
Cerberus

Cerberus is an Android banking trojan. The provided content describes it as a well-known mobile banker that has been rented and sold in underground forums, with reporting that its maintainer auctioned the full project including source code, APK, module, admin panel, servers, scripts, and customer contacts. Cerberus was promoted as a more reliable alternative to Anubis-based bankers, and ThreatFabric reported it was not a clone of Anubis. Its source code was later leaked and subsequently reused by newer Android malware such as Perseus, which was explicitly described as being built on leaked Cerberus code.

High-confidence capabilities mentioned in the content include collecting SMS messages, sending SMS messages, obtaining the device contact list, collecting device information such as the default SMS application and device locale, and communicating with command-and-control infrastructure over HTTP. Additional reporting in the content states Cerberus can spoof banking notifications, prompt victims for banking credentials, steal two-factor authentication codes, run installed apps, perform keylogging, and record audio. These capabilities are described as enabling interception of OTPs and bypass of MFA for unauthorized transactions.

The malware is associated with Android-focused financial fraud and credential theft. The content links Cerberus to campaigns delivered through trojanized Android installers and smishing, where victims are lured into downloading malicious installers that deploy Cerberus and other malware. Another report cited in the content states ErrTraffic/ClickFix campaigns can deliver Cerberus as the Android payload. The content also notes broader Android banking trojan activity involving Cerberus in regions such as Brazil, Turkey, Spain, Italy, and Southeast Asia, though specific Cerberus-only targeting details are limited.

Cerberus is repeatedly referenced as a prolific Android malware family whose leaked code influenced successor malware. It is also mentioned in relation to campaigns and malware ecosystems involving Android credential theft, interception of authentication codes, and abuse of contact lists. No single set of IoCs is provided in the content beyond behavioral indicators such as HTTP C2 communications and theft of SMS, contacts, device metadata, banking credentials, and 2FA codes.
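Since the page gives behavioural indicators rather than IoCs, a first triage step for a suspect APK is to check whether its manifest declares the same capability set the page attributes to Cerberus (SMS collection and sending, contact list access, audio recording, HTTP C2, and an Accessibility Service). The following is an added example, not Mallory's or any vendor's code; the permission-to-capability mapping, the threshold, and the sample manifest are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permission -> capability the page attributes to Cerberus (mapping assumed here)
CAPABILITY_BY_PERMISSION = {
    "android.permission.READ_SMS": "sms_collection",
    "android.permission.RECEIVE_SMS": "sms_collection",
    "android.permission.SEND_SMS": "sms_sending",
    "android.permission.READ_CONTACTS": "contact_list_theft",
    "android.permission.RECORD_AUDIO": "audio_recording",
    "android.permission.INTERNET": "http_c2",
}

def profile_manifest(manifest_xml: str) -> list[str]:
    """Capabilities a manifest declares, using the mapping above plus
    any <service> guarded by the accessibility-service permission."""
    root = ET.fromstring(manifest_xml)
    caps = {CAPABILITY_BY_PERMISSION[p.get(ANDROID_NS + "name", "")]
            for p in root.iter("uses-permission")
            if p.get(ANDROID_NS + "name") in CAPABILITY_BY_PERMISSION}
    # Accessibility abuse shows up as a service permission, not a uses-permission
    if any(s.get(ANDROID_NS + "permission") == A11Y_PERMISSION
           for s in root.iter("service")):
        caps.add("accessibility_abuse")
    return sorted(caps)

def triage(manifest_xml: str, threshold: int = 4) -> tuple[bool, list[str]]:
    """Flag an app that pairs an accessibility service with at least
    `threshold` of the indicators above (the threshold is an assumption)."""
    caps = profile_manifest(manifest_xml)
    return ("accessibility_abuse" in caps and len(caps) >= threshold), caps

# Constructed manifest resembling a trojanised streaming app; not a real sample
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.streamplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

`triage(SAMPLE_MANIFEST)` returns `(True, [...])` with all six capabilities, while a manifest declaring only INTERNET profiles as `["http_c2"]` and is not flagged; in practice the profile is a prioritisation hint for sandboxing, since legitimate messaging apps also request several of these permissions.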


MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 2)

"A new wave of smishing attacks is exploiting user trust by embedding well-known brand names such as FedEx and Microsoft into deceptive URLs and group text messages"

Execution

1 technique
T1204.002 Malicious File (evidence: 2)

ThreatFabric saw a spike in malicious unofficial streaming apps... These apps are not on Google Play, so installing one means clicking past the warnings that would normally block it.

T1548.002 Bypass User Account Control (evidence: 1)

“As is the case with most bankers, it relies heavily on abusing the Accessibility Service.”

Stealth

2 techniques
T1036 Masquerading (evidence: 1)

Cerberus bot has extensive functionality, being able to spoof notifications from the banking service present on the device to prompt the victim to type in login credentials

T1497 Virtualization/Sandbox Evasion (evidence: 1)

The malware stands on its code that can detect movement of the infected device to determine a real system and avoid running in a sandbox environment.

Credential Access

3 techniques
T1056 Input Capture (evidence: 1)

Cerberus bot has extensive functionality, being able to spoof notifications from the banking service present on the device to prompt the victim to type in login credentials, and steal two-factor authentication codes

T1111 Multi-Factor Authentication Interception (evidence: 1)

"...intercepting authentication codes"

T1555 Credentials from Password Stores (evidence: 2)

"...capable of stealing credentials"

Discovery

1 technique
T1497 Virtualization/Sandbox Evasion (evidence: 1)

The malware stands on its code that can detect movement of the infected device to determine a real system and avoid running in a sandbox environment.

Collection

1 technique
T1056 Input Capture (evidence: 1)

Cerberus bot has extensive functionality, being able to spoof notifications from the banking service present on the device to prompt the victim to type in login credentials, and steal two-factor authentication codes

T1071.001 Web Protocols (evidence: 2)

AbstractEmu can use HTTP to communicate with the C2 server; AhRat can communicate with the C2 using HTTPS requests; BRATA can use both HTTP and WebSockets to communicate with the C2 server; LightSpy has used both HTTPS and Websockets to communicate with the C2.

T1105 Ingress Tool Transfer (evidence: 1)

Most banking trojans are modular in design. After initial infection, they can download additional functionality tailored to the victim, enabling credential theft, session hijacking, or remote access.

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
1 tracked

Other indicator types observed in public reporting.
