ERMAC 2.0 Android Banking Trojan targets over 400 apps

Pierluigi Paganini May 27, 2022

A new version of the ERMAC Android banking trojan is able to target an increased number of apps.

The ERMAC Android banking trojan version 2.0 can target an increasing number of applications, passing from 378 to 467 target applications to steal account credentials and crypto-wallets.

ERMAC was first spotted by researchers from Threatfabric in July 2021, it is based on the popular banking trojan Cerberus. The source code of Cerberus was released in September 2020 on underground hacking forums after its operators failed an auction.

According to the experts, ERMAC is operated by threat actors behind the BlackRock mobile malware.

ERMAC 2.0 was discovered by ESET researchers after a campaign impersonating Bolt Food targeted Polish users. The malware is available for rent on underground forums for $5000 per month since March 2022.

ERMAC

ERMAC 2.0 is able to steal credentials for financial and cryptocurrency apps included in the list of targeted apps that are sent by the C2.

The researchers also shared indicators of compromise (IoCs) for this version.

Researchers from Cyble analyzed the malware after the initial discovery made by ESET

ERMAC first determines what applications are installed on the host device and then sends the information to the C2 server.

Researchers from Cyble published a technical analysis of the malware after the initial discovery made by ESET. The malicious app asks for 43 permissions, of which the TA exploits 12. Below is the list of permission requested to conduct malicious activities and take over the infected device:  

Permission  Description  
REQUEST_INSTALL_PACKAGES Allows an application to request installing    packages 
CALL_PHONE Allows an application to initiate a phone call   without going through the Dialer user    interface for the user to confirm the call 
RECEIVE_SMS Allows an application to receive SMS messages 
READ_SMS Allows an application to read SMS messages 
SEND_SMS Allows an application to send SMS    messages 
READ_CONTACTS Allows an application to read the user’s    contacts data 
READ_PHONE_STATE Allows read access to the device’s phone    number 
SYSTEM_ALERT_WINDOW Allows an app to create windows shown on    top of all other apps. 
READ_EXTERNAL_STORAGE Allows an application to read from external storage   
RECORD_AUDIO Allows an application to record audio   
WRITE_EXTERNAL_STORAGE Allows an application to write to external    storage 

while the list of commands supported by ERMAC 2.0 to execute malicious operations is:

Command Description 
downloadingInjections Sends the application list to download injections
logs Sends injection logs to the server
checkAPCheck the application status and send it to the server 
registrationSends device data 
updateBotParamsSends the updated bot parameters 
downloadInjectionUsed to receive the phishing HTML page 

“The Threat Actor behind ERMAC used the leaked code from a well-known malware variant named “Cerberus” and modified the code to sell the Android botnets in cybercrime forums. Interestingly, we observed that ERMAC 2.0 is distributed rapidly through various phishing sites, primarily targeting Polish users.” concludes Cyble. “ERMAC 2.0 steals credentials from different crypto wallets and targets multiple banking applications worldwide. We foresee that the TA behind ERMAC 2.0 will continue to develop new versions with more targeted applications, new TTPs, and new delivery methods.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ERMAC 2.0)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment