The threat group that had been operating the Cerberus Android banking trojan has begun auctioning their source code, administrative materials, as well as their entire customer base for a hefty starting bid of $50,000 USD or a flat price of $100,000 USD to bypass the auction. Cerberus is an Android malware family with a focus on banking credential theft. It also has some fairly unique features, such as its ability to detect device movement to indicate if the app was running on a real phone or being tested by an automated sandbox. The group had been renting access to the malware for $12,000 per year. According to the group selling the source code, the operation currently generates about $10,000 per month and has 24 active clients. If both of those claimed numbers are correct, some clients must have negotiated a discounted rate. With a high price tag and all the data necessary to keep the operation running, it seems the group is hoping to attract sophisticated actors with the ability to continue the malware’s operation.
Some other users of the criminal forum have questioned the group’s motives for selling the malware, citing reports that it has been plagued by bugs and that it is difficult to maintain, requiring constant tuning to avoid being detected. As Cerberus typically hides in legitimate-looking apps downloaded from third- party Android marketplaces, Binary Defense recommends that Android owners only install apps from trusted sources such as the Google Play store, install an anti-virus on their Android devices, and set it to scan the device frequently. Malwarebytes, a well-known computer antivirus company also has a security solution that can detect malicious functionality in apps for mobile devices.