Researchers have discovered a new Android banking trojan named ERMAC that has its origins in the notorious Cerberus malware, capable of stealing data from over 370 banking and wallet apps.
The first campaigns using ERMAC, which is thought to have been developed by the same group that created the BlackRock mobile malware, are believed to have started in late August under the guise of the Google Chrome app, according to ThreatFabric CEO Cengiz Han Sahin, who said in an emailed statement:
“The new trojan already has active distribution campaigns and is targeting 378 banking and wallet apps with overlays.”
The attacks have since been found to target not only banking apps but also media players, delivery services, government applications, and antivirus solutions such as McAfee.
Forum posts reveal findings
Notably, the findings of the Dutch cybersecurity firm about the trojan, which is almost entirely based on the notorious banking trojan Cerberus, come from forum posts made by an actor named DukeEugene on August 17 last month.
DukeEugene invited prospective customers:
“To rent a new android botnet with wide functionality to a narrow circle of people for $3,000 a month.”
In particular, DukeEugene is well-known as the actor behind the BlackRock campaign, which emerged in July 2020. That information stealer and keylogger was derived from another banking strain known as Xerxes, itself based on the LokiBot Android banking trojan.
It is noteworthy that the malware's source code was made public by its creator in May of this year, and that it is among the most sophisticated data theft tools ever developed.
A threat for mobile and financial institutions
Interestingly, ThreatFabric also noted the absence of new BlackRock samples after the advent of ERMAC, suggesting “DukeEugene switched from using BlackRock to ERMAC.” Like Cerberus, the newly found strain uses obfuscation and Blowfish encryption to interact with the command-and-control server.
The Dutch researchers said about ERMAC:
“Although it lacks some powerful features like remote access trojan (RAT), it remains a threat for mobile banking users and financial institutions all over the world.”
ERMAC uses overlay attacks against various financial apps to steal login credentials. It has also gained new capabilities to clear an app's cache and steal accounts saved on the device.
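The overlay attacks described above work by drawing a fake login window on top of the genuine app, so a defensive check a banking app can make is to refuse touches that reach its login controls through another window. The following Android (Java) snippet is an added example written for this article, not code from ThreatFabric or from any of the apps mentioned; the class name OverlayAwareButton and the log tag are assumptions. It uses the platform's own obscured-touch flags, which Android sets when a touch is delivered while another window covers the view.

```java
// Added defensive example (hypothetical class, not from the article):
// a login button that drops touches delivered through an overlay window.
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class OverlayAwareButton extends Button {
    private static final String TAG = "OverlayGuard"; // assumed log tag

    public OverlayAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Framework-level protection: the view ignores touches while it is
        // fully covered by another window (for example an overlay).
        setFilterTouchesWhenObscured(true);
    }

    // Called by the framework before a touch is dispatched; returning false
    // discards the event. We extend the built-in check to partial overlays
    // (FLAG_WINDOW_IS_PARTIALLY_OBSCURED exists from Android 10 / API 29).
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        int flags = event.getFlags();
        boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        boolean partiallyObscured =
                (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        if (obscured || partiallyObscured) {
            // Log for the app's own telemetry; the touch is not acted upon.
            Log.w(TAG, "Touch on login control arrived through another window; dropped");
            return false;
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Use the class in the login layout in place of a plain Button. The check only tells the app that something is drawn over it, not what; it is one mitigation layer alongside keeping apps off untrusted sources and reviewing which installed apps hold the "draw over other apps" permission.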