Extracted

• • Target

    E1D863E16D0585609677790971D97A394376E1BB6A96DA221719738249669C5A.apk

  • Size

    2.0MB

  • MD5

    df2cca4519794070ad7671435a3a1e11

  • SHA1

    e3c369e86eabdba643e0a4c3f34488bc64b11789

  • SHA256

    e1d863e16d0585609677790971d97a394376e1bb6a96da221719738249669c5a

  • SHA512

    d7be25260a822fa98352cd56ca815eaecf2f6d03f7538613f0b9bb2a3cf3022e728db9321000a3ec575cfabb81011e16fe24fcb22026a9a5ad01442f4ae97278

  • SSDEEP

    49152:Klmh0ViOZW/Xmg2fPY+TaTK9kjEGUXvHcO8:ph0boXmg2fLa+9k80Z

  Score

  10^/10

  alienbotcerberusbankercollectioncredential_accessdiscoveryevasioninfostealerpersistenceratstealthtrojanexecutionimpact

  • Alienbot

    Alienbot is a fork of Cerberus banker first seen in January 2020.

    bankertrojaninfostealeralienbot

  • Cerberus

    An Android banker that is being rented to actors beginning in 2019.

    bankertrojaninfostealerevasionratcerberus

  • Cerberus payload

  • Makes use of the framework's Accessibility service

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access

  • Prevents application removal

    Application may abuse the framework's APIs to prevent removal.

    evasion

  • Removes its main activity from the application launcher

    stealthtrojanevasion

  • Checks CPU information

    Checks CPU information which indicate if the system is an emulator.

    evasiondiscovery

  • Checks memory information

    Checks memory information which indicate if the system is an emulator.

    evasiondiscovery

  • Loads dropped Dex/Jar

    Runs executable file dropped to the device during analysis.

    evasion

  • Obtains sensitive information copied to the device clipboard

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact

  • Queries account information for other applications stored on the device

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection

  • Queries the mobile country code (MCC)

    discovery

  • Queries the phone number (MSISDN for GSM devices)

    discovery

  • Registers a broadcast receiver at runtime (usually for listening for system events)

    persistence

  • Requests enabling of the accessibility settings.

  • Requests disabling of battery optimizations (often used to enable hiding in the background).

    evasion

  • Schedules tasks to execute at a specified time

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  behavioral1behavioral2behavioral3