Posted on September 28, 2021 at 8:23 AM

Research Uncovers Malware that Steals Financial Data from 378 Android Apps

Smartphones are prone to hacking attacks that are usually triggered by the download of certain applications. The recent report covering this issue has uncovered a new malware targeting certain apps downloaded to Android devices.

The recent malware that is targeting banking and wallet applications on Android devices is ERMAC. The banking trojan has been developed by the same threat actors who are attributed to the BlackRock mobile malware.

The Android banking trojan application targets users who are based in Poland. Forensics on the hacking tool also shows that it has a relationship with the Cerberus malware famed for compromising several devices.

Targeting 378 Banking and Wallet Apps

In an email sent by the CEO of ThreatFabric, Cengiz Han Sahin, he stated that “The new trojan already has active distribution campaigns and is targeting 378 banking and wallet apps with overlays.”

The first campaigns conducted using this malware were first detected towards the end of August. The ERMAC trojan hid itself as a Google Chrome app, which made it easy for it to infiltrate user devices and gain access to sensitive information.

However, the kinds of attacks conducted by this malware have changed over the latest weeks. The malware is currently targeting different applications that are linked to sectors such as banking, delivery services, antivirus solutions, government applications and delivery services.

The recent data also shows that the new trojan software is based on the Cerberus banking trojan. This trojan is infamous for conducting a series of attacks on banking and wallet platforms, leaving user data exposed to compromise.

ThreatFabric also stated that the recent research into this malware was triggered by different forum posts that were made on August 17 by a threat actor. At the time, the threat actor stated that he was looking to “rent a new android botnet with wide functionality to a narrow circle of people.” The threat actor stated that he would rent this botnet for $3000 per month.

The forum post was created by DukeEugene, who is also attributed to being behind the BlackRock campaign. This campaign was uncovered in July 2020. The campaign caused major harm to the compromised devices because it could gain access to banking data. Some of the features of this campaign included data theft, and its functionality was believed to originate from yet another banking trojan dubbed Xerxes.

The Xerxes banking strain is also attributed to the LokiBot Android banking trojan that was uncovered several years back. In May 2019, the creator of the LokiBot trojan made public the source code used to develop it.

However, the strains that have followed the LokiBot trojan have depicted slight adjustments that are aimed at boosting efficiency and functionality. In September last year, the Cerberus trojan had its own source code that was released as a free remote access trojan (RAT). This trojan was used on dark web hacking forums after its developer failed to sell it for $100,000 during an auction.

ERMAC has Improved Features

The report by ThreatFabric also shows that the ERMAC trojan is a more improved version of the BlackRock campaign. The BlackRock campaign was ceased ever since the ERMAC trojan came into play showing that the actor behind its development preferred the latter.

In its report, the Dutch cybersecurity firm stated that “DukeEugene switched from using BlackRock in its operations to ERMAC.” However, ERMAC still shares several similarities with Cerberus. One of these features is an obfuscation feature that allows the trojan to operate undetected.

The other similarity between ERMAC and Cerberus is that they both deploy the Blowfish encryption scheme to communicate with the command-and-control server, which gives the trojan enhance access over the compromised device.

The ERMAC malware was created with the intention of stealing data from the compromised device. Some of the details that this malware seeks to steal includes text messages, opening arbitrary applications and triggering a series of overlay attacks that allows the trojan to change login credentials against different financial applications.

The ERMAC malware has also been upgraded with new features, which allow the malware to clear the cache of a given application and steal the credentials stored on that device.

In its report, ThreatFabric also noted that, “The story of ERMAC shows one more time how malware source code leaks can lead not only to slow evaporation of the malware family but also bring new threats/actors to the threat landscape. Although it lacks some powerful features like RAT, it remains a threat for mobile banking users and financial institutions all over the world.”