New Android malware targets financial data from over 370 banking apps

New Android malware targets financial data from over 370 banking apps
9 months ago
2 mins read

Researchers have discovered a new Android banking trojan named ERMAC that has its origins in the notorious Cerberus malware, capable of stealing data from over 370 banking and wallet apps.

The first efforts using ERMAC which was developed by the same group that created the BlackRock mobile virus is thought to have started in late August under cover of the Google Chrome app, according to the CEO of ThreatFabric, Cengiz Han Sahin, who announced in an emailed statement that apparently:

“The new trojan already has active distribution campaigns and is targeting 378 banking and wallet apps with overlays.”

It has now been discovered that banking, media players, delivery services, government applications, and antivirus solutions such as McAfee are all being targeted by the assaults.

Forum posts reveal findings

Notably, the findings of the Dutch cybersecurity firm, which are almost entirely based on the notorious banking trojan Cerberus, come from forum posts made by an actor named DukeEugene last month on August 17.  

DukeEugene invited prospective customers:

“To rent a new android botnet with wide functionality to a narrow circle of people for $3,000 a month.”

In particular, DukeEugene is well-known for his role as the actor behind the BlackRock campaign, which came about in July 2020. The information stealer and keylogger derived from another banking strain known as Xerxes, the LokiBot Android banking Trojan. 

It is noteworthy; the source code was made public by the malware’s creator in May of this year, and is among the most sophisticated data theft tools ever developed.

A threat for mobile and financial institutions

Interestingly, ThreatFabric also noted the absence of new BlackRock samples after the advent of ERMAC, suggesting “DukeEugene switched from using BlackRock to ERMAC.” Like Cerberus, the newly found strain uses obfuscation and Blowfish encryption to interact with the command-and-control server.

The Dutch researchers said about ERMRAC:

Although it lacks some powerful features like remote access trojan (RAT), it remains a threat for mobile banking users and financial institutions all over the world.”

To acquire login credentials, ERMAC uses overlay attacks against various financial apps to steal login credentials. It has also created new capabilities to clear an app’s cache and steal accounts saved on the device.

What we like:

Highly credible broker

Perfect for beginners

Protected by insurance

80+ cryptocurrencies to invest

Latest News

Join us on Twitter or Telegram

Or follow us on Flipboard Flipboard

Like the article? Vote up or share on your social media

Recommended content

Weekly Finance Digest

By subscribing you agree with Finbold T&C’s

Jordan Major

Jordan is an investor and market analyst. He's passionate about stocks, ETFs, blockchain, and digital assets. At Finbold.com, he delves into the technicalities to obtain future trends for new market traders and gives insights into user-friendly platforms for beginners.