The ERMAC Android banking trojan has been updated to version 2.0, raising the number of targeted applications from 378 to 467 and letting its operators steal account credentials and cryptocurrency wallet data from a considerably wider range of apps. The trojan's purpose is to send stolen login credentials to the threat actors, who use them to take over victims' banking and cryptocurrency accounts and commit financial fraud and other crimes.
ERMAC is currently offered to members of darknet forums on a subscription basis for $5,000 a month, a $2,000 increase over the first version's price that reflects the added features and the malware's popularity. The first campaign known to use ERMAC 2.0 distributed a counterfeit Bolt Food application aimed at users in Poland.
According to ESET researchers, the threat actors distributed the Android app through the website "bolt-food[.]site", impersonating the legitimate European food delivery company. The fraudulent site was still online at the time of writing. Users are most likely driven to it by phishing emails, fraudulent social media posts, smishing, malvertising and similar lures. Anyone who installs the app is immediately asked to grant it the Accessibility Service, which in practice amounts to handing over control of the device.
Once the Accessibility Service is granted, the malware can display forms that look authentic but are clones of the targeted apps' login screens, tricking the victim into entering their credentials. Cyble researchers, who analysed a sample for a more detailed technical study, confirm that after installation the malware uses the Accessibility Service to grant itself 43 permissions, including SMS access, contact access, the ability to draw system alert windows (overlays), audio recording, and full read and write access to storage.
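The permission set above is the classic overlay-banker profile: an accessibility service to self-grant permissions, SYSTEM_ALERT_WINDOW to draw the phishing page over the real app, and SMS access. The following static triage script is an added example written for this page, not code from the article, Cyble or ESET. It parses a decoded AndroidManifest.xml (as produced by apktool, not the binary manifest inside the APK), flags the permissions named in the article, detects a declared accessibility service by the BIND_ACCESSIBILITY_SERVICE protection plus the AccessibilityService intent action, and returns a verdict. The risk weights and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission classes the article attributes to ERMAC 2.0 (SMS, contacts,
# overlay windows, audio recording, storage). Weights are this example's
# own heuristic, not a published scoring scheme.
RISK_WEIGHTS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,  # draw over other apps (overlay)
    "android.permission.READ_SMS": 2,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.SEND_SMS": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.RECORD_AUDIO": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.WRITE_EXTERNAL_STORAGE": 1,
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def analyze_manifest(manifest_xml):
    """Score a decoded AndroidManifest.xml against the overlay-banker profile."""
    root = ET.fromstring(manifest_xml.strip())
    name_attr = "{%s}name" % ANDROID_NS
    perm_attr = "{%s}permission" % ANDROID_NS

    requested = {e.get(name_attr) for e in root.iter("uses-permission")}
    flagged = sorted(p for p in requested if p in RISK_WEIGHTS)
    score = sum(RISK_WEIGHTS[p] for p in flagged)

    # An accessibility service is a <service> that only the system may bind
    # (BIND_ACCESSIBILITY_SERVICE) and that filters the AccessibilityService action.
    accessibility_services = []
    for svc in root.iter("service"):
        if svc.get(perm_attr) != ACCESSIBILITY_BIND:
            continue
        actions = {a.get(name_attr) for a in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(svc.get(name_attr))
    if accessibility_services:
        score += 3

    # The combination the article describes: accessibility to self-grant
    # permissions, an overlay window for the phishing page, and SMS access.
    profile = (
        bool(accessibility_services)
        and "android.permission.SYSTEM_ALERT_WINDOW" in requested
        and any(p.endswith("_SMS") for p in flagged)
    )
    return {
        "requested_count": len(requested),
        "flagged": flagged,
        "accessibility_services": accessibility_services,
        "score": score,
        "overlay_banker_profile": profile,
    }


# Constructed sample manifest for a fake delivery app (not a real ERMAC sample).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fooddelivery">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Food">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample for an ordinary app that needs none of the above.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, analyze_manifest(xml_text))
```

A legitimate accessibility app (a screen reader, say) will also declare an accessibility service, so the verdict rests on the combination with overlay and SMS permissions rather than on any single permission; treat a hit as a reason to look at the APK, not as proof of malice.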
ERMAC enumerates the applications installed on the device and sends the list to the C2 server. The response contains encrypted HTML injection modules matching the installed targets, which the malware decrypts and stores in a SharedPreferences file named "setting.xml". When the victim launches a legitimate target app, the injection fires: the phishing page is loaded as an overlay on top of the real app, and the credentials it captures are sent to the same C2 that served the injection.
ERMAC 2.0 supports the following commands:
- downloadingInjections – Sends the installed-application list to request matching injections
- logs – Sends injection logs to the server
- checkAP – Checks the application status and sends it to the server
- registration – Sends device data
- updateBotParams – Sends the updated bot parameters
- downloadInjection – Receives the phishing HTML page
ERMAC 2.0 targets financial apps from all over the world, making it usable in a wide range of countries, and it also targets popular cryptocurrency wallets and asset management applications. According to Cyble's analysts, the second version of this capable trojan is based on the "Cerberus" malware, with which it shares many similarities.
The large number of supported targets makes this a dangerous piece of malware. Still, it is worth noting that it should run into problems on Android 11 and 12 because of the additional restrictions Google introduced to curb abuse of the Accessibility Service. To avoid infection by Android trojans, do not install APKs from sources other than the Play Store, especially from sites you have not verified as genuine, and do not grant Accessibility Service access to an app that has no obvious need for it.
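Because the infection chain hinges on a sideloaded APK holding Accessibility Service access, a quick device-side check is to cross-reference the enabled accessibility services with the installer of each third-party package. The script below is an added example for this page, not tooling from the article or the researchers it cites. It parses the output of two real commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and reports any enabled accessibility service that belongs to a third-party app not installed by the Play Store (installer `com.android.vending`). The sample outputs and the package names in them are constructed.

```python
import re

PLAY_STORE_INSTALLER = "com.android.vending"


def parse_enabled_accessibility_services(setting_value):
    """Parse the value of the secure setting 'enabled_accessibility_services'.

    The setting is a colon-separated list of flattened ComponentNames
    ('pkg/pkg.Service:other.pkg/.Svc'); 'null' means nothing is enabled.
    Returns (package, fully qualified service class) pairs.
    """
    value = setting_value.strip()
    if not value or value == "null":
        return []
    services = []
    for component in value.split(":"):
        if "/" not in component:
            continue
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):          # shorthand relative to the package name
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_installers(pm_output):
    """Parse 'pm list packages -3 -i' output into {package: installer or None}.

    Each line looks like 'package:com.foo.bar  installer=com.android.vending',
    or 'package:com.foo.bar  installer=null' for a sideloaded APK.
    """
    installers = {}
    for line in pm_output.splitlines():
        match = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if match:
            pkg, installer = match.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def suspicious_accessibility_services(setting_value, pm_output):
    """Enabled accessibility services owned by third-party apps not installed by Play.

    Packages absent from the '-3' list are system apps (TalkBack and the like)
    and are deliberately ignored; anything sideloaded or installed by another
    store that holds accessibility access is reported for manual review.
    """
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_enabled_accessibility_services(setting_value):
        if pkg not in installers:
            continue
        installer = installers[pkg]
        if installer != PLAY_STORE_INSTALLER:
            findings.append({"package": pkg, "service": cls, "installer": installer})
    return findings


# Constructed sample output; the com.example.* package names are hypothetical.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fooddelivery/.AccService"
)
SAMPLE_PM_OUTPUT = """\
package:com.example.fooddelivery  installer=null
package:com.example.messenger  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
"""

if __name__ == "__main__":
    for finding in suspicious_accessibility_services(SAMPLE_SETTING, SAMPLE_PM_OUTPUT):
        print("REVIEW:", finding)
```

On a live device, feed the two adb outputs into `suspicious_accessibility_services`. A hit only means an app outside the Play Store holds accessibility access; a user may have sideloaded a legitimate utility, so confirm with the static manifest check before uninstalling. Note that the trojan's own accessibility access lets it resist removal on some devices, so a confirmed infection is best handled from Safe Mode or with a factory reset.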