An infamous Android banking Trojan has received a major update, becoming more dangerous – but also more expensive.
Cybersecurity researchers from Cyble and ESET recently discovered that ERMAC version 2.0 was advertised on the dark web, for a monthly subscription fee of $5,000 (compared to $3,000 per month for the previous version).
The price jump isn’t just inflation – version 2.0 also ships with considerably more features. It is now able to steal login credentials and other sensitive data from 467 apps, up from 378 previously.
Overlay legitimate apps
When a victim installs ERMAC on their device, the malware requests permissions from the accessibility service, giving the malware full control over the device. Researchers found that the Trojan grants itself 43 permissions, including SMS access, contacts access, creating system alert windows, recording audio, and full read and write access to storage.
After that it is able to imitate different applications and steal sensitive data. Once it gets the necessary permissions, it scans the device for installed apps and sends the list to its C2 server. The server then responds with injection modules in encrypted HTML form, which the Trojan decrypts and places in the shared preferences file under the filename “setting.xml”. When the victim tries to launch a targeted app, the Trojan instead launches a phishing page on top of the real app’s interface, harvesting the data the victim enters.
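The two behaviours described above (an app combining accessibility-service control with overlay windows and broad permissions, and injection HTML parked in a shared preferences file) are both checkable during device or APK triage. The following is an added example, not code from the original article or from the researchers it cites: a small Python triage helper that scores a constructed app permission profile and scans an Android shared_prefs XML file for values that look like HTML. The permission names are real Android ones; the profile dict layout, the package name, the preference keys and the sample file contents are constructed for illustration, and the base64 check is an assumption about how an injection might be stored, not something the article states.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Indicator groups drawn from the article's description: overlay windows,
# SMS access, and the other sensitive permissions ERMAC grants itself.
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
OTHER_SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def permission_findings(profile):
    """Return a list of human-readable findings for one app profile.

    `profile` is a constructed dict (assumed layout, not a real API):
    {"package": str, "uses_permissions": set[str], "accessibility_service": bool}
    """
    perms = set(profile["uses_permissions"])
    findings = []
    # The combination that enables credential overlays: the app can draw on
    # top of other apps AND observe/drive the UI through accessibility.
    if profile["accessibility_service"] and perms & OVERLAY_PERMS:
        findings.append("accessibility service plus overlay window (credential-overlay pattern)")
    elif profile["accessibility_service"]:
        findings.append("declares an accessibility service")
    if perms & SMS_PERMS:
        findings.append("SMS access")
    hits = sorted(perms & OTHER_SENSITIVE)
    if len(hits) >= 3:
        short = ", ".join(p.rsplit(".", 1)[1] for p in hits)
        findings.append("broad sensitive access: " + short)
    return findings


# Markup that has no business inside an ordinary preference value.
HTML_MARKERS = re.compile(r"<(html|form|input|script)\b", re.IGNORECASE)


def _candidate_texts(value):
    """Yield the raw value and, if it is valid base64, its decoded form."""
    yield value
    try:
        decoded = base64.b64decode(value, validate=True)
        yield decoded.decode("utf-8", errors="ignore")
    except (binascii.Error, ValueError):
        return


def shared_prefs_html_keys(xml_text):
    """Return the keys of <string> entries whose value looks like HTML.

    Android shared_prefs files are a <map> of typed children; only the
    <string> entries can carry an injected page, so the rest are skipped.
    """
    root = ET.fromstring(xml_text)
    flagged = []
    for elem in root:
        if elem.tag != "string":
            continue
        text = elem.text or ""
        if any(HTML_MARKERS.search(t) for t in _candidate_texts(text)):
            flagged.append(elem.get("name", ""))
    return flagged


# Constructed sample data (not taken from any real sample or device).
SAMPLE_PROFILE = {
    "package": "com.example.fooddelivery",  # hypothetical package name
    "uses_permissions": {
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_CONTACTS",
        "android.permission.RECORD_AUDIO",
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
    "accessibility_service": True,
}

_B64_FORM = base64.b64encode(b"<form><input name='otp'></form>").decode()
SAMPLE_PREFS = f"""<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="theme">dark</string>
    <int name="launch_count" value="3" />
    <string name="api_base">https://example.invalid/</string>
    <string name="com.example.bank">&lt;html&gt;&lt;form action=&quot;/login&quot;&gt;&lt;input name=&quot;pin&quot;&gt;&lt;/form&gt;&lt;/html&gt;</string>
    <string name="inj_b64">{_B64_FORM}</string>
</map>
"""

if __name__ == "__main__":
    for f in permission_findings(SAMPLE_PROFILE):
        print("permissions:", f)
    for key in shared_prefs_html_keys(SAMPLE_PREFS):
        print("shared_prefs key holding HTML:", key)
```

On the constructed sample the permission check reports three findings (the overlay pattern, SMS access, and the broad-access group) and the shared_prefs scan flags the two keys holding markup while ignoring the theme string, the integer and the URL. In practice the profile would be filled from `aapt dump badging` or the decoded manifest, and the XML fed in from a `shared_prefs/` directory pulled during triage.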
Researchers have also already spotted ERMAC 2.0 in the wild. An unknown threat actor attempted to impersonate the Bolt Food app (a food delivery service in Europe) and is attacking consumers in Poland.
A fake Bolt Food website was set up (it had disappeared by press time), which was most likely advertised via social media and phishing emails.
Fake apps are a common weapon in cybercriminals’ arsenals, which is why it’s important to only download apps from a known, legitimate source.
Via: BleepingComputer