Ermac 2.0 is used to steal the credentials of banking and cryptocurrency apps by impersonating legitimate applications; researchers at Cyble Research Labs discovered that the trojan can be rented for $5,000 per month.
The previous version, Ermac 1.0, was also available for rent, but at a lower price of $3,000 per month; the higher rate reflects the greater capabilities of the new version. Whereas the trojan initially used 378 Android apps as cover for its illicit activity, the new version raises that to a set of 467 apps.
As the images below show, the malware is distributed through fake websites, built specifically for the purpose and identical in every respect to the originals, or through fake browser update notices.
Once the unsuspecting user has fallen into the trap, they download an application that requests 43 permissions (including access to external storage, access to text messages, activation of the accessibility service, and much more), with the aim of taking complete control of the infected device. Once the permissions are granted, the trojan enables its overlay activity and sends the list of applications installed on the device to the command-and-control server; those apps are then replaced with specially crafted fake versions, without the user noticing anything.
When the user opens one of these apps, they are actually directed to an HTML phishing page that captures the credentials and sends them to the server set up for that purpose. Among the hundreds of applications involved are, for example, Unocoin (an Indian cryptocurrency app) and several banking applications such as Japan's bitbank, India's IDBI Bank, Australia's Greater Bank and Santander Bank in Boston.
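The combination described above (overlay permission, SMS access, external storage and an accessibility service, plus enumeration of installed apps) is what an analyst looks for when triaging a suspicious APK. The following script is an added example, not code from the article or from Cyble: it parses an AndroidManifest.xml, flags the risky permissions and any declared accessibility service, and reports whether the overlay-plus-accessibility pairing is present. The manifest, the package name `com.example.fakeupdate` and the service name `.AccService` are constructed for illustration; the permission names and the accessibility intent action are the real Android identifiers.

```python
# Added example: triage an Android manifest for the overlay/accessibility/SMS
# permission pattern used by Android banking trojans. Not the article's code;
# the manifest below is constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Real Android permissions that, together, enable overlay phishing and 2FA theft.
RISKY_PERMISSIONS = {
    OVERLAY: "draw overlays on top of other apps",
    "android.permission.READ_SMS": "read text messages (one-time codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.READ_EXTERNAL_STORAGE": "read external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write external storage",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further packages",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed apps",
}

# Constructed manifest (hypothetical package name and service name).
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <application android:label="Browser Update">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def analyze_manifest(xml_text):
    """Parse a manifest and return a triage summary as a dict."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"

    # Every <uses-permission android:name="..."/> the app requests.
    permissions = {el.get(name_attr) for el in root.iter("uses-permission")} - {None}

    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE.
    accessibility = any(
        svc.get(perm_attr) == ACCESSIBILITY_BIND for svc in root.iter("service")
    )

    findings = [f"{p}: {RISKY_PERMISSIONS[p]}"
                for p in sorted(permissions & set(RISKY_PERMISSIONS))]
    if accessibility:
        findings.append("declares an accessibility service (can observe and act on other apps)")

    return {
        "package": root.get("package"),
        "permission_count": len(permissions),
        "accessibility_service": accessibility,
        # Overlay drawing plus accessibility is the hallmark pairing of this family.
        "overlay_and_accessibility": accessibility and OVERLAY in permissions,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze_manifest(CONSTRUCTED_MANIFEST)
    print(f"package: {report['package']}  permissions: {report['permission_count']}")
    for line in report["findings"]:
        print("  -", line)
    if report["overlay_and_accessibility"]:
        print("VERDICT: overlay + accessibility pairing present; treat as suspicious")
```

Run it on a manifest extracted from an APK (for example with apktool) and review the findings; a high permission count on its own is not proof of malice, but the overlay and accessibility pairing alongside SMS access is the pattern worth escalating.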
Cyble researchers also note that Ermac is based on the well-known Cerberus malware, which means that those behind Ermac 2.0 will certainly continue to create new and more advanced versions of the trojan; the fact that it is available for "rent" makes it even more dangerous, since anyone can decide to use it for their own purposes.
Although devices running Android 11 and Android 12 appear to be relatively safe (thanks to the restrictions on abuse of the accessibility service compared with earlier versions), the advice for protecting yourself is always the same: download applications only from the Play Store, avoid little-known third-party sources, and be wary of unknown developers.
Written by Matteo with love from Italy