A new variant of the Cerberus Android Trojan has been discovered with dangerous spyware capabilities. Enterprise Mobility Management (EMM) stakeholders should remain vigilant so that their device fleets are not compromised by it.
Cerberus was first detected last year and was classified as a standard Android banking Trojan. The variant discovered this month adds sophisticated information-harvesting capabilities and the ability to run TeamViewer remotely on Samsung devices.
Cerberus possesses sophisticated information harvesting capabilities
Researchers also found that the Trojan has Mobile Remote Access Trojan (MRAT) capabilities. It logs every keystroke on the device, including user credentials, and captures Google Authenticator data, fingerprint data and all incoming text messages, including two-factor authentication codes. The captured information is then uploaded to a remote command-and-control (C&C) server.
The variant was discovered while it was targeting a multinational conglomerate, where it was pushed to handsets through the company's own Mobile Device Management (MDM) server and infected over 75% of the company's devices.
Once Cerberus is installed on a device, it displays a window demanding an "Accessibility services update". The window reappears every time it is dismissed. Once the user taps accept, the malware holds the accessibility-service permission, which lets it operate menu options on the user's behalf and bypass all further user interaction.
Ability to log keystrokes and run TeamViewer remotely
What makes this malware so dangerous is its spyware capability. Through the accessibility service it can harvest highly confidential data such as Google Authenticator codes, Gmail passwords and the phone's unlock pattern. All of this, together with a list of files and installed applications and every user keystroke, is uploaded to the remote C&C server, and on request from that server specific files can also be uploaded from the device.
On Samsung devices Cerberus goes a step further: it runs TeamViewer, a legitimate remote-access application, while keeping the device unlocked. It abuses Samsung Knox functionality to grant TeamViewer's permissions automatically, handing the threat actor remote control of the handset. It also blocks attempts to uninstall TeamViewer and prevents the user from opening the application themselves.
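The two behaviours described above leave footprints that an administrator can look for directly: an unexpected app granted the accessibility service, and a remote-access package installed on a corporate handset. The script below is an added example, not code from this article or from Seqrite's products. It assumes the outputs of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages` have been captured into shell variables; the captures shown are constructed samples, the allowlist of expected accessibility services is an assumption (build yours from a clean reference device), and the `com.example.*` package names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article or Seqrite): triage a managed Android
# handset for two Cerberus footprints:
#   1. an unexpected app granted the accessibility service (the Trojan nags
#      the user with a fake "Accessibility services update" until accepted);
#   2. a remote-access package such as TeamViewer installed on the device.
# Inputs are the raw outputs of
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages
# captured into variables. The captures below are CONSTRUCTED samples.

# Accessibility services the organisation expects to be enabled. This
# allowlist is an assumption for the example; derive yours from a clean,
# fully provisioned reference device of the same model and OS build.
ALLOWED_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Case-insensitive substring to flag in the package list. Extend with any
# other remote-access tools that are unexpected on corporate handsets.
REMOTE_ACCESS_PATTERN="teamviewer"

# Print each enabled accessibility service that is not on the allowlist.
# Returns 0 when everything enabled is expected, 1 otherwise.
# Runs in a subshell so the IFS change does not leak to the caller.
check_accessibility() (
    IFS=':'
    status=0
    for svc in $1; do
        [ -z "$svc" ] && continue
        expected=0
        for ok in $ALLOWED_A11Y; do
            [ "$svc" = "$ok" ] && expected=1
        done
        if [ "$expected" -eq 0 ]; then
            echo "UNEXPECTED accessibility service: $svc"
            status=1
        fi
    done
    return "$status"
)

# Print each installed package matching REMOTE_ACCESS_PATTERN.
# Returns 0 when no remote-access package is present, 1 otherwise.
find_remote_access() {
    found=$(printf '%s\n' "$1" | sed -n 's/^package://p' \
            | grep -i "$REMOTE_ACCESS_PATTERN" || true)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | sed 's/^/remote-access package present: /'
    return 1
}

# Constructed sample captures. TalkBack and TeamViewer QuickSupport carry
# their real identifiers; the com.example.* names are hypothetical.
CLEAN_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
SUSPECT_SERVICES="$CLEAN_SERVICES:com.example.update/com.example.update.A11yService"
CLEAN_PACKAGES="package:com.android.chrome
package:com.google.android.gm"
SUSPECT_PACKAGES="package:com.android.chrome
package:com.teamviewer.quicksupport.market
package:com.example.update"

echo "== clean capture =="
check_accessibility "$CLEAN_SERVICES" && echo "accessibility services: ok"
find_remote_access "$CLEAN_PACKAGES" && echo "remote-access packages: none"
echo "== suspect capture =="
check_accessibility "$SUSPECT_SERVICES" && echo "accessibility services: ok"
find_remote_access "$SUSPECT_PACKAGES" && echo "remote-access packages: none"
```

Run it from an independent host over adb rather than as a task pushed by the MDM: in the incident described here the MDM server itself was the distribution channel, so a check that relies on the MDM to deliver and report it would be checked by the very system that was compromised. On a fleet, the same allowlist logic belongs in an EMM compliance rule, with any unexpected accessibility service treated as an incident rather than a warning.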
Investigations found that the malware spread so quickly because the attackers compromised the company's MDM server and used it as the distribution channel: the mechanism an enterprise trusts to push applications to every managed device pushed the Trojan instead. The attack underlines the importance of hardening and monitoring the MDM system itself, especially now that the COVID-19 pandemic has forced many employers to mandate remote working for their employees.
The Seqrite Advantage
The Cerberus spyware has drawn a clear line through what is otherwise a grey area: the difference between managing devices and securing them. Device management covers configuring policies, settings, applications and so on, while device security concentrates on protecting the device from malware and other forms of cyberattack. Most EMM suites focus far more on managing devices than on securing them.
Seqrite's EMM suite, by contrast, provides best-in-class device management features complemented with security features (such as anti-virus) to counter advanced malware such as Cerberus.
On the security side, Seqrite's EMM products, mSuite and Workspace, are already equipped with capabilities that protect your organization from advanced threats such as the Cerberus malware. The suite comes with modules such as a secured container, anti-malware, web security and scheduled scans that secure your corporate mobile devices.
The mSuite and Workspace modules described below support a seamless Enterprise Mobility Management experience:
Seqrite mSuite is an Enterprise Mobility Management (EMM) solution available both in the cloud and on-premise. Powered by GoDeep.Ai, Seqrite's artificial intelligence platform, mSuite lets enterprises mobilize their workforce while retaining the flexibility and control to secure company data on any device. Its anti-malware keeps Android devices safe from viruses, Trojans, ransomware, fake apps and other malicious apps.
The App Management feature allows seamless management of applications on company devices, while the Data Monitoring & Management features help enterprises define digital boundaries and enhance device security with multiple default policies that can be customized for compliance.
Alongside mSuite, Seqrite Workspace protects organizational data in a Bring Your Own Device (BYOD) environment by creating a virtual workspace on employee-owned devices, which prevents data leaks and keeps personal and organizational data separate.