
This undetectable Trojan targets hundreds of Android banking apps


The cybersecurity field is busy, and there is related news constantly. As security systems become more effective, malicious actors adapt by developing more sophisticated methods to bypass them. Now, researchers at Cyble have discovered a “new” Trojan with advanced stealth capabilities that targets Android banking apps.

The Trojan is called ErrorFather and is largely based on the code of Cerberus, a banking Trojan that emerged in 2019. Cerberus uses methods such as VNC (remote control of the device), keylogging (capturing the characters you type), and overlay attacks (fake screens displayed on top of a legitimate app to capture what you enter). However, ErrorFather modifies the code in ways that make it practically undetectable by current methods.

ErrorFather, the undetectable Trojan that targets Android banking apps

ErrorFather uses a multi-stage dropper approach to increase its effectiveness and avoid detection. If you’re not aware, dropper malware works by “dropping” malicious executable files (known as “payloads”) onto the targeted device. To do so, droppers may exploit OS-level vulnerabilities or abuse legitimate installation mechanisms, as this one does. In essence, the dropper makes sure the conditions needed to deploy the final payload are met.

There’s a main dropper APK that in turn contains a second-stage APK called “final-signed.apk.” The Trojan stores this second-stage dropper in the APK’s Assets folder, where it is packaged as opaque data rather than code, making it harder to identify as malware. Once “final-signed.apk” has been extracted from Assets, the main APK installs it on the device using a session-based installation technique. This means that your settings for restricting the installation of external APKs will not be effective.

The second-stage dropper does not directly declare the dangerous permissions and services in its manifest file, which further reduces the chance of detection. “final-signed.apk” contains an encrypted file that packs the dropper code; that code’s task is to execute “libmcfae.so” (a native library), which initiates the decryption of the final payload (“decrypted.dex”).
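The staged layout described above (an APK that carries a second APK in its assets, which in turn carries a native library and an encrypted blob) is something a defender can look for statically, because an APK is just a ZIP file. The following is an added triage example written for this article, not Cyble’s tooling or anything from the malware itself: it walks the archive, recurses into nested APKs, and flags DEX files, ELF libraries and high-entropy (likely encrypted) blobs found where only resources belong. The sample APK is constructed inline; the file names “final-signed.apk” and “libmcfae.so” are taken from the article, while the layout, the `payload.enc` name and the entropy threshold of 7.5 bits/byte are assumptions for illustration.

```python
"""Static triage for multi-stage Android droppers (added example, not Cyble's code)."""
import io
import math
import random
import zipfile
from collections import Counter

ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"
ELF_MAGIC = b"\x7fELF"
# Assumed cut-off: compressed or encrypted data sits close to 8.0 bits/byte,
# while text, XML and small binary config files sit well below it.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_blob(name: str, data: bytes) -> list:
    """Return (indicator, path) pairs for one archive entry, recursing into nested APKs."""
    findings = []
    if data.startswith(ZIP_MAGIC):
        try:
            inner = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return [("corrupt_zip", name)]
        names = set(inner.namelist())
        if "AndroidManifest.xml" in names or "classes.dex" in names:
            findings.append(("nested_apk", name))
            # Everything inside a nested APK is worth classifying: staged
            # droppers can nest more than one level deep.
            for sub in inner.infolist():
                if not sub.is_dir():
                    findings.extend(classify_blob(f"{name}!{sub.filename}", inner.read(sub)))
        else:
            findings.append(("nested_zip", name))
    elif data.startswith(DEX_MAGIC):
        findings.append(("dex", name))
    elif data.startswith(ELF_MAGIC):
        findings.append(("native_lib", name))
    elif len(data) >= 64 and shannon_entropy(data) >= ENTROPY_THRESHOLD:
        findings.append(("high_entropy_blob", name))
    return findings


def scan_apk(apk_bytes: bytes) -> list:
    """Scan resource directories of an APK; code or encrypted data there is a staging indicator."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            if info.filename.startswith(("assets/", "res/raw/")):
                findings.extend(classify_blob(info.filename, apk.read(info)))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample mimicking the layout the article describes; not a real malware sample."""
    rng = random.Random(2024)
    encrypted_blob = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for the encrypted code
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + bytes(61)  # placeholder ELF header
    fake_dex = DEX_MAGIC + b"035\x00" + bytes(60)  # placeholder DEX header

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", fake_dex)
        z.writestr("assets/payload.enc", encrypted_blob)  # assumed name for the encrypted file
        z.writestr("lib/arm64-v8a/libmcfae.so", fake_elf)

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", fake_dex)
        z.writestr("assets/config.json", b'{"theme": "light"}')  # benign asset, must not be flagged
        z.writestr("assets/final-signed.apk", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for kind, path in scan_apk(build_sample_apk()):
        print(f"{kind:18} {path}")
```

Run against the constructed sample, the scan reports the nested APK, the DEX and native library inside it, and the encrypted blob, while the plain JSON asset produces no finding. On a real APK the same logic is a cheap first pass before dynamic analysis; it says nothing about what the code does, only that the package carries more code than its manifest admits to.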

As you can see, the Trojan uses a sophisticated, multi-layered structure. The Cyble team submitted it to the VirusTotal platform, and no antivirus engine was able to detect it. This is quite interesting considering that the Trojan is based on code dating back to 2019 that antivirus engines have long detected.

How does the Trojan work once installed?

After installing “final-signed.apk” and successfully executing the final payload, the Trojan communicates with a Telegram bot. The bot receives the device’s model, brand, and API version. The Trojan also initiates malicious processes such as keylogging, overlay attacks, VNC, and PII (Personally Identifiable Information) collection. Additionally, it runs a domain generation algorithm (DGA) to generate command-and-control (C&C) domains.

The DGA is key to keeping the Trojan functional. Essentially, it ensures that the Trojan remains active even if the main servers fail, by establishing up to four additional C&C servers to sustain communication.
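From a defender’s side, a DGA-backed fallback like the one described above leaves a characteristic trace in DNS logs: one device asking for several random-looking domains in a short window, most of them answered NXDOMAIN because they were never registered, sometimes followed by one that resolves. The following is an added example written for this article (not derived from ErrorFather’s code or Cyble’s report) that applies that generic heuristic to constructed log lines. The log format, the device names, the domains, the five-minute window and the vowel-ratio test for “random-looking” labels are all assumptions for illustration; real DGA families vary, and this catches only the lexically random kind.

```python
"""Flag devices whose DNS activity looks like DGA fallback (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> device=<id> qname=<name> rcode=<NOERROR|NXDOMAIN|...>"
LOG_RE = re.compile(r"^(?P<ts>\S+) device=(?P<dev>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)$")

# Constructed sample: dev-a fails three random-looking lookups and then reaches a
# fourth; dev-b shows ordinary browsing plus one typo. Nothing here is a real IoC.
SAMPLE_LOG = """
2024-10-03T10:00:01Z device=dev-a qname=www.google.com rcode=NOERROR
2024-10-03T10:00:02Z device=dev-a qname=kq8zvtx2plm.top rcode=NXDOMAIN
2024-10-03T10:00:04Z device=dev-a qname=ztrwqpbnx.xyz rcode=NXDOMAIN
2024-10-03T10:00:07Z device=dev-a qname=bhjkmnpqrst.info rcode=NXDOMAIN
2024-10-03T10:00:09Z device=dev-a qname=fgzxwvq4pl.site rcode=NOERROR
2024-10-03T10:00:03Z device=dev-b qname=mybank.example rcode=NOERROR
2024-10-03T10:05:00Z device=dev-b qname=typo-site.example rcode=NXDOMAIN
""".strip().splitlines()


def parse_line(line: str):
    """Return (timestamp, device, qname, rcode) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["dev"], m["qname"].rstrip(".").lower(), m["rcode"]


def looks_generated(qname: str) -> bool:
    """Lexical heuristic on the registrable label: long, vowel-poor or digit-mixed names."""
    parts = qname.split(".")
    if len(parts) < 2:
        return False
    label = parts[-2]
    letters = [c for c in label if c.isalpha()]
    if len(label) < 8 or not letters:
        return False
    vowel_ratio = sum(c in "aeiouy" for c in letters) / len(letters)
    return vowel_ratio < 0.25 or (any(c.isdigit() for c in label) and len(label) >= 10)


def find_dga_suspects(lines, window=timedelta(minutes=5), min_failures=3) -> dict:
    """Per device: >= min_failures distinct generated-looking NXDOMAINs inside one window.

    The result also lists generated-looking names that *did* resolve in that window,
    which is where a live fallback server would show up.
    """
    by_dev = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_dev[rec[1]].append(rec)

    suspects = {}
    for dev, recs in by_dev.items():
        recs.sort()  # chronological; timestamps are all tz-aware
        for i, (t0, _, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] - t0 <= window]
            failed = sorted({r[2] for r in in_window if r[3] == "NXDOMAIN" and looks_generated(r[2])})
            if len(failed) >= min_failures:
                resolved = sorted({r[2] for r in in_window if r[3] == "NOERROR" and looks_generated(r[2])})
                suspects[dev] = {"nxdomain": failed, "resolved": resolved}
                break
    return suspects


if __name__ == "__main__":
    for dev, detail in find_dga_suspects(SAMPLE_LOG).items():
        print(dev, detail)
```

On the constructed log only `dev-a` is flagged, with three failed random-looking lookups and `fgzxwvq4pl.site` as the name that finally resolved; `dev-b`’s single typo stays below the threshold. In practice the thresholds would be tuned against a baseline of the fleet’s normal NXDOMAIN rate, and the resolved name would feed a block list rather than be acted on blindly.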

Overlay attacks operate in the same manner as in the original Cerberus banking Trojan. First, the Trojan obtains the list of installed apps and sends it to remote servers. The servers look for banking apps from which they can harvest your credentials. After identifying potential targets, the remote server “tells” the Trojan which ones they are. Once you open a targeted banking app, the Trojan uses HTML web injection to display a fake phishing page over it. If you enter your credentials on the fake page, the malicious party receives them.

Your banking credentials are not the only potential targets for the Trojan. It will also try to steal your credit card details. The latter is an easier way to cause financial harm, since bank accounts protected by additional login barriers (like 2FA) could still keep the attacker out.

A campaign to boost the reach of the Android banking trojan could be underway

The original Cerberus Trojan targeted over 450 Android banking and social media apps. Its effectiveness has led to “forks” such as Alien, ERMAC, Phoenix, and ErrorFather. The Cyble team detected the first sample of ErrorFather in mid-September 2024. However, there was a noticeable increase during the first week of October 2024. This suggests that there’s an ongoing campaign to increase the reach of ErrorFather.

What you can do to avoid being a victim of similar attacks

While the Cerberus-based ErrorFather Android banking Trojan uses fairly sophisticated methods, you can avoid falling victim by following basic security tips. These include installing apps only from the Play Store, enabling 2FA on your bank accounts and other sensitive accounts (like your Google account), and avoiding opening links received via SMS or messaging apps. You should also avoid granting sensitive permissions to unknown apps, especially if they come from unofficial sources. Lastly, keeping your device and apps updated also helps.
