Serviciul Roman de Informatii


Awareness: Malware campaign to steal banking credentials
April 24, 2020

In the context of the SARS-CoV-2 pandemic, a malware campaign intended to steal banking credentials from users' mobile devices has been identified.

The campaign circulates a text message that delivers a new version of Cerberus Android Banker Trojan. The message is written in Romanian and invites users to click on a link and download information about SARS-CoV-2. The message reads "Secret details about COVID-19!". The link initiates the download of a file called File.apk, which releases the Trojan onto mobile devices running the Android operating system, versions 4.0 to 10. The functionality of Cerberus Android Banker Trojan stops Android's Play Protect service from detecting it and also stops the user from subsequently uninstalling the application.

The main risk is that the Trojan gives illicit access to data from banking applications. Cerberus Android Banker Trojan can also harvest data from messaging and e-mail applications installed on the targeted device (for instance Telegram, WhatsApp or Gmail), log all keystrokes, and ultimately enable data exfiltration.

The Trojan also enables the collection and redirection of SMS messages and e-mail; it can make or divert calls, retrieve the contact list and the call history, and track the device's location.

We recommend that you check your bank accounts in order to avoid any unauthorized access. If you suspect that your mobile device may be infected, follow this procedure: reset the device to factory settings and change the access credentials for the device and for the dedicated applications.

As a preventive measure, and to ensure the security of your mobile devices, we advise you to avoid opening links or attachments of unknown origin.