S0480: Cerberus
Analyst context for executives and security teams
Cerberus matters because it is an Android banking trojan with behaviors that can undermine trust in mobile devices used for finance, identity access, communications, and executive workflows. The ATT&CK relationships show a broad mobile risk pattern: credential/input capture, SMS and contact access, location tracking, runtime code download, obfuscation, hidden presence, and web-based command traffic.
Executive priority
Treat this as a mobile identity and fraud-resilience issue, not only a malware issue. Leaders should ask whether Android devices that access corporate email, banking, MFA, or sensitive apps are managed, whether risky permissions and sideloaded apps are controlled, and whether SOC/IR teams can obtain mobile evidence quickly enough during account-takeover or fraud investigations. Because MITRE provides no official detection text for this object, coverage should be proven through control validation rather than assumed.
Technical view
For SOC, detection engineering, and IR teams, validate Android-focused coverage around the related techniques: obfuscated payloads, runtime code download, keylogging or GUI input capture, software and system discovery, location access, HTTP/HTTPS command traffic including non-standard ports, accessibility-based input injection, SMS control, hidden launcher icons, security-tool modification, self-uninstall behavior, system checks, contact/SMS collection, and application masquerading. Static app review alone is a blind spot because the related behavior includes downloading new code at runtime and obfuscation.
Likely telemetry
- Android device inventory and OS/app version data from UEM/MDM or mobile security tooling
- Installed application/package inventory, package names, icons, install source, and install/uninstall events
- Android permission and role data, especially accessibility service use, device administrator/device owner status, SMS permissions/default SMS handler, contacts, location, and background location
- Mobile network telemetry such as DNS, proxy/VPN, HTTP/HTTPS destinations, and protocol use over non-standard ports
- Mobile threat defense/endpoint alerts for obfuscation, dynamic code loading, hidden app behavior, app impersonation, and security tool tampering
Detection direction
- Do not rely on a single indicator or app name; the related techniques include masquerading, icon suppression, obfuscation, and runtime code download.
- Correlate suspicious permission combinations with behavior: accessibility abuse plus SMS access, contacts access, location access, hidden icon behavior, or unexpected network communication is higher value than any one permission alone.
- Tune carefully for legitimate apps that use accessibility, SMS, contacts, location, or web protocols; prioritize anomalous combinations, untrusted install sources, impersonating package names/icons, and unexpected background behavior.
- Validate whether mobile network monitoring can see HTTP/HTTPS command traffic patterns and protocol/port mismatches without assuming full payload visibility.
- Account for sandbox and lab-analysis gaps because the related techniques include system checks that may alter behavior in virtualized or analysis environments.
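As an added example (not from the page, MITRE, or Glexia), the correlation rule above written as a triage script over a constructed UEM-style app inventory: it alerts only when an enabled accessibility service coincides with several other signals (sensitive permissions, untrusted install source, hidden icon, HTTP on a non-standard port), so a lone permission never fires. The allowlists, field names, and sample package names are assumptions.

```python
from dataclasses import dataclass
# Constructed allowlists for this example; tune them to your own fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}   # Google Play
STANDARD_WEB_PORTS = {80, 443}
SENSITIVE = {"READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS",
             "ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION"}

@dataclass
class AppRecord:
    device: str
    package: str
    installer: str               # installer package; "" means sideloaded
    permissions: set
    accessibility_service: bool  # app has an enabled accessibility service
    icon_hidden: bool            # launcher icon suppressed
    http_ports: set              # destination ports seen carrying HTTP

def signals(app):
    """Independent Cerberus-style indicators present on one app."""
    checks = [
        ("accessibility", app.accessibility_service),
        ("sensitive-permissions", bool(app.permissions & SENSITIVE)),
        ("untrusted-installer", app.installer not in TRUSTED_INSTALLERS),
        ("hidden-icon", app.icon_hidden),
        ("http-nonstandard-port", bool(app.http_ports - STANDARD_WEB_PORTS)),
    ]
    return [name for name, hit in checks if hit]

def triage(apps, extra_required=2):
    """Flag apps showing accessibility plus at least `extra_required` other
    signals; a single permission alone never alerts, which keeps legitimate
    screen readers and messaging apps out of the queue."""
    hits = {}
    for app in apps:
        found = signals(app)
        if "accessibility" in found and len(found) - 1 >= extra_required:
            hits[(app.device, app.package)] = found
    return hits

# Constructed inventory: legit screen reader, legit messenger, sideloaded fake Flash Player installer.
SAMPLE = [
    AppRecord("dev-01", "com.example.screenreader", "com.android.vending",
              set(), True, False, {443}),
    AppRecord("dev-01", "com.example.messenger", "com.android.vending",
              {"READ_SMS", "RECEIVE_SMS", "READ_CONTACTS"}, False, False, {443}),
    AppRecord("dev-02", "com.example.flashplayer", "",
              {"READ_SMS", "READ_CONTACTS", "ACCESS_FINE_LOCATION"},
              True, True, {8888}),
]
```

Call `triage(SAMPLE)` to get the flagged (device, package) pairs with their reasons; raise `extra_required` to tighten the rule for noisy fleets.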
Mitigation priorities
- Prioritize managed Android device enrollment for devices used to access sensitive business, banking, or identity workflows.
- Restrict sideloading and enforce approved application sources where business operations allow.
- Use mobile application risk controls to review high-risk permissions, accessibility service grants, SMS roles, device administrator/device owner use, and background location access.
- Maintain mobile threat detection or equivalent behavioral assessment for obfuscation, runtime code loading, app impersonation, hidden icons, and security-tool tampering.
- Reduce dependence on SMS for sensitive authentication where feasible, given the related SMS control and SMS message collection behaviors.
Analyst notes and limits
The business relevance is strongest for organizations that allow Android devices to access corporate identity systems, financial applications, customer data, or privileged communications. Relationship context indicates Cerberus is associated with many mobile techniques, but local control value depends on whether the organization manages Android endpoints and collects mobile telemetry.
MITRE provides no official detection text, no aliases, no specified tactics, and only Android as the supported platform for this malware object. The description states Cerberus is a banking trojan available for rent and references an author claim about prior private use; this take does not infer current activity, attribution, prevalence, or guaranteed detection coverage.
Cerberus
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1509 | Non-Standard Port | Cerberus communicates with the C2 using HTTP requests over port 8888. (Citation: CheckPoint Cerberus) |
| Mobile | T1628.001 | Suppress Application Icon Sub-technique | |
| Mobile | T1407 | Download New Code at Runtime | |
| Mobile | T1406 | Obfuscated Files or Information | |
| Mobile | T1633.001 | System Checks Sub-technique | |
| Mobile | T1636.003 | Contact List Sub-technique | |
| Mobile | T1636.004 | SMS Messages Sub-technique | |
| Mobile | T1417.002 | GUI Input Capture Sub-technique | |
| Mobile | T1655.001 | Match Legitimate Name or Location Sub-technique | Cerberus has pretended to be an Adobe Flash Player installer. (Citation: Forbes Cerberus) |
| Mobile | T1430 | Location Tracking | |
| Mobile | T1582 | SMS Control | |
| Mobile | T1629.003 | Disable or Modify Tools Sub-technique | |
| Mobile | T1437.001 | Web Protocols Sub-technique | Cerberus communicates with the C2 server using HTTP. (Citation: CheckPoint Cerberus) |
| Mobile | T1426 | System Information Discovery | |
| Mobile | T1418 | Software Discovery | |
| Mobile | T1630.001 | Uninstall Malicious Application Sub-technique | |
| Mobile | T1417.001 | Keylogging Sub-technique | |
| Mobile | T1516 | Input Injection | |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 24287d67ec96… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Threat Fabric Cerberus: Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.
- [2] mitre-attack S0480
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.