S0480: Cerberus
Analyst context for executives and security teams
Cerberus matters because it is an Android banking trojan with behaviors that can undermine trust in mobile devices used for finance, identity access, communications, and executive workflows. The ATT&CK relationships show a broad mobile risk pattern: credential/input capture, SMS and contact access, location tracking, runtime code download, obfuscation, hidden presence, and web-based command traffic.
Executive priority
Treat this as a mobile identity and fraud-resilience issue, not only a malware issue. Leaders should ask whether Android devices that access corporate email, banking, MFA, or sensitive apps are managed, whether risky permissions and sideloaded apps are controlled, and whether SOC/IR teams can obtain mobile evidence quickly enough during account-takeover or fraud investigations. Because MITRE provides no official detection text for this object, coverage should be proven through control validation rather than assumed.
Technical view
For SOC, detection engineering, and IR teams, validate Android-focused coverage around the related techniques: obfuscated payloads, runtime code download, keylogging or GUI input capture, software and system discovery, location access, HTTP/HTTPS command traffic including non-standard ports, accessibility-based input injection, SMS control, hidden launcher icons, security-tool modification, self-uninstall behavior, system checks, contact/SMS collection, and application masquerading. Static app review alone is a blind spot because the related behavior includes downloading new code at runtime and obfuscation.
Likely telemetry
- Android device inventory and OS/app version data from UEM/MDM or mobile security tooling
- Installed application/package inventory, package names, icons, install source, and install/uninstall events
- Android permission and role data, especially accessibility service use, device administrator/device owner status, SMS permissions/default SMS handler, contacts, location, and background location
- Mobile network telemetry such as DNS, proxy/VPN, HTTP/HTTPS destinations, and protocol use over non-standard ports
- Mobile threat defense/endpoint alerts for obfuscation, dynamic code loading, hidden app behavior, app impersonation, and security tool tampering
Detection direction
- Do not rely on a single indicator or app name; the related techniques include masquerading, icon suppression, obfuscation, and runtime code download.
- Correlate suspicious permission combinations with behavior: accessibility abuse plus SMS access, contacts access, location access, hidden icon behavior, or unexpected network communication is higher value than any one permission alone.
- Tune carefully for legitimate apps that use accessibility, SMS, contacts, location, or web protocols; prioritize anomalous combinations, untrusted install sources, impersonating package names/icons, and unexpected background behavior.
- Validate whether mobile network monitoring can see HTTP/HTTPS command traffic patterns and protocol/port mismatches without assuming full payload visibility.
- Account for sandbox and lab-analysis gaps because the related techniques include system checks that may alter behavior in virtualized or analysis environments.
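The correlation logic described in this list, as an added example that is not part of the MITRE object or the Glexia analysis: it takes a small constructed Android app inventory (package, label, install source, permissions, accessibility/SMS/device-admin roles, launcher icon state, and observed web destinations) and scores each app on the combinations named above, weighting accessibility abuse together with SMS, contacts or location access highest, and flagging hidden icons, untrusted install sources, brand-like labels and HTTP/HTTPS on non-standard ports. The record fields, score weights, the accessibility allowlist, the impersonation term list and the sample records are all assumptions for illustration; only "Flash Player" and port 8888 come from the page.

```python
"""Score Android app-inventory records for the risky permission/behaviour combinations
described on this page. Field names, weights and sample data are constructed; they do not
correspond to any specific UEM/MDM export format."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Permission groups abused by the related techniques (SMS, contacts, location).
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
             "android.permission.RECEIVE_SMS"}
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}
LOCATION_PERMS = {"android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_BACKGROUND_LOCATION"}

# Hypothetical organisational allowlist of packages approved to use the accessibility service.
APPROVED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}

# Label fragments a masquerading app may borrow. "flash player" is from the page; the rest are
# assumed entries an analyst would tune for their environment.
IMPERSONATION_TERMS = ("flash player", "play protect", "bank")

# Ports considered standard for each web scheme; anything else is a protocol/port mismatch.
STANDARD_WEB_PORTS = {"http": {80, 8080}, "https": {443}}


@dataclass
class AppRecord:
    package: str
    label: str
    install_source: str                      # e.g. "play_store" or "sideload"
    permissions: set = field(default_factory=set)
    accessibility_enabled: bool = False
    default_sms_handler: bool = False
    device_admin: bool = False
    launcher_icon_visible: bool = True
    # Observed destinations as (scheme, host, port) tuples from network telemetry.
    destinations: List[Tuple[str, str, int]] = field(default_factory=list)


def score_app(app: AppRecord) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one app. Weights are illustrative, not calibrated."""
    score, reasons = 0, []
    has_sms = bool(app.permissions & SMS_PERMS) or app.default_sms_handler
    has_contacts = bool(app.permissions & CONTACT_PERMS)
    has_location = bool(app.permissions & LOCATION_PERMS)
    sensitive_count = sum((has_sms, has_contacts, has_location))

    # Unapproved accessibility use is the pivot: it enables input injection, overlays and
    # keylogging, so its combination with data-access permissions weighs the most.
    if app.accessibility_enabled and app.package not in APPROVED_ACCESSIBILITY:
        score += 3
        reasons.append("unapproved accessibility service")
        if sensitive_count:
            score += 3 * sensitive_count
            reasons.append(f"accessibility combined with {sensitive_count} sensitive permission group(s)")
    elif sensitive_count >= 2:
        score += 2
        reasons.append("multiple sensitive permission groups")

    if app.default_sms_handler:
        score += 2
        reasons.append("registered as default SMS handler")
    if app.device_admin:
        score += 2
        reasons.append("device administrator enabled")
    if not app.launcher_icon_visible:
        score += 2
        reasons.append("launcher icon suppressed")
    if app.install_source != "play_store":
        score += 2
        reasons.append(f"untrusted install source: {app.install_source}")
    if any(term in app.label.lower() for term in IMPERSONATION_TERMS):
        score += 2
        reasons.append(f"label resembles a well-known brand: {app.label!r}")
    for scheme, host, port in app.destinations:
        if scheme in STANDARD_WEB_PORTS and port not in STANDARD_WEB_PORTS[scheme]:
            score += 2
            reasons.append(f"{scheme} traffic to {host} on non-standard port {port}")
    return score, reasons


def triage(apps: List[AppRecord]) -> List[Tuple[str, str, int, List[str]]]:
    """Rank apps by score; returns (package, tier, score, reasons) highest first."""
    ranked = []
    for app in apps:
        score, reasons = score_app(app)
        tier = "high" if score >= 8 else "medium" if score >= 4 else "low"
        ranked.append((app.package, tier, score, reasons))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed sample inventory, not real telemetry.
SAMPLE_APPS = [
    AppRecord("com.example.flashplayer.update", "Flash Player Installer", "sideload",
              permissions=SMS_PERMS | CONTACT_PERMS | {"android.permission.ACCESS_FINE_LOCATION"},
              accessibility_enabled=True, device_admin=True, launcher_icon_visible=False,
              destinations=[("http", "203.0.113.10", 8888)]),
    AppRecord("com.example.messenger", "Messenger", "play_store",
              permissions=SMS_PERMS | CONTACT_PERMS, default_sms_handler=True,
              destinations=[("https", "api.example.com", 443)]),
    AppRecord("com.google.android.marvin.talkback", "TalkBack", "play_store",
              accessibility_enabled=True),
]

if __name__ == "__main__":
    for package, tier, score, reasons in triage(SAMPLE_APPS):
        print(f"{tier:6} {score:2} {package}")
        for reason in reasons:
            print(f"          - {reason}")
```

Run against the sample records, the sideloaded "Flash Player" app lands in the high tier on the strength of the combination (every reason on the page's list fires at once), the Play Store messenger that is the default SMS handler lands at medium, which is the tuning case the list warns about and would normally be resolved by an allowlist of approved SMS apps, and the allowlisted screen reader scores zero despite using accessibility. The point is that no single field decides the verdict.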
Mitigation priorities
- Prioritize managed Android device enrollment for devices used to access sensitive business, banking, or identity workflows.
- Restrict sideloading and enforce approved application sources where business operations allow.
- Use mobile application risk controls to review high-risk permissions, accessibility service grants, SMS roles, device administrator/device owner use, and background location access.
- Maintain mobile threat detection or equivalent behavioral assessment for obfuscation, runtime code loading, app impersonation, hidden icons, and security-tool tampering.
- Reduce dependence on SMS for sensitive authentication where feasible, given the related SMS control and SMS message collection behaviors.
Analyst notes and limits
The business relevance is strongest for organizations that allow Android devices to access corporate identity systems, financial applications, customer data, or privileged communications. Relationship context indicates Cerberus is associated with many mobile techniques, but local control value depends on whether the organization manages Android endpoints and collects mobile telemetry.
MITRE provides no official detection text, no aliases, no specified tactics, and only Android as the supported platform for this malware object. The description states Cerberus is a banking trojan available for rent and references an author claim about prior private use; this take does not infer current activity, attribution, prevalence, or guaranteed detection coverage.
Cerberus
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1509 | Non-Standard Port | Cerberus communicates with the C2 using HTTP requests over port 8888. [CheckPoint Cerberus] |
| Mobile | T1628.001 | Suppress Application Icon | Cerberus hides its icon from the application drawer after being launched for the first time. [Threat Fabric Cerberus] |
| Mobile | T1407 | Download New Code at Runtime | Cerberus can update the malicious payload module on command. [Threat Fabric Cerberus] |
| Mobile | T1406 | Obfuscated Files or Information | Cerberus uses standard payload and string obfuscation techniques. [Threat Fabric Cerberus] |
| Mobile | T1633.001 | System Checks | Cerberus avoids being analyzed by only activating the malware after recording a certain number of steps from the accelerometer. [Threat Fabric Cerberus] |
| Mobile | T1636.003 | Contact List | Cerberus can obtain the device’s contact list. [Threat Fabric Cerberus] |
| Mobile | T1636.004 | SMS Messages | Cerberus can collect SMS messages from a device. [Threat Fabric Cerberus] |
| Mobile | T1417.002 | GUI Input Capture | Cerberus can generate fake notifications and launch overlay attacks against attacker-specified applications. [Threat Fabric Cerberus] |
| Mobile | T1655.001 | Match Legitimate Name or Location | Cerberus has pretended to be an Adobe Flash Player installer. [Forbes Cerberus] |
| Mobile | T1430 | Location Tracking | Cerberus can collect the device’s location. [Threat Fabric Cerberus] |
| Mobile | T1582 | SMS Control | Cerberus can send SMS messages from a device. [Threat Fabric Cerberus] |
| Mobile | T1629.003 | Disable or Modify Tools | Cerberus disables Google Play Protect to prevent its discovery and deletion in the future. [Threat Fabric Cerberus] |
| Mobile | T1437.001 | Web Protocols | Cerberus communicates with the C2 server using HTTP. [CheckPoint Cerberus] |
| Mobile | T1426 | System Information Discovery | Cerberus can collect device information, such as the default SMS app and device locale. [Threat Fabric Cerberus] [CheckPoint Cerberus] |
| Mobile | T1418 | Software Discovery | Cerberus can obtain a list of installed applications. [Threat Fabric Cerberus] |
| Mobile | T1630.001 | Uninstall Malicious Application | Cerberus can uninstall itself from a device on command. [Threat Fabric Cerberus] |
| Mobile | T1417.001 | Keylogging | Cerberus can record keystrokes. [Threat Fabric Cerberus] |
| Mobile | T1516 | Input Injection | Cerberus can inject input to grant itself additional permissions without user interaction and to prevent application removal. [Threat Fabric Cerberus] [CheckPoint Cerberus] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 24287d67ec96… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Threat Fabric Cerberus: Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
- [2] mitre-attack S0480
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.