New Android malware targets financial data from over 370 banking apps

Researchers have discovered a new Android banking trojan named ERMAC that has its origins in the notorious Cerberus malware, capable of stealing data from over 370 banking and wallet apps.

The first campaigns using ERMAC, which was developed by the same group that created the BlackRock mobile malware, are thought to have started in late August, with the trojan disguised as the Google Chrome app. ThreatFabric CEO Cengiz Han Sahin said in an emailed statement:

“The new trojan already has active distribution campaigns and is targeting 378 banking and wallet apps with overlays.”

The attacks have since been found to target banking apps as well as media players, delivery services, government applications, and antivirus solutions such as McAfee.

Forum posts reveal findings

Notably, the Dutch cybersecurity firm's findings on the trojan, which is almost entirely based on the notorious banking trojan Cerberus, come from forum posts made by an actor named DukeEugene on August 17 last month.

DukeEugene invited prospective customers:

“To rent a new android botnet with wide functionality to a narrow circle of people for $3,000 a month.”

In particular, DukeEugene is well known as the actor behind the BlackRock campaign, which emerged in July 2020. That information stealer and keylogger was derived from another banking strain known as Xerxes, itself derived from the LokiBot Android banking trojan.

Notably, Xerxes's source code was made public by the malware's creator in May of this year, and it is among the most sophisticated data theft tools ever developed.

A threat for mobile and financial institutions

Interestingly, ThreatFabric also noted the absence of new BlackRock samples after the advent of ERMAC, suggesting that "DukeEugene switched from using BlackRock to ERMAC." Like Cerberus, the newly found strain uses obfuscation and Blowfish encryption to communicate with its command-and-control server.

The Dutch researchers said about ERMAC:

"Although it lacks some powerful features like remote access trojan (RAT), it remains a threat for mobile banking users and financial institutions all over the world."

To acquire login credentials, ERMAC uses overlay attacks against various financial apps. It has also gained new capabilities to clear an app's cache and steal accounts saved on the device.
