A new Android malware called ERMAC steals financial data from banking and wallet apps. It is run by the operators of the BlackRock mobile malware, currently targets Poland, and is derived from the Cerberus malware.
According to ThreatFabric’s CEO Cengiz Han Sahin, “The new trojan already has active distribution campaigns and is targeting 378 banking and wallet apps with overlays. First campaigns involving ERMAC are believed to have begun in late August under the guise of the Google Chrome app.”
The malware has since expanded its target list to include media players, delivery services, government applications, and antivirus solutions such as McAfee. According to the Dutch security firm’s findings, it is largely based on the notorious banking trojan Cerberus. One of the threat actors, DukeEugene, posted in a forum last month, on August 17, inviting prospective customers to “rent a new android botnet with wide functionality to a narrow circle of people” for $3,000 a month.
The same threat actor was behind the earlier BlackRock campaign discovered in July 2020. That campaign featured a number of data theft capabilities, with the info stealer and keylogger originating from another banking strain called Xerxes, itself a strain of the LokiBot Android banking Trojan whose source code was made public by its author around May 2019.
In September 2020, the Cerberus source code was released for free as a remote access trojan (RAT) on underground hacking forums, after an auction that sought $100,000 for the developer failed.
According to ThreatFabric, “DukeEugene switched from using BlackRock in its operations to ERMAC.” Beyond its similarities with Cerberus, the newly discovered strain is notable for its use of obfuscation techniques and of the Blowfish encryption scheme to communicate with its command-and-control server.
Like its ancestors and other banking malware of this lineage, ERMAC is designed to steal contact information and text messages, open arbitrary applications, and trigger overlay attacks against a multitude of financial apps to capture login credentials. It has also gained the ability to clear the cache of a specific application and to steal accounts stored on the device.
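Overlay attacks of the kind described above work by drawing a look-alike window over the real banking app so that the victim types credentials into the attacker's window, or so that taps pass through an invisible window into the real one. The following Android snippet is an added example, not code from the article or from ThreatFabric, showing the defensive check a banking app can apply on its login screen: the password field drops any touch delivered while another window obscures it, and the login button inspects the touch flags itself so that the app can warn the user and report the event to a fraud team. The `LoginActivity` class, the `R.layout.activity_login`, `R.id.password` and `R.id.login_button` resources, and the telemetry hook are hypothetical; `setFilterTouchesWhenObscured`, `MotionEvent.FLAG_WINDOW_IS_OBSCURED` and `MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED` are real Android SDK APIs.

```java
// Added example (not from the article or ThreatFabric): overlay-resistant login screen.
// Assumes a hypothetical LoginActivity with a "password" field and a "login_button".
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Button;
import android.widget.EditText;
import android.widget.Toast;

public class LoginActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);   // hypothetical layout resource

        EditText password = findViewById(R.id.password);   // hypothetical ids
        Button login = findViewById(R.id.login_button);

        // Platform-level filter (API 9+): the view silently discards any touch whose
        // window is obscured by another window. Equivalent to
        // android:filterTouchesWhenObscured="true" in the layout XML. Because the
        // event is dropped before listeners run, use this where no reaction is needed.
        password.setFilterTouchesWhenObscured(true);

        // Explicit check on the button instead of the filter, so the app can tell the
        // user why the tap was ignored and emit a telemetry event for the fraud team.
        login.setOnTouchListener(this::rejectObscuredTouch);
    }

    // Returns true (consumes the event) when another window overlaps ours at the
    // moment of the touch; returns false so the normal click handler runs otherwise.
    private boolean rejectObscuredTouch(View v, MotionEvent event) {
        int flags = event.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        // FLAG_WINDOW_IS_PARTIALLY_OBSCURED was added in API 29 (Android 10).
        boolean partiallyObscured = Build.VERSION.SDK_INT >= 29
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;

        if (obscured || partiallyObscured) {
            Toast.makeText(this,
                    "Another app is drawing over this screen. Close it and try again.",
                    Toast.LENGTH_LONG).show();
            // Hypothetical telemetry hook: report an "overlay_detected_on_login" event
            // with device model and OS version so the fraud team can spot campaigns.
            return true;
        }
        return false;
    }
}
```

The two mechanisms are deliberately split: once `setFilterTouchesWhenObscured(true)` is set on a view, obscured touches never reach its listeners, so a view that should react to an overlay (log it, warn the user) must do the flag check itself. Android 12 and later additionally block touches that pass through untrusted overlays from other apps at the platform level, but the in-app check still matters on the older devices that make up much of the installed base targeted by this family.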
The researchers said, “The story of ERMAC shows one more time how malware source code leaks can lead not only to slow evaporation of the malware family but also bring new threats/actors to the threat landscape. Although it lacks some powerful features like RAT, it remains a threat for mobile banking users and financial institutions all over the world.”