ERMAC 2.0 Android Banking Trojan targets over 400 apps

A new version of the ERMAC Android banking trojan is able to target an increased number of apps.

The ERMAC Android banking trojan version 2.0 can target an increasing number of applications, passing from 378 to 467 target applications to steal account credentials and crypto-wallets.

ERMAC was first spotted by researchers from Threatfabric in July 2021, it is based on the popular banking trojan Cerberus. The source code of Cerberus was released in September 2020 on underground hacking forums after its operators failed an auction.

According to the experts, ERMAC is operated by threat actors behind the BlackRock mobile malware.

ERMAC 2.0 was discovered by ESET researchers after a campaign impersonating Bolt Food targeted Polish users. The malware is available for rent on underground forums for $5000 per month since March 2022.

ERMAC 2.0 is able to steal credentials for financial and cryptocurrency apps included in the list of targeted apps that are sent by the C2.

The researchers also shared indicators of compromise (IoCs) for this version.

Researchers from Cyble analyzed the malware after the initial discovery made by ESET

ERMAC first determines what applications are installed on the host device and then sends the information to the C2 server.

Researchers from Cyble published a technical analysis of the malware after the initial discovery made by ESET. The malicious app asks for 43 permissions, of which the TA exploits 12. Below is the list of permission requested to conduct malicious activities and take over the infected device: 

Permission	Description
REQUEST_INSTALL_PACKAGES	Allows an application to request installing packages
CALL_PHONE	Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call
RECEIVE_SMS	Allows an application to receive SMS messages
READ_SMS	Allows an application to read SMS messages
SEND_SMS	Allows an application to send SMS messages
READ_CONTACTS	Allows an application to read the user’s contacts data
READ_PHONE_STATE	Allows read access to the device’s phone number
SYSTEM_ALERT_WINDOW	Allows an app to create windows shown on top of all other apps.
READ_EXTERNAL_STORAGE	Allows an application to read from external storage
RECORD_AUDIO	Allows an application to record audio
WRITE_EXTERNAL_STORAGE	Allows an application to write to external storage

while the list of commands supported by ERMAC 2.0 to execute malicious operations is:

Command	Description
downloadingInjections	Sends the application list to download injections
logs	Sends injection logs to the server
checkAP	Check the application status and send it to the server
registration	Sends device data
updateBotParams	Sends the updated bot parameters
downloadInjection	Used to receive the phishing HTML page

“The Threat Actor behind ERMAC used the leaked code from a well-known malware variant named “Cerberus” and modified the code to sell the Android botnets in cybercrime forums. Interestingly, we observed that ERMAC 2.0 is distributed rapidly through various phishing sites, primarily targeting Polish users.” concludes Cyble. “ERMAC 2.0 steals credentials from different crypto wallets and targets multiple banking applications worldwide. We foresee that the TA behind ERMAC 2.0 will continue to develop new versions with more targeted applications, new TTPs, and new delivery methods.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ERMAC 2.0)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.