Tuesday 21 July 2020, Security guide

Cerberus malware in the Google Play Store

Lost24

Although the amount of malware in the Google Play Store has decreased significantly since the introduction of Play Protect, experts from the PREBYTES Security Incident Response Team have detected the dangerous Cerberus malware in one of the applications.


The application was Best Cleaner, which during installation required permissions to access photos and multimedia, make calls, and access files on the phone. If consent was not given, the application could not be used.


Clicking the “Start Cleanup” button in the application initiated the attack. The application required the installation of an additional plug-in; for this purpose, the option to allow installation of apps from unknown sources had to be enabled in the device settings. At this point the download and installation of Best Cleaner, which was actually malware, was initiated. In the next step, the application requested access to the accessibility feature, hidden under “Best Cleaner activation”, which in effect allowed it to add itself as a device administrator.


Cerberus malware ran in the background and scanned for online banking applications, and once you tried to log into your bank account, an overlay imitating the original login panel was displayed. As you might expect, at this point cybercriminals hijacked your online banking credentials.
The application has been removed from the Google Play Store, and the number of its downloads has passed 10,000.


To lull potential victims into a false sense of security, the cybercriminals secured fake reviews as well as application updates.
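
The chain described above leaves three signals that can be checked together on a device: a package installed from outside a store, an enabled accessibility service, and device administrator rights. The following Python triage check is an added example, not code from PREBYTES or from the original article. It assumes output captured from `pm list packages -3 -i` and `settings get secure enabled_accessibility_services`, plus device admin component names (one per line) taken from `dumpsys device_policy`; all package names in the sample are constructed placeholders.

```python
import re

# Installers treated as trusted stores (assumption; adjust for your fleet).
TRUSTED_INSTALLERS = {"com.android.vending"}
# One line of `pm list packages -3 -i`: "package:<name>  installer=<source>"
PM_LINE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?")

# Constructed sample data; every package name here is a placeholder.
SAMPLE_PM = """\
package:com.example.notes  installer=com.android.vending
package:com.example.cleaner.plugin  installer=null
package:com.example.game  installer=com.example.altstore
"""
SAMPLE_A11Y = "com.example.cleaner.plugin/.Svc:com.example.notes/.Reader"
SAMPLE_ADMINS = "com.example.cleaner.plugin/.AdminReceiver"


def parse_installers(pm_output):
    """Map package -> installer (None when unknown) from pm output."""
    result = {}
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            result[m.group(1)] = None if m.group(2) in (None, "null") else m.group(2)
    return result


def packages_of(components, sep):
    """Package names from 'package/class' component strings."""
    return {c.split("/", 1)[0].strip() for c in components.split(sep) if "/" in c}


def triage(pm_output, accessibility_setting, admin_components):
    """Return (package, signals) for sideloaded apps holding extra privileges."""
    a11y = packages_of(accessibility_setting, ":")
    admins = packages_of(admin_components, "\n")
    findings = []
    for pkg, installer in sorted(parse_installers(pm_output).items()):
        signals = [name for name, hit in (
            ("sideloaded", installer not in TRUSTED_INSTALLERS),
            ("accessibility", pkg in a11y),
            ("device_admin", pkg in admins)) if hit]
        if "sideloaded" in signals and len(signals) > 1:
            findings.append((pkg, signals))
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_ADMINS))
```

A sideloaded package on its own is not flagged; only the combination with accessibility or device administrator rights is reported, which keeps ordinary apps from alternative stores out of the findings.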