ERMAC 2.0, the Android malware that steals passwords

What is ERMAC 2.0

In 2021, researchers discovered a malware called ERMAC that attacks Android devices. Cybersecurity researchers classify the ERMAC 2.0 threat as an Android banking Trojan. The threat is sold to any interested cybercriminal on underground hacker forums. The creators of ERMAC 2.0 have priced access to their harmful threat at $5000 per month.

How it works

The Trojan tries to masquerade as the legitimate Bolt Food app. Once fully installed on the Android device, ERMAC 2.0 can perform many intrusive actions. The malware can intercept, read and send SMS messages, access incoming notifications or send fake ones, mute the device and lock the screen. Through ERMAC 2.0, attackers can access victims’ Gmail messages, view their contact lists, and record a list of all installed applications. ERMAC 2.0’s capabilities don’t stop there. The Trojan can also make phone calls to specific numbers, forward incoming calls, and run keylogger routines to capture sensitive data such as account credentials, banking information, crypto wallet passphrases, and more.

According to researchers at Cyble, once the user taps Accept, the fake app is granted around 43 permissions. These include system alert window creation, SMS access, contact access, audio recording, and full read/write access to storage.

The commands supported by ERMAC 2.0 are the following:

logs – Sends injection logs to the server
checkAP – Checks the application status and sends it to the server
registration – Sends device data
downloadingInjections – Sends the application list in order to download injections
updateBotParams – Sends the updated bot parameters
download injection – Used to receive the phishing HTML page

The banking apps targeted by ERMAC 2.0 include institutions worldwide, making the malware suitable for deployment in many countries. Moreover, popular cryptocurrency wallet and asset management apps are targeted too.

Cyble’s analysts have found many similarities to the “Cerberus” malware, so it appears that the second version of the powerful Trojan is based on it.

The extensive list of apps supported makes this a potent malware. Still, it’s worth noting that it would stumble into problems in Android versions 11 and 12, thanks to the additional restrictions that Google added to prevent Accessibility Service abuse. To prevent infections from Android trojans, avoid downloading APKs from outside the Play Store, especially from websites you haven’t confirmed as legitimate.

Once someone installs ERMAC 2.0 through a spoofed app, the malware requests up to 43 permissions on the user’s device. If granted, these permissions may allow attackers to control the victim’s device completely: read SMS, access contacts, create a system notification window, record audio, and read and write the whole storage.
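The permission profile described above (overlay window, SMS, contacts, audio, storage, plus an accessibility service) is unusual for a food-delivery app and is something a reviewer can check before a sample ever runs. The following is an added example, not code from the article or from Cyble’s analysis: it parses an AndroidManifest.xml (the manifest below is constructed, and the package name and component names are made up), maps the requested permissions onto the capability buckets the article names, and flags an app whose profile looks like a banking Trojan’s. The threshold of four buckets is an assumption chosen for illustration.

```python
"""Heuristic manifest triage for the permission profile the article
attributes to ERMAC 2.0.  Added example; the manifests are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability buckets named in the article, mapped to the real
# android.permission.* names that grant them.
RISKY_BUCKETS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "calls": {"android.permission.CALL_PHONE"},
}

# Constructed manifest resembling a fake delivery app (hypothetical names).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fake.food">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed manifest for a benign app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def parse_manifest(xml_text):
    """Return requested permissions plus whether the app declares an
    accessibility service or a device-admin receiver."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Accessibility services and device admins are not <uses-permission>
    # entries; they are components guarded by BIND_* permissions.
    accessibility = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service"))
    device_admin = any(
        r.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver"))
    return {"permissions": perms, "accessibility": accessibility,
            "device_admin": device_admin}


def triage(info, max_expected=25, threshold=4):
    """Score the manifest: one point per risky capability bucket present,
    one more if the raw permission count is implausibly large."""
    hits = {b for b, names in RISKY_BUCKETS.items() if info["permissions"] & names}
    if info["accessibility"]:
        hits.add("accessibility")
    if info["device_admin"]:
        hits.add("device_admin")
    findings = sorted(hits)
    score = len(hits)
    if len(info["permissions"]) > max_expected:
        findings.append(f"excessive_permission_count:{len(info['permissions'])}")
        score += 1
    return {"findings": findings, "score": score, "suspicious": score >= threshold}


if __name__ == "__main__":
    for label, manifest in (("fake food app", SUSPICIOUS_MANIFEST),
                            ("benign app", BENIGN_MANIFEST)):
        print(label, triage(parse_manifest(manifest)))
```

The check is deliberately coarse: a legitimate app can need one or two of these buckets, so the signal is the combination of overlay, SMS, accessibility and device-admin together, which is the pattern that lets a banking Trojan draw phishing overlays and read one-time codes.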

ERMAC 2.0 impersonates popular and genuine apps, according to cybersecurity experts.

At the same time, the malware can build a list of the apps installed on the victim’s device and send that data to the attacker’s C2 server, according to Tech Radar. This enables a targeted phishing scheme that collects the user’s credentials every time they log into one of the affected apps.

Some phishing pages used to trick victims include banking apps such as Japan’s bitbank, India’s IDBI Bank, Australia’s Greater Bank and Boston-based Santander Bank.

How to protect from ERMAC 2.0

Restrictions that Google placed on the Accessibility Service protect Android 11 and 12 devices, according to BleepingComputer. Even so, users are advised to avoid downloading apps from outside the Google Play Store, and to check an app’s legitimacy even when it is listed on the Play Store.

To keep running undisturbed on the compromised device, ERMAC 2.0 can kill more than 130 antivirus and battery optimizer applications. The threat can also hide its icon, disable the accessibility block, and prevent victims from deleting it manually. Attackers can instruct the malware to open links in the device’s web browser, delete the app’s data, and escalate its privileges to device administrator. The consequences for ERMAC victims can be devastating: attackers may gather enough information to take over paid accounts, social media accounts, and digital wallets.