Published on May 1st, 2020

Hackers breach company’s MDM server to spread Android malware



Attackers infected more than 75% of a multinational conglomerate's managed Android devices with the Cerberus banking trojan using the company’s compromised Mobile Device Manager (MDM) server.

MDM (also known as Enterprise Mobility Management - EMM) is a mechanism used by companies of all sizes to enroll enterprise-owned devices with the same management server to make it easier to perform tasks such as delivering company-wide device configurations, deploying applications, and more.

The Cerberus banking trojan was first spotted in June 2019. It uses a Malware-as-a-Service (MaaS) business model, allowing clients who rent the service to drop their own payloads, as well as to configure and control devices compromised during their attacks.

Once deployed onto an Android device, Cerberus can be used by the attackers to steal a wide range of highly sensitive information including but not limited to call logs, text messages, credentials, Google Authenticator 2FA codes, phone unlocking patterns, as well as to collect info on installed apps and log keystrokes.

Company factory reset all enrolled devices

After the attackers compromised the unnamed company's MDM server in a targeted attack, they used it to remotely deploy the banking trojan on over 75% of all managed Android devices, as Check Point security researchers discovered.

This is what allowed the researchers to detect the attack: two malicious apps were installed on a large number of company devices within a very short time with the help of the breached MDM server.

To get rid of the malware and remove the attackers' ability to control the infected devices, the company decided to factory reset all devices enrolled with the compromised MDM server.

"This is the first time we have a reported incident of mobile malware distribution that uses the MDM server as an attack vector," the researchers said.

Android Accessibility Service abuse

Right after infecting a device, the malware will display a dialog camouflaged as an update for the Android Accessibility Service which will keep popping up on the screen until the victim gives in and hits the "Enable Update" button.

After it gains access to the Accessibility Service, Cerberus uses it to click menu options on its own and bypass the need for user interaction.

The banking Trojan was recently upgraded with RAT functionality in February and it is now capable of stealing victims' Google Authenticator two-factor authentication (2FA) codes that provide an additional layer of security when logging into services like banks, email, messaging, and social media networks.

Fake Accessibility Services update (Check Point)

Cerberus also has TeamViewer-based remote access Trojan (RAT) capabilities that make it possible for its operators to have full remote control of infected devices. Additionally, it uses overlays to grab the screen-lock pattern, giving the attackers a way to unlock the devices remotely.

The malware downloads a ring0.apk module which adds the ability to harvest contacts, SMS messages, and the list of installed applications and send it to the command and control server.

"This module also can perform phone-related actions such as sending specific SMS messages, making calls and sending USSD requests," the researchers found. "In addition, this module can show notifications, install or uninstall applications, and open popup activities with URLs."

Maintaining access to compromised devices

Cerberus maintains access by blocking the victims' attempts to uninstall TeamViewer and it will also gain admin privileges, further hindering the users' ability to uninstall any apps it needs to perform its malicious tasks.

The malware will also block any user attempts to remove the app by automatically closing the App Detail page when the victims try to open it.

On compromised devices, Cerberus will also disable Google Play Protect, Android's built-in malware protection, by abusing the Accessibility Service, thus preventing both detection and automatic removal.

Disabling Google Play Protect (Check Point)
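The two footholds described above, an attacker-controlled accessibility service and an unexpected device admin, are both visible over adb. The following triage helper is an added example, not code from the article or from Check Point: it compares the device's enabled accessibility services and device admins against an allowlist, flagging anything the MDM did not deploy. The allowlisted package names and the line format of `dumpsys device_policy` are assumptions to adapt to the fleet in question.

```shell
#!/bin/sh
# Added triage helper (not from the article or Check Point): flags enabled
# accessibility services and device admins that are absent from an allowlist,
# the two footholds the article says Cerberus relies on to click through
# dialogs and to resist uninstallation.

# Constructed placeholders: the MDM agent and services a fleet really deploys.
ALLOWED_A11Y="com.example.mdm/com.example.mdm.AccessibilityAgent"
ALLOWED_ADMINS="com.example.mdm/com.example.mdm.DeviceAdminReceiver"

# Print each entry of a colon-separated list ($1) that is not in the
# allowlist ($2); "null" (what adb returns for an unset setting) is empty.
# Returns 1 when anything unexpected was printed, 0 otherwise.
unexpected_entries() {
  list=$1; allow=$2; found=0
  if [ "$list" = "null" ]; then list=""; fi
  old_ifs=$IFS; IFS=':'
  for entry in $list; do
    case ":$allow:" in
      *":$entry:"*) ;;                 # expected, deployed by the MDM
      *) echo "$entry"; found=1 ;;     # not on the allowlist
    esac
  done
  IFS=$old_ifs
  return $found
}

# Reduce `dumpsys device_policy` output (assumed format: one indented
# "pkg/cls:" line per enabled admin) to a colon-separated pkg/cls list.
admin_list() {
  sed -n 's#^ *\([A-Za-z0-9_.]*/[A-Za-z0-9_.$]*\):$#\1#p' | paste -sd: -
}

# Live audit of a USB-attached device; needs adb and an authorised device.
audit_device() {
  a11y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
  unexpected_entries "$a11y" "$ALLOWED_A11Y" || echo "^ unexpected accessibility service(s)"
  admins=$(adb shell dumpsys device_policy | tr -d '\r' | admin_list)
  unexpected_entries "$admins" "$ALLOWED_ADMINS" || echo "^ unexpected device admin(s)"
}

# Only touch a device when explicitly asked; otherwise just define functions.
if [ "${1:-}" = "--live" ]; then audit_device; fi
```

Run it as `sh audit.sh --live` with one device attached; any line printed without a `^` prefix is a service or admin the MDM did not deploy and is worth a closer look.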

"This incident underscores the importance of distinguishing between managing and securing mobile devices.

"Managing a mobile device means installing applications, configuring settings, and applying policies on multiple devices at once," they added. "Securing a mobile device means protecting it from malware threats and attacks."

Indicators of compromise, including command and control server IP addresses, the malicious Android apps' package names, and SHA256 hashes, are available here.
