Look out – this Android malware can take over your banking and crypto accounts


A new version of the ERMAC Android banking trojan has been released, allowing the malware to target a wider range of applications from which to steal account credentials and cryptocurrency.

In addition to new features, ERMAC 2.0 has also seen its price increase from $2,000 to $5,000 per month on dark web forums where cybercriminals purchase access to the malware to use in their cyberattacks.

Once deployed, the goal of this trojan is to steal login credentials from unsuspecting users, which are then used to take over their banking and cryptocurrency accounts and commit fraud, according to BleepingComputer.

Distributed through fake apps

Just like with other malware strains, ERMAC 2.0 is distributed using fake apps which are downloaded and installed directly onto an Android smartphone as opposed to through the Google Play Store.

Security researchers at the cybersecurity firm ESET discovered that a fake Bolt Food application is currently being used to distribute ERMAC 2.0 in Poland. The malicious app impersonates the legitimate food delivery service but, fortunately, the fake site used by the cybercriminals behind this latest malware campaign has been taken down.

Before it was taken down, links to the site were likely sent to potential victims through phishing emails, social media posts or by SMS. If a user did manage to download the fake app via the site, a permission request popped up when the app first opened asking them to give it full control of their device.

With access to Android’s Accessibility Services, the fake app is able to serve application overlays that are used to steal login details from users who think they are inputting their credentials in Bolt Food’s legitimate app.

ERMAC 2.0 supports an extensive list of apps

While version 1.0 of ERMAC was capable of targeting 378 different applications including the apps of many popular banks, version 2.0 has bumped up the number of supported apps to 467.

Going forward, we’ll likely see other campaigns impersonating popular apps in order to distribute ERMAC 2.0. According to a blog post from the threat intelligence company Cyble, ERMAC’s creators already have a number of overlays set up to steal user credentials from IDBI Bank, Santander, GreaterBank and Bitbank.

One of the reasons that ERMAC 2.0 is so dangerous is the number of permissions it grants itself upon installation. With access to 43 different permissions, the malware is able to access your SMS messages, contacts, microphone and device storage.

How to protect yourself from Android malware and banking trojans


The simplest and easiest way to protect yourself and your devices from malware and banking trojans is not to install apps from unknown sources and instead to use the Google Play Store, Amazon Appstore or the Samsung Galaxy Store.

Although installing an app using an APK file can be fast and convenient, these installation files aren’t checked for malware and other threats, which could lead to you falling victim to fraud or, even worse, identity theft.

At the same time, you should always be wary when granting permissions in Android. Not every app needs to access your camera, microphone or storage to function properly, and cybercriminals often exploit Android’s Accessibility Services to give their fake apps more features.
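For readers who want to check a sideloaded app for the pattern described above (an accessibility service combined with SMS, contacts, microphone or storage permissions), here is an added example that is not from the article, ESET or Cyble. It reads an AndroidManifest.xml that has already been decoded to text (for example with apktool); the sample manifest, its package name and the "review" threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permission groups the article names: SMS, contacts, microphone, storage.
SENSITIVE = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
}
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# General draw-over-other-apps permission; the article does not say ERMAC requests it.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample manifest (hypothetical package, not a real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakedelivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Summarise requested permissions and declared accessibility services."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    requested.discard(None)
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    services = [s.get(ANDROID + "name") for s in root.iter("service")
                if s.get(ANDROID + "permission") == A11Y]
    groups = sorted({SENSITIVE[p] for p in requested if p in SENSITIVE})
    return {
        "package": root.get("package"),
        "permission_count": len(requested),
        "sensitive_groups": groups,
        "accessibility_services": services,
        "draws_overlays": OVERLAY in requested,
        # Assumed triage rule: accessibility service plus two or more sensitive groups.
        "review": bool(services) and len(groups) >= 2,
    }

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

A "review" result is a prompt to look closer, not a verdict: legitimate accessibility tools also declare such a service.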

Anthony Spadafora
Managing Editor Security and Home Office
