Hackers pay $5K/month to access 467 Android apps to steal banking information

Written by admin

ESET cybersecurity researchers have discovered a new 2021 version of the Android Banking Trojan ERMAC that targets 467 apps to steal credentials and rob you of your hard-earned money.

ERMAC 2.0 aims to steal victims’ credentials for financial and cryptocurrency apps and does so by impersonating apps.
Cyble Research Labs investigated further and found that bad actors can rent it for a monthly fee of $5,000. It’s worth noting that ERMAC 1.0, which focused on 378 apps, was rented out for $3,000 per month, so the new high fee reflects the new version’s increased potential.

The malware is distributed via fake websites. For example, a fake version of the site of Bolt Food, a famous food delivery platform in Europe, was created to target Polish users.

It is also distributed through browser update scam sites.

Once a user falls prey and downloads a rogue app, it asks for as many as 43 permissions, such as reading from external storage and reading text messages, and also asks the user to enable the accessibility service. Once granted, it abuses that service to launch overlay activity and to grant itself further permissions.

The malware then sends a list of the apps installed on the victim’s Android device to the Command and Control server. The server’s response tells it which legitimate apps to discreetly overlay, giving it access to sensitive data and dangerous authorizations. India’s crypto app Unocoin was one of the apps targeted in this way.

The malware then stores an HTML phishing page on the device, and when the victim opens the targeted real app, it displays the phishing page instead to steal credentials, which are then sent back to the Command and Control server.
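One defender-side triage check for the permission and overlay pattern described above, written here as an added example rather than code from the article or from the Cyble/ESET reports: it parses an AndroidManifest.xml (a constructed sample is embedded) and flags an app that hosts an accessibility service alongside storage, SMS and overlay permissions. The manifest permission names are assumed mappings for the permissions the article mentions, and the "suspicious" threshold is a heuristic, not a published rule.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Manifest names for the storage and SMS permissions the article mentions, plus the
# overlay permission the described screen-overlay tactic relies on (assumed mapping).
RISKY_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def triage_manifest(manifest_xml: str) -> dict:
    """Flag the accessibility + overlay + data-access combination in a manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}
    # An app hosts an accessibility service when a <service> is guarded by
    # BIND_ACCESSIBILITY_SERVICE and filters the AccessibilityService action.
    hosts_accessibility = any(
        svc.get(PERMISSION) == ACCESSIBILITY_BIND
        and ACCESSIBILITY_ACTION in {a.get(NAME) for a in svc.iter("action")}
        for svc in root.iter("service")
    )
    risky = sorted(requested & RISKY_PERMISSIONS)
    return {
        "permission_count": len(requested),
        "risky_permissions": risky,
        "accessibility_service": hosts_accessibility,
        "overlay_capable": "android.permission.SYSTEM_ALERT_WINDOW" in requested,
        # Heuristic: accessibility plus two or more risky grants deserves manual review.
        "suspicious": hosts_accessibility and len(risky) >= 2,
    }


# Constructed sample manifest (not from a real sample) showing the pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Acc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""
```

Run it against a manifest pulled from an APK with apktool or aapt to get the same dictionary for a real sample.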

The hacker then uses the collected information to steal cryptocurrency from the user’s account.

The report also shows some of the phishing pages used to trick victims, which imitate the banking applications of several well-known organizations such as Japan’s Bitbank, India’s IDBI Bank, Australia’s Greater Bank and Boston-based Santander Bank.

Cyble notes that ERMAC is based on a known malware called Cerberus and warns that the folks behind ERMAC 2.0 will continue to create new versions with improved capabilities.

BleepingComputer says that thanks to restrictions on accessibility service abuse, phones running Android 11 and 12 shouldn’t worry, but still advises users to avoid downloading apps from outside of Google’s Play Store, especially apps that don’t seem legitimate. Maybe Apple has a point when it comes to not allowing sideloading?
If you don’t want to leave your security to chance, you can use a service like ExpressVPN.
