Android.

It has drawn attention because it is not a regular Flash Player campaign: instead, the developers have chosen to impersonate Amazon and offer customers a fake app.


Usual Cerberus Campaigns

Cerberus, like most Android banking malware, frequently uses fake apps to make the user believe the app is something it is not; what it actually does is spy on the user's activity and steal their data, including credentials for their bank and other popular services.

Distribution campaigns for Android bankers revolve around Flash Player, the popular Adobe player that attackers impersonate to get their victims to install the malicious app.


Cerberus campaigns using fake Flash Player apps

Although impersonating the Adobe player is the most common choice, other brands have also been used to distribute malware, such as telecommunications apps offering data bundles, antivirus software or Google Play updates; the last of these is the most common impersonation after Flash Player.



Amazon Campaign

After the lockdown and fad of COVID-19 related campaigns and radar apps, the attackers behind Cerberus appear to be working on new distribution campaigns that look beyond the usual Flash Player or the use of fake Google Play updates.

In mid-June, a new Cerberus campaign was detected that, as a novelty, introduced a different brand for the distribution of the trojan, trying to increase the number of infected users as much as possible.


Fake website used for distribution

In the image above we can see that this campaign used a fake Amazon website that notifies the user that a new app is available, at which point the download of the malicious app begins.

The app's icon and title impersonate the Amazon application and, as the fake website suggests, it may look like the legitimate application. It is not: once installed, it asks the user to grant accessibility permissions, which it then uses to deploy its malicious functionality and begin stealing data.


Window requesting accessibility permissions to be provided
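The behaviour described above, a brand-like app that wants accessibility access, is also visible statically before the app is ever run. The following script is an added illustration, not code from buguroo or from any Cerberus sample: it parses a decoded AndroidManifest.xml (the readable form a decompiler produces) and reports services that can act as accessibility services, combined with the app label. The manifest, package name, service name and brand list are constructed for the demo.

```python
"""Static triage of a decoded AndroidManifest.xml for accessibility-service abuse.

Added illustration only; the manifest below is constructed and the package,
service and label values are made up.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def _attr(el: ET.Element, name: str) -> str | None:
    """Read an attribute from the android: namespace."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def accessibility_services(manifest_xml: str) -> list[str]:
    """Names of <service> elements that can act as an accessibility service.

    A service counts if it is protected by BIND_ACCESSIBILITY_SERVICE or if it
    declares the AccessibilityService intent action; either is enough for triage.
    """
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        perm = _attr(svc, "permission")
        actions = {_attr(a, "name") for a in svc.iter("action")}
        if perm == BIND_ACCESSIBILITY or ACCESSIBILITY_ACTION in actions:
            found.append(_attr(svc, "name"))
    return found


def app_label(manifest_xml: str) -> str | None:
    """The android:label of the <application> element, if present."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    return _attr(app, "label") if app is not None else None


def triage(manifest_xml: str,
           impersonated_brands: tuple[str, ...] = ("amazon", "flash player", "google play")) -> dict:
    """Combine the two signals the post describes: a brand-like label plus an accessibility service.

    This is a triage heuristic, not a verdict: a real brand app may legitimately
    ship an accessibility service, so the result should be checked against the
    APK's signing certificate before drawing conclusions.
    """
    label = app_label(manifest_xml) or ""
    services = accessibility_services(manifest_xml)
    brand_hit = any(b in label.lower() for b in impersonated_brands)
    return {"label": label, "accessibility_services": services,
            "suspicious": brand_hit and bool(services)}


# Constructed manifest for the demo (hypothetical package and class names).
DEMO_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeshop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Amazon" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity"/>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    print(triage(DEMO_MANIFEST))
```

The check keys on the manifest alone, so it runs on a decoded APK without executing anything; the label match is deliberately loose because the whole point of the campaign is that the icon and title look right.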

At a technical level, the sample contains nothing new: it keeps the usual functionality and the list of targeted entities is unchanged. Everything matches what we described in our Cerberus analysis and in our subsequent update on the new version in March.


This new sample continues to use RC4 encryption both for communication with the control server and for obfuscating text strings, which makes the samples harder to analyze. It also keeps the same strategy for decrypting and unpacking the malicious code: the payload is shipped as a fake JSON file that is actually a DEX code file, which is decrypted with RC4 and loaded at runtime.


Fake JSON file containing the encrypted malicious code

String encryption
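For an analyst, the unpacking scheme just described reduces to a simple on-disk check: a real JSON asset parses as JSON, while an RC4-wrapped DEX only reveals its "dex\n" magic after decryption with the right key. The script below is an added example and is not code from buguroo or from the Cerberus sample; it implements plain RC4, builds a constructed "asset" by wrapping a minimal fake DEX header under a made-up key, and shows how candidate keys (which in practice come from the dropper's own string table) are tried until a DEX header appears.

```python
"""Recover an RC4-wrapped DEX payload hidden in a fake ".json" asset.

Added illustration, not the post's or the malware's code. The key and the
sample blob are constructed for the demo; no real sample data is used.
"""
from __future__ import annotations

DEX_MAGIC_PREFIX = b"dex\n"   # followed by three version digits and NUL, e.g. b"035\x00"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_dex(blob: bytes) -> bool:
    """True if blob starts with a DEX magic: "dex\\n" + three digits + NUL."""
    return (len(blob) >= 8 and blob[:4] == DEX_MAGIC_PREFIX
            and blob[4:7].isdigit() and blob[7] == 0)


def looks_like_json(blob: bytes) -> bool:
    """Cheap sanity check: a genuine JSON asset starts with '{' or '[' after whitespace."""
    return blob.lstrip()[:1] in (b"{", b"[")


def recover_dex(blob: bytes, candidate_keys: list[bytes]) -> tuple[bytes | None, bytes | None]:
    """Try each candidate RC4 key; return (key, plaintext) for the first that yields a DEX."""
    for key in candidate_keys:
        plain = rc4(key, blob)
        if looks_like_dex(plain):
            return key, plain
    return None, None


# Constructed sample: a minimal fake DEX header wrapped in RC4 under a hypothetical key.
DEMO_KEY = b"demo-rc4-key"                              # made up for the demo
FAKE_DEX = b"dex\n035\x00" + bytes(range(0x68))         # 0x70 bytes, DEX header size
FAKE_JSON_ASSET = rc4(DEMO_KEY, FAKE_DEX)               # what a dropper would ship as "*.json"

if __name__ == "__main__":
    print("asset looks like JSON?", looks_like_json(FAKE_JSON_ASSET))
    key, dex = recover_dex(FAKE_JSON_ASSET, [b"wrong-guess", DEMO_KEY])
    print("recovered with key", key, "-> magic", dex[:8] if dex else None)
```

Because RC4 is a stream cipher with no integrity check, any key "succeeds" in producing output; the DEX magic check is what turns a decryption attempt into a yes/no answer, and the same header test applies to any blob loaded at runtime, whatever file extension it carries.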



As we can see, attackers are constantly looking for new ways to infect their victims.

During the lockdown, malicious apps related to COVID-19 were used to try to infect as many users as possible. Now that things are starting to get back to normal and the biological virus is losing strength, attackers are looking for new ways to distribute their creations.

In this case, the surprise came not from the Cerberus banking trojan for Android itself, which includes no new developments in its functionality, but from the new campaign the attackers used to distribute the sample.

Unlike the usual campaigns based on Adobe Flash Player, this campaign used the online shopping giant Amazon for the first time. The malware is distributed as if it were a legitimate update to the app, through a website that looks the same as the official Amazon site.

Posted by David Morán

David has more than 15 years' experience in cybersecurity, systems and development, starting out in a now-defunct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network, with a traffic load of over 12 Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits, as well as malware for Windows environments. He is currently the head of Revelock's development team, managing task distribution and negotiating with the Head of Technology.



bugFraud detects a phishing redirect or overlay (cloned page) attack from the moment a customer clicks on a link or has their navigation redirected. In addition to preventing customers from becoming victims, bugFraud also alerts the organization so that mitigating actions can be taken, from stepping up login authentication to stopping the session or locking the account.


Request a demo

Would you like to know how our solution protects your bank?

Find out how our solution can help you resolve your company's online fraud issues by requesting a free DEMO, and we will explain it to you in detail.
