Hackers paying $5K/month to gain access to 467 Android apps to steal banking info
ESET cybersecurity researchers have discovered a new version of 2021's Android Banking Trojan ERMAC that is targeting 467 apps for stealing credentials and rob you of your hard-earned money.
A new #Android banker ERMAC 2.0 impersonates #Bolt Food and targets Polish users.
— ESET research (@ESETresearch) May 18, 2022
Available for rent on underground forums for $5K/month since March 2022, ERMAC 2.0 already has an active campaign. #ESETresearch@LukasStefanko 1/3 pic.twitter.com/hGeD4ZSwve
ERMAC 2.0 aims to steal victims’ credentials for financial and cryptocurrency apps and it does so by impersonating apps.
Cyble Research Labs probed further and found that bad actors can rent it for a monthly fee of $5,000. It's worth mentioning that ERMAC 1.0, which targeted 378 apps, was being rented out for $3,000 a month, so the new high fee reflects the increased potential of the new version.
The malware is being spread through fake websites. For instance, a fake version of Bolt Food's site, which is a famous food delivery platform in Europe, has been created to target Polish users.
It's also being distributed through scammy browser update sites.
Once a user falls prey and downloads a fraudulent app, it asks for as many as 43 permissions, such as allowing it to read from external storage and letting it read text messages, and also asks the user to turn on the Accessibility Service. When that's granted, it starts misusing services by enabling overlay activity and granting permissions.
The malware then sends a list of apps installed on the victim's Android device to the Command and Control server. It then receives a response with the help of which it discreetly overlays legitimate apps and gains access to sensitive data and dangerous authorizations. India's crypto app Unocoin was amongst the apps targeted this way.
The malware then stores an HTML phishing page on the device and when the victim uses the targeted genuine app, the phishing page is displayed instead to steal credentials, which are then sent back to the Command and Control server.
The hacker then uses the harvested information to steal cryptocurrency from the user's account.
The report also mentions some of the phishing pages that are being used to trick the victims and includes banking applications of several well-known organizations such as Japan's bitbank, India's IDBI Bank, Australia's Greater Bank, and Boston-based Santander Bank.
Banking applications targeted by ERMAC 2.0
Cyble notes that ERMAC is based on a well-known malware called Cerberus and cautions that the people behind ERMAC 2.0 will continue to make new versions with enhanced capabilities.
BleepingComputer says that thanks to the restrictions placed on Accessibility Service abuse, phones running Android 11 and 12 don't have much to worry about, but still advises users to avoid downloading apps from outside Google's Play Store, especially those that don't seem legitimate. Perhaps Apple has a point after all when it talks about not allowing sideloading?
If you don't want to leave your security to chance, you can use a service like ExpressVPN.
Things that are NOT allowed: