Cerberus – Android Banking Malware Bypass 2FA To Steal 200+ Mobile Apps Credentials

Recently, the security researchers have found some new strain of Cerberus Android malware that arrives with a broad array of features that allows it to steal all credentials from nearly 226 applications in various countries, including India as well.

This new version of the malware was named as Alien, which has targeted messaging apps like Gmail, Facebook, Telegram, Twitter, Snapchat, and WhatsApp. Apart from this, it also includes banking apps like Bank of America Mobile Banking and Capital One Mobile and many more.


Cerberus is one of the most successful Android banking Trojan services, or we can also say it is MaaS that means malware as a service. Right now, the whole world is dealing with a serious pandemic situation, and that’s why some issues are related to the shortcomings of the staff.

Due to this shortcoming issues of staff within the threat actor’s technical team, the architectural and technical problem with the Trojan hold out to be unsolved, and long enough for Google Play Protect to identify all associated samples on the place of all infected devices and it results to wretched customers.


Alien is a RAT that has several commonly used Android malware abilities, including the capability to start overlay attacks, manage and steal SMS messages, and build contact lists. Not only this, but it also can administer keylogging, location-collecting, and many more.  

Moreover, Alien has various more advanced techniques, including a notification sniffer that enables it to access all new updates on infected devices. The notifications also include 2FA codes, which enable the malware to bypass 2FA security measures.

Link to Cerberus

Cerberus initially emerged last August on underground meetings, which also offers a MaaS rental model, and at that time, Cerberus was addressed as a standard banking trojan. The malware was disclosed in an ill-disposed Android app on the Google Play app marketplace, which had nearly 10,000 downloads recently, in July.

However, on August 10, the malware author split the source code of the Trojan in public. And it seems that the new Alien malware was run separately and was a little bit different from the Cerberus. The biggest difference between the two is the Alien’s 2FA-stealing method, Threat Fabric researchers said.

Features of Alien

The Alien has several features that we have mentioned below:

  • Overlaying: Dynamic (Local injects obtained from C2)
  • Keylogging
  • Remote access
  • SMS harvesting: SMS listing
  • SMS harvesting: SMS forwarding
  • Device info collection
  • Contact list collection
  • Application listing
  • Location collection
  • Overlaying: Targets list update
  • SMS: Sending
  • Calls: USSD request making
  • Calls: Call forwarding
  • Remote actions: App installing
  • Remote actions: App starting
  • Remote actions: App removal
  • Remote actions: Showing arbitrary web pages
  • Remote actions: Screen-locking
  • Notifications: Push notifications
  • C2 Resilience: Auxiliary C2 list
  • Self-protection: Hiding the App icon
  • Self-protection: Preventing removal
  • Self-protection: Emulation-detection
  • Architecture: Modular

Cerberus Targets

According to all respective hackers that are hiring, the Trojan can add on their personalized targets to their botnet. Alien is a Trojan that is actively targeting all the institutions all over the world, and that’s why Alien has mostly targeted institutions from:-

  • Spain
  • Turkey
  • Germany
  • US
  • Italy
  • France
  • Poland
  • Australia
  • United Kingdom
  • India
  • Japan
  • China
  • Hong Kong
  • Ireland
  • Switzerland

According to the knowledge of Trojan, Alien malware is a fork of the first variant of Cerberus (v1), which are active since early January 2020 and that are rented out but at the same time as Cerberus. Moreover, Cerberus being knocked off, its customers seem to be shifting to Alien and has become the most critical new MaaS for all hackers.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.