This Android malware targets passwords from almost 500 apps

System Hardening Android
(Image credit: Google)

An infamous Android banking trojan has gotten a major update, growing more dangerous - but also more expensive.

Cybersecurity researchers from Cyble and ESET recently discovered version 2.0 of ERMAC being advertised on the dark web, for a monthly subscription rate of $5,000 (up from $3,000 a month for the earlier version).

The spike in subscription cost is not just due to inflation - it’s also due to version 2.0 coming with a lot more features. It is now capable of stealing login information and other sensitive data from 467 applications, up from the previous 378. 

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

<a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" target="_blank">Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the <a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" data-link-merchant="polls.futureplc.com"" target="_blank">end of this survey to get the bookazine, worth $10.99/£10.99.

Overlaying legit apps

When a victim installs ERMAC on its endpoint, the malware requests permissions to the Accessibility Service, which give it complete control over the device. Researchers have found that the trojan grants itself 43 permissions, including SMS access, contact access, system alert window creation, audio recording, and full storage read and write access.

After that, it’s able to mimic different apps and steal sensitive data. Once it gets the necessary permissions, it scans the device for apps installed, and sends the data over to its C2 server. The server then responds with injection modules in encrypted HTML form, which the trojan decrypts and places into the Shared Preference file under “setting.xml” filename. When the victim tries to launch an app, the trojan will instead launch a phishing page over the actual app’s interface, thus harvesting the data.

Researchers have already spotted ERMAC 2.0 in the wild, as well. An unknown threat actor tried to impersonate the Bold Food application (a food delivery service in Europe) and attack consumers in Poland. 

A fake Bolt Food website was brought up (defunct at press time), which was most likely advertised through social media and phishing emails. 

Fake apps are a common weapon in cybercriminals’ arsenal, which is why it’s important to only download apps from a known, legitimate source. 

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.