An infamous Android banking trojan has gotten a major update, growing more dangerous - but also more expensive.
Cybersecurity researchers from Cyble and ESET recently discovered version 2.0 of ERMAC being advertised on the dark web, for a monthly subscription rate of $5,000 (up from $3,000 a month for the earlier version).
The spike in subscription cost is not just due to inflation - it’s also due to version 2.0 coming with a lot more features. It is now capable of stealing login information and other sensitive data from 467 applications, up from the previous 378.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
Overlaying legit apps
When a victim installs ERMAC on its endpoint, the malware requests permissions to the Accessibility Service, which give it complete control over the device. Researchers have found that the trojan grants itself 43 permissions, including SMS access, contact access, system alert window creation, audio recording, and full storage read and write access.
After that, it’s able to mimic different apps and steal sensitive data (opens in new tab). Once it gets the necessary permissions, it scans the device for apps installed, and sends the data over to its C2 server. The server then responds with injection modules in encrypted HTML form, which the trojan decrypts and places into the Shared Preference file under “setting.xml” filename. When the victim tries to launch an app, the trojan will instead launch a phishing page over the actual app’s interface, thus harvesting the data.
Researchers have already spotted ERMAC 2.0 in the wild, as well. An unknown threat actor tried to impersonate (opens in new tab) the Bold Food application (a food delivery service in Europe) and attack consumers in Poland.
> This dangerous new Android trojan can hijack your Facebook account (opens in new tab)
> This nasty Android trojan tricks you with a fake Google Play Store page (opens in new tab)
> Beware, this new Android banking malware could hijack your phone (opens in new tab)
A fake Bolt Food website was brought up (defunct at press time), which was most likely advertised through social media and phishing emails.
Fake apps are a common weapon in cybercriminals’ arsenal, which is why it’s important to only download apps from a known, legitimate source.
- Prevent malware from wreaking havoc with the best antivirus solutions around (opens in new tab)
Via: BleepingComputer (opens in new tab)