Security researchers have discovered the Cerberus banking Trojan disguised as a legitimate currency application on Google Play.
On Tuesday, Avast's security team said the malicious application posed as a legitimate currency conversion application designed for Spanish users.
In all, the "Calculadora de Moneda" software - translated as Currency Calculator - has been downloaded more than 10,000 times.
Our mobile devices, including smartphones and tablets, are now often basic tools used not only for communication with friends and relatives, but also for entertainment, work and as gateways to our financial accounts.
As a result, mobile malware has become a common threat today. To try to keep malicious applications off our devices, vendors including Google and Apple have tightened security measures for software hosted on their official, trusted application repositories.
In some cases, however, threats still slip through.
The malicious app bypassed Google's security barriers by behaving as a legitimate app for the first few weeks after it appeared on Google Play.
However, once users had come to trust it, the application activated dormant code for the Cerberus Trojan.
The code linked Calculadora de Moneda to a command-and-control (C2) server, which became active several weeks later and ordered the application to download an additional Android application package (APK) to devices.
Once run, the APK dropped Cerberus, a relatively new Trojan released in June 2019, onto the system.
The banking Trojan creates overlays on top of existing banking and financial applications. Cerberus hides in the background, waiting for a user to enter their account credentials, at which point this information is stolen and sent to the attacker's C2.
Avast notes that the malware is sophisticated enough to read your messages, which are often used to deliver one-time passwords (OTP), as well as to retrieve two-factor authentication (2FA) details. These security measures are meant to further protect bank accounts, but Cerberus can bypass these controls.
"Although this was only a short period of time, it is a tactic that fraudsters often use to hide from protection and detection, that is, to limit the amount of time malicious activity can be detected," says Avast.