Cerberus malware is deployed and distributed after compromising a company’s MDM server

Cyber criminals have breached into 75% of multinational conglomerate’s android devices using the Cerberus banking Trojan by breaching into Mobile Device Manager (MDM) server of the company. 

MDM is otherwise known as Enterprise Mobility Management Solution which assists organizations in managing the remote and mobile devices, say it be iOS, Android, macOS, or Windows. This solution usually comes with a server like any other product and it will be used to enroll in the corporate devices, to manage and secure them, allowing technicians to deploy applications, profiles, secure emails, conditional exchange access, content management and more.

What is Cerberus?

Cerberus is a Banking Trojan that was discovered in June 2019 is a MaaS and being used by the clients after purchasing them to drop payloads, take over and manipulate the devices. If the Cerberus malware is successfully deployed into a device, it can steal a wide range of business sensitive information like SMS, call logs, device credentials, two-factor authentication codes, device lock patterns, fetch information about installed apps and log keystokes. 

As soon as the hackers had breached into the company’s MDM servers, they deployed the Cerberus to a substantial amount of android devices as per Check Point Security researchers report. Furthermore, the attackers had installed two suspicious apps in number of devices using the MDM server, and after identifying the presence of this malicious application, the company has decided to factory reset all the android devices that had been enrolled with the compromised MDM server.

After successfully establishing itself within the device, the malware requests access for android accessibility service, asking the users to activate the same. Once approved, the malware is now more like a Thanos with all the infinity stones, it can navigate menus, make clicks, and totally bypass user dependency.

Cerberus’s overwhelming control over the devices

Cerberus is capable of Remote Access Trojan behavior, allowing cyber criminals to remotely control the infected device, and is also capable of overlay, allowing it to capture passwords, patterns, PINs, and even the two-factor authentication security. Furthermore, this malware can make calls behalf of the user, send SMS and USSD requests, install/uninstall applications and more.

Cerberus will continue to block the users privilege to uninstall Team Viewer and meanwhile gains administrative privileges as well. Additionally, it also prevents its installation procedures by not displaying the app details page. Cerberus ensures its deployment is safe by using Google Play Protect and sustaining its presence in the device.With the deployment of Cerberus, technicians will no longer be able to perform mobile device management operations on their managed devices. If you’re interested in understanding the malware further by studying the android apps’ package names, please check Check Point’s report on the same.