- Cybersecurity firm ThreatFabric posted a blog post about the new threat
- The malware is believed to be almost completely Cerberus-based
- Called ERMAC, the malware poses a threat to banking and wallet applications
The malicious actors behind the advanced Blackrock mobile malware are back with a more vicious Android banking Trojan dubbed ERMAC. According to cybersecurity experts, the malware steals financial data from banking apps and wallets.
The recently discovered Android malware was reported by Dutch cybersecurity company ThreatFabric. Threat actors reportedly began ERMAC’s first major campaign at the end of August, where the malware masqueraded as Google Chrome.
Since then, ERMAC campaigns have multiplied, with the malware impersonating banking apps, delivery services, government apps, media players and even anti-virus solutions such as McAfee.
Experts believe that the hackers have their sights set on Poland.
“As of this writing, we see ERMAC targeting Poland and being distributed under the guise of delivery services and government applications,” ThreatFabric CEO Cengiz Han Sahin said in a blog post.
ERMAC is almost entirely based on the infamous Cerberus banking Trojan. Like its original and other banking malware, ERMAC is developed to steal contact information and text messages.
It can also open arbitrary applications and perform overlay attacks against a wide range of financial applications to gain login credentials. The banking malware also comes with features that allow it to clear the cache of a particular app and steal accounts saved on the device.
“The story of ERMAC once again shows how malware source code leaks can not only slow the evaporation of the malware family, but also bring new threats / players into the threat landscape,” ThreatFabric said.
“Being built on the basement of Cerberus, ERMAC introduces some new features. Although it lacks powerful features like RAT, it remains a threat to mobile banking users and financial institutions around the world,” noted the cybersecurity company in the same blog post.
ThreatFabric also unveiled the list of applications targeted by ERMAC. This includes Usługi Bankowe, WiZink, tu banco senZillo, Santander Argentina, Touch 24 Banking BCR and Volksbank hausbanking.
Apps like My AMP, Bankwest, CommBiz, CUA Mobile Banking, HSBC Australia, ING Australia Banking, Macquarie Authenticator, Macquarie Mobile Banking, ME Bank, NAB Mobile Banking, NPBS Mobile Banking, myRAMS, Suncorp Bank, UBank Mobile Banking, CA Mobile, Tangerine Mobile Banking and Bitcoin & Ripple Wallet are also included in the list of applications targeted by ERMAC.
As of this writing, cybersecurity companies have listed 378 banking and wallet apps targeted by said malware.