Introduction
The ErrorFather campaign represents a sophisticated and evolving threat in the realm of cybercrime, leveraging a modified variant of the Cerberus-based Android Banking Trojan to conduct financial fraud. This campaign, identified by Cyble Research and Intelligence Labs [5], highlights the persistent danger posed by repurposed malware and the innovative techniques employed by cybercriminals to exploit vulnerabilities in mobile applications.
Description
A sophisticated malicious campaign named ErrorFather has emerged [3] [5], utilizing a modified variant of the Cerberus-based Android Banking Trojan framework to execute financial fraud. Identified by Cyble Research and Intelligence Labs (CRIL) [5], this campaign has been active since mid-September 2024 [5], indicating a surge in targeted activities by cybercriminals. The campaign underscores the ongoing threat posed by repurposed malware [6] [7] [10], as attackers exploit leaked source code from the original Cerberus malware [10], first observed in 2019 [4] [6] [9], to create various malicious applications that masquerade as legitimate Chrome and Play Store apps.
The ErrorFather campaign employs a multi-stage dropper mechanism [1] [2], beginning with a primary APK that functions as a session-based dropper. This initial dropper contacts a Telegram bot associated with the campaign to retrieve a second-stage APK named “final-signed.apk.” The second-stage dropper requests dangerous permissions, uses a multi-stage installation technique to bypass restricted settings [6], and relies on a native library (libmcfae.so) [2] to decrypt and execute the final payload [7], which remains undetected by antivirus engines [7] [9]. The dropper disguises itself as a legitimate application [8] and delivers encrypted payloads capable of keylogging [8], overlay attacks [2] [4] [5] [6] [7] [8] [9], and remote control over virtual network computing (VNC).
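The dropper profile above (dangerous permissions, an Accessibility-bound service, a bundled native library) is something an analyst can check statically. The following Python is an added example written for this summary, not code from Cyble or any of the cited reports: the manifest and the in-memory APK are constructed samples, the package and service names are invented, the permission list is the editor's assumption of what to flag, and only the file name libmcfae.so comes from the page. It assumes the manifest has already been decoded to text (for instance with apktool), since the manifest inside a raw APK is binary.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Android attribute namespace used for android:name, android:permission, ...
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions worth flagging in a triage pass. The report only says the
# second-stage dropper requests "dangerous permissions", so this set is the
# editor's assumption of what a banking-trojan analyst would look for.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",   # sideloads the next stage
    "android.permission.SYSTEM_ALERT_WINDOW",        # overlay windows
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest modelled on a dropper posing as Chrome; the package and
# service names are invented for this example.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakechrome">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Chrome">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def build_sample_apk() -> bytes:
    """Build a minimal in-memory APK (a zip) carrying a stub native library
    named after the one cited in the report. The ELF bytes are a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"")
        z.writestr("lib/arm64-v8a/libmcfae.so", b"\x7fELF")
    return buf.getvalue()


def triage_manifest(manifest_xml: str) -> dict:
    """Report risky permissions and Accessibility-bound services from a
    decoded AndroidManifest.xml (apktool output)."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    accessibility_services = [
        svc.get(ANDROID_NS + "name")
        for svc in root.iter("service")
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
    ]
    return {
        "risky_permissions": sorted(requested & RISKY_PERMISSIONS),
        "accessibility_services": accessibility_services,
    }


def list_native_libs(apk_bytes: bytes) -> list:
    """List native libraries bundled under lib/; an APK is a zip archive."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return sorted(n for n in apk.namelist()
                      if n.startswith("lib/") and n.endswith(".so"))


def triage_apk(apk_bytes: bytes, manifest_xml: str) -> dict:
    """Combine both checks into a verdict: an app that binds an Accessibility
    service, asks for install/overlay/SMS permissions and ships native code
    matches the dropper profile described in the report."""
    findings = triage_manifest(manifest_xml)
    findings["native_libs"] = list_native_libs(apk_bytes)
    hits = sum([
        bool(findings["accessibility_services"]),
        bool(findings["risky_permissions"]),
        bool(findings["native_libs"]),
    ])
    findings["verdict"] = "suspicious" if hits >= 2 else "low"
    return findings


if __name__ == "__main__":
    for key, value in triage_apk(build_sample_apk(), SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A presence check like this is a triage filter, not a detection: plenty of legitimate apps declare an Accessibility service or ship native code, so the value is in the combination of indicators and in routing the sample to dynamic analysis of what the native library decrypts.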
The final payload of ErrorFather employs advanced techniques such as the collection of personally identifiable information (PII) and HTML injection, allowing the threat actor to deceive victims into entering sensitive information on fake phishing pages overlaid on legitimate applications. The malware identifies potential targets by sending a list of installed applications and overlaying fake phishing pages to capture login credentials and credit card details [2]. Additionally, a Domain Generation Algorithm (DGA) is utilized to dynamically update Command and Control (C&C) servers [8], ensuring operational continuity even if primary servers are compromised [5] [7] [9]. The C&C communication has been modified to use a dual method: first, establishing a connection with a main C&C server to receive a list of static C&C servers, and then generating dynamic domains based on the Istanbul timezone [7], which are stored in the “ConnectGates” setting [8].
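Because the report does not disclose the DGA itself, a defender cannot pre-compute its domains, but DNS telemetry still exposes the behaviour: an infected device queries a run of random-looking names after contacting the main server. The Python below is an added example by the editor, not code from the cited reports. The log lines are constructed, the entropy and vowel thresholds are illustrative assumptions, and the Istanbul date helper only shows the timezone trap the report's description implies: a UTC timestamp late in the evening already belongs to the next day's seed in Istanbul time.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed DNS query log in a "timestamp client query TYPE name" shape.
# The two random-looking names are invented to stand in for DGA output.
SAMPLE_DNS_LOG = """\
2024-10-14T09:01:02Z 10.0.0.7 query A play.google.com
2024-10-14T09:01:05Z 10.0.0.7 query A xkqzvtrpwm.com
2024-10-14T09:01:06Z 10.0.0.7 query A chrome.google.com
2024-10-14T09:01:09Z 10.0.0.7 query A qwlxztbvkr.net
2024-10-14T09:01:11Z 10.0.0.9 query A mail.example.org
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$")
VOWELS = set("aeiou")

# Turkey has stayed on UTC+3 year-round since 2016, so a fixed offset avoids a
# dependency on system tzdata. Any reimplementation of the DGA for blocklist
# pre-computation would have to read its date seed from this clock.
ISTANBUL = timezone(timedelta(hours=3))


def istanbul_seed_date(utc_timestamp: str) -> str:
    """Convert an ISO-8601 UTC timestamp to the calendar date in Istanbul
    time. Late-evening UTC already falls on the next Istanbul day."""
    dt = datetime.fromisoformat(utc_timestamp.replace("Z", "+00:00"))
    return dt.astimezone(ISTANBUL).date().isoformat()


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of the label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """Crude registrable-label extraction without a public-suffix list
    (an assumption for this example; use a PSL in production)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(qname, min_entropy=3.0, max_vowel_ratio=0.2, min_consonant_run=5):
    """Heuristic: high character entropy with few vowels, or a long consonant
    run, is typical of algorithmically generated labels. Thresholds are
    illustrative assumptions, not tuned values."""
    label = second_level_label(qname)
    if not label:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou0-9-]+", label)), default=0)
    return (shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio) \
        or longest_run >= min_consonant_run


def flag_clients(log_text: str, threshold: int = 2) -> set:
    """Return clients that issued at least `threshold` DGA-like queries; a
    host walking a generated domain list looks like this in DNS telemetry."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and is_dga_like(m.group("qname")):
            hits[m.group("client")] += 1
    return {client for client, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    print("flagged clients:", flag_clients(SAMPLE_DNS_LOG))
    print("seed date for 2024-10-14T22:30:00Z:", istanbul_seed_date("2024-10-14T22:30:00Z"))
```

Entropy heuristics produce false positives on CDN and tracking hostnames, which is why the example counts per client rather than alerting on a single query; pairing the flagged client with the overlay and Accessibility indicators from the dropper is what turns a DNS anomaly into an incident.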
The ErrorFather campaign exemplifies the sophisticated nature of current threats targeting financial and social media applications through the Accessibility service. Despite the modifications made to it [6], this Cerberus variant retains significant code similarities with earlier Cerberus payloads [8], particularly in its shared preference settings and structure [2], so it should not be classified as entirely new malware [6]. The campaign employs a retooled Cerberus banking Trojan [8] that uses VNC [1] [3] [5] [7] [8] [9] [10], keylogging [2] [4] [5] [6] [7] [8] [9], and HTML injection to steal financial information while evading antivirus detection [8]. Actions the malware performs include sending device information [9], capturing screen images through VNC [9], logging keystrokes [2] [9], sending SMS messages [9], and checking for registered users to maintain continuous control over infected devices. Continued activity of the C&C server indicates that the campaign remains operational, underscoring the persistent risks associated with this evolving threat.
Conclusion
The ErrorFather campaign illustrates the ongoing evolution of cyber threats, particularly in the financial sector, where attackers continuously adapt and refine their methods. To mitigate the risks associated with such threats [1], it is crucial to use official app stores [1] [4], implement strong passwords [1], enable multi-factor authentication (MFA) [1], and utilize robust security software. As cybercriminals persist in their efforts to exploit vulnerabilities, staying informed and adopting proactive security measures will be essential in safeguarding sensitive information and maintaining digital security.
References
[1] https://thenimblenerd.com/article/cerberus-strikes-again-errorfather-trojan-campaign-targets-android-users-with-a-vengeance/
[2] https://gbhackers.com/errorfather-hackers-android-attack/
[3] https://www.infosecurity-magazine.com/news/cerberus-android-banking-trojan/
[4] https://thecyberwire.com/podcasts/daily-podcast/2169/transcript
[5] https://cybermind.in/cerberus-android-banking-trojan-deployed-in-new-malicious-campaign/
[6] https://thecyberexpress.com/errorfather-android-malware-evades-security/
[7] https://cyble.com/blog/hidden-in-plain-sight-errorfathers-deadly-deployment-of-cerberus/
[8] https://cyberpress.org/hackers-are-hijacking-android-devices/
[9] https://news.backbox.org/2024/10/14/hidden-in-plain-sight-errorfathers-deadly-deployment-of-cerberus/
[10] https://thehackernews.com/2024/10/trickmo-banking-trojan-can-now-capture.html