“Unseen Threat: ErrorFather’s Lethal Use of Cerberus”

Cyble CRIL discovered the ErrorFather campaign delivering an undetected Cerberus-derived Android banking trojan via a multi-stage, session-based dropper that uses a native library to decrypt and load the final payload. The payload implements keylogging, overlay web-injection, VNC (MediaProjection), RC4-encrypted C2 communication, and a timezone-based DGA for resilient command-and-control. #ErrorFather #Cerberus

Keypoints

  • ErrorFather uses a session-based multi-stage dropper that installs a second-stage APK from the primary APK’s assets.
  • The second-stage APK bundles a native library (libmcfae.so) that derives the AES key/IV, decrypts an encrypted asset (rbyypivsnw.png), and loads the resulting decrypted.dex as the final payload.
  • The final payload is Cerberus-derived and provides keylogging, overlay (HTML injection) attacks, VNC via MediaProjection, PII collection, and SMS/contact theft.
  • C2 resilience is implemented via RC4-encrypted JSON C2 traffic and a Domain Generation Algorithm (DGA) that generates domains using the Istanbul timezone and multiple extensions.
  • Initial-stage communication includes a Telegram bot (ErrorFather) used by the dropper to send device metadata and receive commands.
  • Malware actions are exposed as renamed “Types” (e.g., checkAppList, getFile, PrimeService, getBox) used to enumerate apps, retrieve injection pages, exfiltrate data, and control VNC behavior.

MITRE Techniques

  • [T1660] Phishing – Used as an initial distribution vector via phishing and fake distribution pages (‘Malware distributing via phishing site’).
  • [T1575] Native API – Native code (libmcfae.so) is used to decrypt and load the final payload (‘Malware using native code to drop final payload’).
  • [T1655.001] Masquerading: Match Legitimate Name or Location – Dropper impersonates Google Play/Chrome icons to appear legitimate (‘Malware pretending to be the Google Play Update and Chrome application’).
  • [T1418] Application Discovery – Malware collects installed package names to identify targets (‘Collects installed application package name list to identify target’).
  • [T1630.001] Indicator Removal on Host: Uninstall Malicious Application – Capability to remove itself to evade detection (‘Malware can uninstall itself’).
  • [T1516] Input Injection – Malware can simulate user interactions, clicks, gestures, and input data (‘Malware can mimic user interaction, perform clicks and various gestures, and input data’).
  • [T1417.001] Input Capture: Keylogging – Final payload records keystrokes from targeted apps (‘Malware can capture keystrokes’).
  • [T1426] System Information Discovery – Malware gathers device metadata such as model, brand, and API level (‘The malware collects basic device information.’).
  • [T1513] Screen Capture – VNC implementation captures and transmits screen images (‘Malware can record screen content’).
  • [T1429] Audio Capture – Malware can capture audio from the device (‘Malware captures Audio recordings’).
  • [T1616] Call Control – Malware can initiate or control phone calls (‘Malware can make calls’).
  • [T1636.003] Protected User Data: Contact List – Malware exfiltrates the device contact list (‘Malware steals contacts’).
  • [T1636.004] Protected User Data: SMS Messages – Malware reads and sends SMS messages from the device (‘Steals SMSs from the infected device’).
  • [T1637.001] Dynamic Resolution: Domain Generation Algorithms – Uses a timezone-based DGA to generate C2 domains (‘Malware has implemented DGA’).
  • [T1521.001] Encrypted Channel: Symmetric Cryptography – RC4 is used to encrypt full JSON C2 payloads (‘Malware uses RC4 for encrypting C&C communication’).
  • [T1646] Exfiltration Over C2 Channel – Exfiltrated data is sent over the encrypted C2 channel (‘Sending exfiltrated data over C&C server’).

Indicators of Compromise

  • [Hashes] SHA-256 of dropper/second-stage/final payload samples – 0c27ec44ad5333b4440fbe235428ee58f623a878baefe08f2dcdad62ad5ffce7, 6c045a521d4d19bd52165ea992e91d338473a70962bcfded9213e592cea27359, and other hashes listed in the source report.
  • [Files] filenames used in dropper chain – final-signed.apk (second-stage), decrypted.dex (final payload), libmcfae.so (native decryptor), rbyypivsnw.png (encrypted payload).
  • [Domains/URLs] C2 and distribution – hxxp://cmsspain[.homes, hxxp://consulting-service-andro[.ru (C2 examples) and hxxp://elstersecure-plus[.online (distribution/phishing URL).
  • [Telegram] command channel – https://api.telegram.org/bot7779906180:AAE3uTyuoDX0YpV1DBJyz5zgwvvVg-up4xo/sendMessage?chat_id=5915822121&text= (ErrorFather bot URL used by dropper).

The technical deployment follows a staged installation: the primary APK acts as a session-based dropper that installs a second-stage APK (final-signed.apk) from its assets using the Play Store icon to masquerade as legitimate software. The second-stage package is packed and immediately loads a native library (libmcfae.so) which reads an encrypted asset (rbyypivsnw.png), derives the AES key and IV, decrypts to produce decrypted.dex, and loads that DEX into the app’s code_cache path as the active payload.
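A static triage check for the dropper-chain artifacts named above, written for this summary rather than taken from Cyble's tooling. It opens an APK as a zip, flags the file names the report attributes to the chain, and generalizes the rbyypivsnw.png case by flagging any asset with an image extension that lacks PNG magic bytes; the sample APK is constructed inline.

```python
"""Static triage of an APK (a zip) for the ErrorFather dropper-chain artifacts.
Added example, not Cyble's code; the sample APK below is constructed."""
import io
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# File names the report attributes to the dropper chain.
CHAIN_ARTIFACTS = {
    "final-signed.apk": "second-stage APK embedded in assets",
    "libmcfae.so": "native decryptor library",
    "rbyypivsnw.png": "encrypted payload disguised as an image",
}


def triage_apk(apk_bytes: bytes) -> dict:
    """Return matched artifact names and any 'image' asset whose header is not PNG."""
    findings = {"artifacts": {}, "fake_images": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base in CHAIN_ARTIFACTS:
                findings["artifacts"][base] = info.filename
            # An asset with a .png name but no PNG header is a candidate for an
            # encrypted payload; this generalizes the rbyypivsnw.png case.
            if info.filename.startswith("assets/") and base.lower().endswith(".png"):
                with zf.open(info) as fh:
                    if fh.read(8) != PNG_MAGIC:
                        findings["fake_images"].append(info.filename)
    findings["suspicious"] = bool(findings["artifacts"]) or bool(findings["fake_images"])
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for the second-stage APK layout described in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("lib/arm64-v8a/libmcfae.so", b"\x7fELF" + b"\x00" * 16)
        zf.writestr("assets/rbyypivsnw.png", b"\x12\x34\x56\x78" * 8)  # not a real PNG
        zf.writestr("assets/logo.png", PNG_MAGIC + b"\x00" * 8)       # benign image
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```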

The decrypted.dex implements Cerberus-derived capabilities: it enumerates installed apps (checkAppList/listAppX), fetches HTML injection pages (getFile) to perform overlay phishing, records keystrokes (PrimeService), captures screen images via MediaProjection and transmits them over a WebSocket for VNC actions, and exfiltrates SMS/contacts (getBox/prContact). Control is exercised through renamed action identifiers (“Types”) delivered by C2, and all C2 JSON traffic is symmetrically encrypted with RC4.

For resilience, the malware populates its ConnectGates shared preference with C2 entries received from the primary “PoisonConnect” server and with fallback domains generated by a DGA that seeds on the Istanbul timezone, hashes with MD5 then SHA-1, and appends extensions (e.g., .click, .com, .homes, .net). The initial dropper also contacts a Telegram bot (ErrorFather) to send device metadata and receive commands, enabling remote control and orchestrating exfiltration and overlay/VNC-driven fraud.
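An analyst-side decoder for the RC4-encrypted JSON C2 traffic described above, added here as an illustration and not taken from the report. RC4 is symmetric, so one routine both encrypts and decrypts; the key and the captured message are constructed placeholders, and `decode_c2` shows how to confirm which candidate string pulled from a sample is the real key by checking which one yields a parseable JSON object.

```python
"""Decrypting RC4-protected JSON C2 messages. Added example, not the report's code;
the key and the captured message below are constructed placeholders."""
import json


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_c2(blob: bytes, candidate_keys: list):
    """Try each candidate key extracted from the sample; return (key, parsed JSON)
    for the first whose plaintext is a JSON object, else None."""
    for key in candidate_keys:
        try:
            obj = json.loads(rc4(key, blob).decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            continue
        if isinstance(obj, dict):
            return key, obj
    return None


# Constructed stand-in for a captured bot-to-C2 message using one of the renamed "Types".
SAMPLE_KEY = b"placeholder-rc4-key"
SAMPLE_PLAINTEXT = {"Type": "checkAppList", "apps": ["com.example.bank", "com.example.wallet"]}
SAMPLE_BLOB = rc4(SAMPLE_KEY, json.dumps(SAMPLE_PLAINTEXT).encode())

if __name__ == "__main__":
    print(decode_c2(SAMPLE_BLOB, [b"wrong-key", SAMPLE_KEY]))
```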

Read more: https://cyble.com/blog/hidden-in-plain-sight-errorfathers-deadly-deployment-of-cerberus/