The Cybersecurity Lair™ • October 15, 2024

Latest News | ErrorFather Campaign: Cerberus Trojan Strikes Again

Cerberus Trojan Returns in ErrorFather Campaign

Android Users Face Evolving Threat as Cybercriminals Repurpose Banking Trojans

A new malicious campaign, dubbed "ErrorFather," has been discovered, deploying the Cerberus Android banking Trojan through fake Chrome and Play Store apps. According to Cyble Research and Intelligence Labs, this sophisticated multi-stage attack has been ramping up since mid-September 2024, targeting specific victims with advanced techniques. The campaign is ongoing, posing a serious threat to Android users.


Key events:


  • Cerberus Banking Trojan: Cerberus is an Android Trojan designed to steal login credentials, credit card details, and personal information by disguising itself as legitimate apps.
  • Evolution of Cerberus: Since its appearance in 2019, Cerberus has spawned several variants, including Alien, ERMAC, and Phoenix, each repurposing its codebase to target financial and social media apps.
  • ErrorFather Campaign: The ErrorFather campaign uses a modified version of Cerberus and employs a complex multi-stage infection process, making it difficult to detect or remove.
  • Advanced Techniques: ErrorFather uses keylogging, overlay attacks, Virtual Network Computing (VNC), and a domain generation algorithm (DGA) to communicate with command-and-control (C2) servers, ensuring the malware remains active even if primary servers are taken down.
  • Ongoing Campaign: The ErrorFather malware is still operational, and its C2 server remains active, indicating that the threat is far from over.
  • Use of Telegram: The campaign communicates via a Telegram bot named 'ErrorFather,' adding a layer of sophistication to the attack.


The resurgence of the Cerberus Trojan in the form of the ErrorFather campaign highlights the persistent nature of malware threats. Despite Cerberus being an older malware strain, its ability to evade detection and be continuously retooled into new variants like Alien and Phoenix is alarming. This campaign shows that older, well-known threats can still pose serious risks when repurposed with modern techniques.


The multi-stage infection process used in the ErrorFather campaign, coupled with sophisticated communication methods like Telegram bots and DGA, illustrates how attackers are becoming more advanced in ensuring their malware remains operational. The constant adaptation of these threats means that even highly secure environments must remain vigilant against evolving cyberattacks.


Recommendations: To protect against campaigns like ErrorFather, users and businesses should take the following precautions:



  • Stick to Official App Stores: Only download apps from trusted sources like the Google Play Store or iOS App Store to minimise the risk of installing malicious software.
  • Use Reputable Security Software: Install trusted antivirus and internet security packages on all devices, including PCs, laptops, and mobile phones, to defend against known and emerging threats.
  • Enable Multi-Factor Authentication (MFA): MFA provides an additional layer of security, making it harder for attackers to gain access to your accounts.
  • Use Biometric Security: Where possible, enable fingerprint or facial recognition on your mobile devices for added security.
  • Activate Google Play Protect: Ensure Google Play Protect is turned on to help identify and block harmful apps on Android devices.


Source and further reading.


Poireault, K. (2024, October 15). Cerberus Android Banking Trojan deployed in new Multi-Stage Malicious campaign. Infosecurity Magazine. https://www.infosecurity-magazine.com/news/cerberus-android-banking-trojan