Researchers at Cyble have discovered a new version of the Android banking trojan ERMAC, ERMAC 2.0, that targets 467 apps to steal credentials and ultimately rob victims of their hard-earned money.
The malware is distributed via fake websites. For example, a fake copy of the website of Bolt Food, a well-known food-delivery platform in Europe, was set up to target Polish users.
Once a user falls for the lure and installs the rogue app, it requests as many as 43 permissions, including permission to read external storage and to read text messages, and it also asks the user to enable the Accessibility Service for it. With Accessibility access granted, the malware can grant itself further permissions without user interaction and draw overlay windows on top of other apps.
The malware then sends the list of apps installed on the victim's Android device to its command-and-control (C2) server. The C2 responds with overlay pages for whichever of the 467 targeted apps are present, which ERMAC 2.0 uses to capture sensitive data such as login credentials. India's cryptocurrency exchange app Unocoin was one of the apps targeted in this way.
The malware stores the HTML phishing page for each target on the device. When the victim opens the real app, the malware displays its phishing page on top of it instead; the credentials entered there are sent back to the C2 server.
The attacker then uses the collected credentials to steal cryptocurrency from the victim's account.
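The permission pattern described above (SMS reading, external storage, overlay drawing and an Accessibility Service declaration in one app) is what a malware analyst looks for first when triaging a suspicious APK. The following script is an added example, not code from Cyble's report or from ERMAC itself: it parses an Android manifest and scores that combination. The two manifests embedded in it are constructed samples, not real ERMAC 2.0 droppers, and the risk weights, threshold and package names are the author's assumptions.

```python
"""Triage an Android manifest for the overlay-plus-Accessibility permission pattern.

Added example, not Cyble's or ERMAC's code. The manifests below are constructed
samples; the permission weights and threshold are assumptions chosen to reflect
the page's description (SMS reading, external storage, overlays, Accessibility).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Assumed weights. Each permission alone can be legitimate (an SMS client needs
# READ_SMS); the combination is what makes an overlay banking trojan work.
RISK_WEIGHTS = {
    "android.permission.READ_SMS": 2,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 3,       # draw overlays over other apps
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
    "android.permission.QUERY_ALL_PACKAGES": 2,        # enumerate installed apps for the C2
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_WEIGHT = 4
SCORE_THRESHOLD = 8  # assumed

# Constructed sample: a fake delivery app with the pattern the page describes.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakedelivery">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <application android:label="Food Delivery">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: a plain SMS client, which legitimately needs SMS access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.smsclient">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Messages"/>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package, set of requested permissions, declares_accessibility_service)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    # An Accessibility Service is recognised by the BIND_ACCESSIBILITY_SERVICE
    # permission on a <service> element, not by a <uses-permission> entry.
    declares_accessibility = any(
        s.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND for s in root.iter("service")
    )
    return root.get("package"), perms, declares_accessibility


def score_manifest(xml_text):
    """Score a manifest and flag it when the overlay/Accessibility combination is present."""
    pkg, perms, has_accessibility = parse_manifest(xml_text)
    hits = sorted(p for p in perms if p in RISK_WEIGHTS)
    score = sum(RISK_WEIGHTS[p] for p in hits)
    if has_accessibility:
        score += ACCESSIBILITY_WEIGHT
        hits.append(ACCESSIBILITY_BIND)
    # Overlay drawing plus Accessibility is the core of the technique, so that
    # pair flags on its own regardless of the numeric score.
    overlay_and_accessibility = (
        has_accessibility and "android.permission.SYSTEM_ALERT_WINDOW" in perms
    )
    return {
        "package": pkg,
        "permission_count": len(perms),
        "risky": hits,
        "score": score,
        "flag": overlay_and_accessibility or score >= SCORE_THRESHOLD,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(score_manifest(manifest))
```

The check deliberately keys on the `<service>` declaration rather than on a `uses-permission` line, because an app cannot request Accessibility access through the normal permission dialog; it must declare the service and then talk the user into enabling it, exactly the step the article describes. On a real sample, run this over the manifest extracted with apktool or aapt, and treat the score as a triage hint, not a verdict.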
Figure: banking applications targeted by ERMAC 2.0
Cyble notes that ERMAC is based on the known Cerberus banking trojan and warns that the operators behind ERMAC 2.0 will keep releasing new versions with improved capabilities.