An infamous Android banking trojan has gotten a major update, growing more dangerous – but also more expensive. Cybersecurity researchers from Cyble and ESET recently discovered version 2.0 of ERMAC being advertised on the dark web, for a monthly subscription rate of $5,000 (up from $3,000 a month for the earlier version).
The spike in subscription cost is not just due to inflation – it’s also due to version 2.0 coming with a lot more features. It is now capable of stealing login information and other sensitive data from 467 applications, up from the previous 378.
Overlaying legit apps
When a victim installs ERMAC on its endpoint, the malware requests permissions to the Accessibility Service, which give it complete control over the device. Researchers have found that the trojan grants itself 43 permissions, including SMS access, contact access, system alert window creation, audio recording, and full storage read and write access.
After that, it’s able to mimic different apps and steal sensitive data(opens in new tab). Once it gets the necessary permissions, it scans the device for apps installed, and sends the data over to its C2 server. The server then responds with injection modules in encrypted HTML form, which the trojan decrypts and places into the Shared Preference file under “setting.xml” filename. When the victim tries to launch an app, the trojan will instead launch a phishing page over the actual app’s interface, thus harvesting the data.
Researchers have already spotted ERMAC 2.0 in the wild, as well. An unknown threat actor tried to impersonate(opens in new tab) the Bold Food application (a food delivery service in Europe) and attack consumers in Poland.
A fake Bolt Food website was brought up (defunct at press time), which was most likely advertised through social media and phishing emails.
Fake apps are a common weapon in cybercriminals’ arsenal, which is why it’s important to only download apps from a known, legitimate source.