The ERMAC Android banking trojan version 2.0 can target an increasing number of applications, passing from 378 to 467 target applications to steal account credentials and crypto-wallets.
ERMAC was first spotted by researchers from Threatfabric in July 2021, it is based on the popular banking trojan Cerberus. The source code of Cerberus was released in September 2020 on underground hacking forums after its operators failed an auction.
According to the experts, ERMAC is operated by threat actors behind the BlackRock mobile malware.
ERMAC 2.0 was discovered by ESET researchers after a campaign impersonating Bolt Food targeted Polish users. The malware is available for rent on underground forums for $5000 per month since March 2022.
ERMAC 2.0 is able to steal credentials for financial and cryptocurrency apps included in the list of targeted apps that are sent by the C2.
The researchers also shared indicators of compromise (IoCs) for this version.
Researchers from Cyble analyzed the malware after the initial discovery made by ESET
ERMAC first determines what applications are installed on the host device and then sends the information to the C2 server.
Researchers from Cyble published a technical analysis of the malware after the initial discovery made by ESET. The malicious app asks for 43 permissions, of which the TA exploits 12. Below is the list of permission requested to conduct malicious activities and take over the infected device:
Permission | Description |
REQUEST_INSTALL_PACKAGES | Allows an application to request installing packages |
CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call |
RECEIVE_SMS | Allows an application to receive SMS messages |
READ_SMS | Allows an application to read SMS messages |
SEND_SMS | Allows an application to send SMS messages |
READ_CONTACTS | Allows an application to read the user’s contacts data |
READ_PHONE_STATE | Allows read access to the device’s phone number |
SYSTEM_ALERT_WINDOW | Allows an app to create windows shown on top of all other apps. |
READ_EXTERNAL_STORAGE | Allows an application to read from external storage |
RECORD_AUDIO | Allows an application to record audio |
WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage |
while the list of commands supported by ERMAC 2.0 to execute malicious operations is:
Command | Description |
downloadingInjections | Sends the application list to download injections |
logs | Sends injection logs to the server |
checkAP | Check the application status and send it to the server |
registration | Sends device data |
updateBotParams | Sends the updated bot parameters |
downloadInjection | Used to receive the phishing HTML page |
“The Threat Actor behind ERMAC used the leaked code from a well-known malware variant named “Cerberus” and modified the code to sell the Android botnets in cybercrime forums. Interestingly, we observed that ERMAC 2.0 is distributed rapidly through various phishing sites, primarily targeting Polish users.” concludes Cyble. “ERMAC 2.0 steals credentials from different crypto wallets and targets multiple banking applications worldwide. We foresee that the TA behind ERMAC 2.0 will continue to develop new versions with more targeted applications, new TTPs, and new delivery methods.”
Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit:
https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, ERMAC 2.0)
[adrotate banner=”5″]
[adrotate banner=”13″]