Skip to content

New Android malware targets financial data from over 370 banking apps

New Android malware targets financial data from over 370 banking apps

Researchers have discovered a new Android banking trojan named ERMAC that has its origins in the notorious Cerberus malware, capable of stealing data from over 370 banking and wallet apps.

The first efforts using ERMAC which was developed by the same group that created the BlackRock mobile virus is thought to have started in late August under cover of the Google Chrome app, according to the CEO of ThreatFabric, Cengiz Han Sahin, who announced in an emailed statement that apparently:

“The new trojan already has active distribution campaigns and is targeting 378 banking and wallet apps with overlays.”

It has now been discovered that banking, media players, delivery services, government applications, and antivirus solutions such as McAfee are all being targeted by the assaults.

Forum posts reveal findings

Notably, the findings of the Dutch cybersecurity firm, which are almost entirely based on the notorious banking trojan Cerberus, come from forum posts made by an actor named DukeEugene last month on August 17.  

DukeEugene invited prospective customers:

“To rent a new android botnet with wide functionality to a narrow circle of people for $3,000 a month.”

In particular, DukeEugene is well-known for his role as the actor behind the BlackRock campaign, which came about in July 2020. The information stealer and keylogger derived from another banking strain known as Xerxes, the LokiBot Android banking Trojan. 

It is noteworthy; the source code was made public by the malware’s creator in May of this year, and is among the most sophisticated data theft tools ever developed.

A threat for mobile and financial institutions

Interestingly, ThreatFabric also noted the absence of new BlackRock samples after the advent of ERMAC, suggesting “DukeEugene switched from using BlackRock to ERMAC.” Like Cerberus, the newly found strain uses obfuscation and Blowfish encryption to interact with the command-and-control server.

The Dutch researchers said about ERMRAC:

Although it lacks some powerful features like remote access trojan (RAT), it remains a threat for mobile banking users and financial institutions all over the world.”

To acquire login credentials, ERMAC uses overlay attacks against various financial apps to steal login credentials. It has also created new capabilities to clear an app’s cache and steal accounts saved on the device.


Best Crypto Exchange for Intermediate Traders and Investors

  • Invest in 70+ cryptocurrencies and 3,000+ other assets including stocks and precious metals.

  • 0% commission on stocks - buy in bulk or just a fraction from as little as $10. Other fees apply. For more information, visit

  • Copy top-performing traders in real time, automatically.

  • eToro USA is registered with FINRA for securities trading.

30+ million Users
eToro is a multi-asset investment platform. The value of your investments may go up or down. Your capital is at risk. eToro USA LLC does not offer CFDs, only real Crypto assets available. Don’t invest unless you’re prepared to lose all the money you invest.

Read Next:

Weekly Finance Digest

By subscribing you agree with Finbold T&C’s & Privacy Policy

Related posts

Disclaimer: The information on this website is for general informational and educational purposes only and does not constitute financial, legal, tax, or investment advice. This site does not make any financial promotions, and all content is strictly informational. By using this site, you agree to our full disclaimer and terms of use. For more information, please read our complete Global Disclaimer.