Background

'ERMAC 2.0' Marks The Return Of The Notorious Malware-as-a-Service Banking Trojan


Financial data is valuable, not only because it is sensitive, but because it also gives access to money.

This is why financial data is considered one of the most sought-after and most valuable kinds of user data. Hackers are always seeking ways to obtain it, whatever the cost.

And among the most popular ways to obtain it is a banking trojan.

On Android, one of the most notorious banking malware families is ERMAC, first discovered in 2021.

Behind ERMAC is the creator of the BlackRock malware.

A year after the malware was found targeting 378 banking apps, an even more powerful ERMAC has been seen in the wild.

According to cybersecurity firm ESET, an ERMAC 2.0 infection can be really nasty.

The ERMAC 2.0 malware targets 467 apps on Android devices in order to steal users’ credentials and banking information.

When it was first found, ERMAC 2.0 was targeting people in Poland.

ERMAC 2.0 works by impersonating popular, genuine apps; in this case, it was initially found impersonating the Bolt Food delivery service.

“We have observed that the ERMAC 2.0 is being delivered through fake sites,” Cyble Labs noted in a blog post.

The experts added that ERMAC 2.0 also spreads through fake browser update sites.

When the malware-infested app is installed and executed, it unpacks the DEX file present in the assets folder and then loads all of its classes.

It then quickly prompts the user to turn on the Accessibility Service.

When the victim grants this permission, ERMAC 2.0 starts abusing its elevated privilege by auto-enabling overlay activity and auto-granting other permissions.

Once the Accessibility permission is granted, ERMAC 2.0 sends a list of the apps installed on the victim’s Android device to its command-and-control server and installs the needed overlays by downloading the appropriate injection modules.
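As an added illustration (not code from the article, Cyble or ESET), here is a static triage check for the dropper traits described above: a DEX payload hidden in the assets folder, an accessibility service declaration, and the overlay permission. It assumes the APK has already been decoded to plain-XML form with apktool; the sample layout, package name and file names are constructed for the demo.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
DEX_MAGIC, ZIP_MAGIC = b"dex\n", b"PK\x03\x04"  # a .jar/.apk payload is a zip
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
# Capabilities the article says ERMAC 2.0 abuses (real Android permission names)
ABUSED = {OVERLAY, "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
          "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
          "android.permission.WRITE_EXTERNAL_STORAGE"}

def triage(decoded_dir):
    """Static indicators of an ERMAC-style dropper in an apktool-decoded APK directory."""
    root = ET.parse(os.path.join(decoded_dir, "AndroidManifest.xml")).getroot()
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    a11y = any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY for s in root.iter("service"))
    hidden_code = []
    for dirpath, _, files in os.walk(os.path.join(decoded_dir, "assets")):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                magic = fh.read(4)
            # A packed/encrypted payload hides the magic, so the file name is a second hint
            if magic in (DEX_MAGIC, ZIP_MAGIC) or name.endswith((".dex", ".jar", ".apk")):
                hidden_code.append(os.path.relpath(path, decoded_dir))
    return {
        "permission_count": len(perms),
        "abused": sorted(perms & ABUSED),
        "accessibility_service": a11y,
        "hidden_code": sorted(hidden_code),
        # the combination the article describes: accessibility + overlays + code in assets
        "suspicious": a11y and OVERLAY in perms and bool(hidden_code),
    }

def build_sample():
    """Constructed decoded-APK layout mimicking the dropper (sample data, not real ERMAC)."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "assets"))
    names = sorted(ABUSED) + ["android.permission.INTERNET", "android.permission.REQUEST_INSTALL_PACKAGES"]
    manifest = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fake">'
                + "".join(f'<uses-permission android:name="{n}"/>' for n in names)
                + f'<application><service android:name=".A11y" android:permission="{ACCESSIBILITY}"/></application></manifest>')
    with open(os.path.join(d, "AndroidManifest.xml"), "w") as fh:
        fh.write(manifest)
    with open(os.path.join(d, "assets", "data.bin"), "wb") as fh:
        fh.write(DEX_MAGIC + b"035\x00" + b"\x00" * 32)  # only the DEX header magic
    return d
```

Run `triage(build_sample())` to see the constructed dropper layout flagged; point `triage` at a real apktool output directory to score an actual sample.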

ERMAC 2.0-infested apps not only target multiple banking apps worldwide, they also target various cryptocurrency wallets.

But what makes ERMAC 2.0 extremely dangerous is the number of permissions it grants itself upon installation, which can go up to 43 different permissions.

Besides stealing sensitive information using overlays, ERMAC 2.0 can access users' messages and contacts, turn on the microphone and camera, create system alert windows, and read and write the full storage.

In other words, if all the permissions ERMAC 2.0 asks for are granted, hackers may be able to take full control of a victim's device.

Whereas the original ERMAC has become a Malware-as-a-Service (MaaS) that can be rented for $3,000 a month, ERMAC 2.0 is more expensive, with a starting price of $5,000 a month.

Several restrictions placed on Accessibility Service abuse protect devices.

Fortunately for Android users, several restrictions have been placed on the Accessibility Service to prevent abuse on devices running Android 11 and 12. People should be able to avoid most, if not all, instances of ERMAC 2.0 if they stick to downloading apps through the Google Play Store.

But, as always, users should remain vigilant.

Published: 25/05/2022