A threat actor managed to compromise more than 75% of the devices within a company by distributing their malware through a mobile device management (MDM) server, Check Point reports.
As part of the attack, cybercriminals were distributing a new variant of the Cerberus Android malware that was designed to collect large amounts of sensitive data and exfiltrate it to a remote command and control (C&C) server. The victim was described as a “multinational conglomerate” and researchers believe the attack was targeted.
First identified on February 18, the attack involved the installation of two malicious applications onto the organization’s devices within a short period of time. This was possible because the attackers breached the target’s MDM server and abused its remote app installation features to install malware.
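The attack pattern described above, two packages pushed to most of the fleet through the MDM's remote-install feature within a short window, is something the MDM server's own audit trail can reveal. The following is an added detection example, not code from Check Point or from any MDM product; the event tuple format and the package names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def flag_mass_installs(events, fleet_size, fraction=0.5, window=timedelta(hours=1)):
    """Return {package: (devices_hit, window_start)} for every package that was
    remotely installed on at least `fraction` of the fleet inside any interval
    of length `window`.

    events: iterable of (timestamp: datetime, device_id: str, package: str),
    as would be extracted from an MDM server's remote-install audit log
    (the tuple layout is an assumption of this example).
    """
    by_pkg = defaultdict(list)
    for ts, dev, pkg in events:
        by_pkg[pkg].append((ts, dev))
    flagged = {}
    for pkg, hits in by_pkg.items():
        hits.sort()
        best, best_start = 0, None
        for i, (start, _) in enumerate(hits):
            # distinct devices that received this package within [start, start + window]
            devs = {d for ts, d in hits[i:] if ts - start <= window}
            if len(devs) > best:
                best, best_start = len(devs), start
        if best >= fraction * fleet_size:
            flagged[pkg] = (best, best_start)
    return flagged

def constructed_events():
    """Constructed sample audit events for a 10-device fleet (not real data)."""
    t0 = datetime(2020, 2, 18, 9, 0)
    ev = []
    for i in range(8):
        dev = f"dev{i:02d}"
        # two packages pushed to 8 of 10 devices a few minutes apart: the incident's pattern
        ev.append((t0 + timedelta(seconds=40 * i), dev, "com.constructed.update"))
        ev.append((t0 + timedelta(minutes=5, seconds=40 * i), dev, "com.constructed.helper"))
        # a routine rollout reaching the same devices, but spread over a week
        ev.append((t0 - timedelta(days=7 - i), dev, "com.constructed.mail"))
    return ev

if __name__ == "__main__":
    for pkg, (n, start) in flag_mass_installs(constructed_events(), fleet_size=10).items():
        print(f"{pkg}: {n} devices within one hour of {start:%Y-%m-%d %H:%M}")
```

The routine rollout is not flagged because its installs never cluster inside the window; only the two rapidly pushed packages are reported.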
The Cerberus banking Trojan used in this attack is a known Malware-as-a-Service (MaaS) offering with Mobile Remote Access Trojan (MRAT) capabilities. It can log keystrokes on the device and steal credentials, Google Authenticator data, and received SMS messages (2FA codes included). Attackers can use it to control the device remotely via TeamViewer.
Once installed, the malware displays a window that masquerades as an update for the accessibility service. After the user accepts the update, the threat can invoke the accessibility service whenever needed to bypass user interaction.
Next, the malware registers a receiver for various system events, so that it can start the malicious flow when triggered. After making initial contact with the C&C server, the malware receives a list of commands to perform.
The main module of the threat can steal Google Authenticator credentials, Gmail passwords and phone unlocking patterns, can send out a list of files and installed applications, and can also upload files if requested. It can also block attempts to uninstall TeamViewer, which provides attackers with remote control capabilities.
For persistence, the malware leverages admin privileges, and can prevent uninstallation attempts by automatically closing the App Detail page. It also disables Google Play Protect to prevent detection and removal.
A second module (payload), designed mainly with data and credential stealing capabilities, can collect all contacts, SMSs, and installed applications, and send the data to the C&C. Moreover, the module can send SMS messages, make calls, send USSD requests, display notifications, install or uninstall applications, and open popup activities with URLs.
According to Check Point, the malware performed its data stealing activities on all of the unprotected devices that were compromised, meaning that any credentials used there were stolen. If any of these unprotected devices was used by an administrator to access corporate resources using their credentials, the attackers received these credentials.
Due to the extent of compromise and the malware’s capabilities, the victim organization decided to factory-reset all devices.
“This campaign demonstrates the importance of understanding the difference between managing and securing mobile devices. While MDM offers an easy way to manage those devices, security cannot be ignored. Mobile devices are an integral part of the way we work, how we communicate, and how our businesses operate. They need to be protected as any other endpoint as they offer a tempting target,” Check Point concludes.