Incident handling

An advertisement for the malicious Fitness Trainer application was purchased on the Google network. It was displayed in other applications, including a calculator for calculating the body mass index (BMI) used by the bank's client. By clicking on the advertising link, the bank customer was transferred to the Google Play store from where he downloaded the training application. After its installation, a message box appeared informing about the requirement to grant additional permissions to the application. Permitting them meant authorization to control the phone. As a result, the targeted malicious application with the same name Fitness Trainer, which is Cerberus malware, was downloaded and launched automatically. Again, the client only had to grant additional rights. The application was running in the background, and when the client ran the original banking application, the Cerberus malware displayed an overlay imitating the banking login panel. By entering the data, the customer passed them on to cybercriminals who, having total control over the phone, could intercept SMS messages with authorization codes. Thus, the bank's customer was robbed of the funds accumulated on the account. The client claimed the bank, which commissioned PREBYTES experts to examine the client's device remotely.

The PREBYTES analyst contacted the bank's client. By guiding him through the entire process, we obtained data for analysis from the incident's device. In this way, it was possible to determine that the client's unauthorized transaction resulted from downloading malicious software. The detection of the threat made it possible to establish the incident path described above. The occurence was concluded with a report describing the event, including device data and analysis results.