New ERMAC 2.0 Trojan Variant Actively Targeting Android Users

Researchers have discovered a new malware variant of the Android banking trojan ERMAC, identified as ERMAC 2.0. This new malware variant impersonates various apps to steal users’ credentials and crypto wallets.

ERMAC 2.0 Android Trojan Variant Arrives

Sharing the details in a Twitter thread, ESET researchers have highlighted the ERMAC 2.0 trojan variant as a potent threat.

ERMAC is a known Android banking trojan that infects devices by mimicking different financial apps. And now, ERMAC 2.0 has arrived as an improved variant that impersonates various applications in a huge number.

As revealed, the researchers noticed the malware mimicking the Bolt Food app to target Polish users. The threat actors behind ERMAC 2.0 have put the trojan for rent on underground markets for $5000 per month. And it seems the malware has gained enough traction as, since its advertisement in March 2022, it has been active in numerous campaigns in the wild.

In a subsequent analysis, Cyble researchers explained that they found the new variant targeting 467 apps in the campaigns. Apart from mimicking apps like Bolt Food, the malware also reaches target devices via fake browser updates.

Once reached, the malware asks the user for permission to access Accessibility Service, which enables it to gain persistence. It then displays screen overlays and auto-grants other permissions to take control of the target device. It also gathers a list of all installed apps and forwards it to the C&C. In response, the server sends over the corresponding injection modules according to the target app list.

Ultimately, the goal of the malware is to steal credentials and cryptocurrency wallets by displaying phishing overlays.

Cyble has shared the detailed technical analysis of the malware in a post. Describing ERMAC 2.0, they stated,

The Threat Actor behind ERMAC used the leaked code from a well-known malware variant named “Cerberus” and modified the code to sell the Android botnets in cybercrime forums…
ERMAC 2.0 steals credentials from different crypto wallets and targets multiple banking applications worldwide.

Stay Wary Of Untrusted Apps

Since the trojan spreads by mimicking different apps, Android users must avoid downloading apps from untrusted sources. Even when downloading apps from the official Google Play Store, users must go for the trusted, known developers to download apps. Regardless of the number of downloads or customer reviews, users must not download any apps from random unknown developers.

Besides, securing devices with a robust anti-malware solution is vital to fending off such threats.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients