ERMAC 2.0 Android Banking Trojan targets over 400 apps

A new version of the ERMAC Android banking trojan is able to target an increased number of apps.

The ERMAC Android banking trojan version 2.0 can target an increasing number of applications, passing from 378 to 467 target applications to steal account credentials and crypto-wallets.

ERMAC was first spotted by researchers from Threatfabric in July 2021, it is based on the popular banking trojan Cerberus. The source code of Cerberus was released in September 2020 on underground hacking forums after its operators failed an auction.

According to the experts, ERMAC is operated by threat actors behind the BlackRock mobile malware.

ERMAC 2.0 was discovered by ESET researchers after a campaign impersonating Bolt Food targeted Polish users. The malware is available for rent on underground forums for $5000 per month since March 2022.

A new #Android banker ERMAC 2.0 impersonates #Bolt Food and targets Polish users.
Available for rent on underground forums for $5K/month since March 2022, ERMAC 2.0 already has an active campaign. #ESETresearch @LukasStefanko 1/3

— ESET research (@ESETresearch) May 18, 2022

ERMAC 2.0 is able to steal credentials for financial and cryptocurrency apps included in the list of targeted apps that are sent by the C2.

The researchers also shared indicators of compromise (IoCs) for this version.

Distribution: bolt-food[.]site
Dropper: 301E2AB9707ABE193BB627C60F5E4B8736C86FE9
Payload: CCADCC836F3B6FC80FB3C49D507099846B5B71B3
C&C: 193.106.191[.]116, 193.106.191[.]148, 193.106.191[.]121, 185.215.113[.]100, 193.106.191[.]118#ESETresearch 3/3

— ESET research (@ESETresearch) May 18, 2022

Researchers from Cyble analyzed the malware after the initial discovery made by ESET

ERMAC first determines what applications are installed on the host device and then sends the information to the C2 server.

Researchers from Cyble published a technical analysis of the malware after the initial discovery made by ESET. The malicious app asks for 43 permissions, of which the TA exploits 12. Below is the list of permission requested to conduct malicious activities and take over the infected device:  

Permission  Description  REQUEST_INSTALL_PACKAGES Allows an application to request installing    packages CALL_PHONE Allows an application to initiate a phone call   without going through the Dialer user    interface for the user to confirm the call RECEIVE_SMS Allows an application to receive SMS messages READ_SMS Allows an application to read SMS messages SEND_SMS Allows an application to send SMS    messages READ_CONTACTS Allows an application to read the user’s    contacts data READ_PHONE_STATE Allows read access to the device’s phone    number SYSTEM_ALERT_WINDOW Allows an app to create windows shown on    top of all other apps. READ_EXTERNAL_STORAGE Allows an application to read from external storage   RECORD_AUDIO Allows an application to record audio   WRITE_EXTERNAL_STORAGE Allows an application to write to external    storage 

while the list of commands supported by ERMAC 2.0 to execute malicious operations is:

Command Description downloadingInjections Sends the application list to download injectionslogs Sends injection logs to the servercheckAPCheck the application status and send it to the server registrationSends device data updateBotParamsSends the updated bot parameters downloadInjectionUsed to receive the phishing HTML page 

“The Threat Actor behind ERMAC used the leaked code from a well-known malware variant named “Cerberus” and modified the code to sell the Android botnets in cybercrime forums. Interestingly, we observed that ERMAC 2.0 is distributed rapidly through various phishing sites, primarily targeting Polish users.” concludes Cyble. “ERMAC 2.0 steals credentials from different crypto wallets and targets multiple banking applications worldwide. We foresee that the TA behind ERMAC 2.0 will continue to develop new versions with more targeted applications, new TTPs, and new delivery methods.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit:

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, ERMAC 2.0)

The post ERMAC 2.0 Android Banking Trojan targets over 400 apps appeared first on Security Affairs.

Recent Posts
Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt