Advanced! This is How Bank Account Draining Malware Works

Cybersecurity researchers at ESET have discovered a new version of the Ermac malware, a banking trojan that drains its victims' accounts.

According to the ESET researchers, Ermac 2.0 steals its victims' personal data by targeting 467 financial and cryptocurrency applications. It does so by imitating those applications.


According to Cyble Research Labs, criminals are able to rent this trojan for USD 5000 per month. Ermac 1.0, which targets 368 applications, rents for USD 3000 per month; the higher fee reflects the greater capabilities and potential of Ermac 2.0.



Ermac 2.0 is spread via fake websites. One example is a clone of the Bolt Food website, a food delivery platform in Europe, which was created to target users in Poland, as Phone Arena reported on Sunday (29/5/2022).

It is also distributed through fake "site update" pages.


When a victim is deceived into downloading the fake application, Ermac 2.0 asks for access to data on the phone, including permission to read external storage and to write SMS messages.

The victim is also asked to turn on the Accessibility Service. Once those permissions are granted, the malware abuses the service to launch its overlay activity and to grant itself various other permissions.


The malware then sends a list of the applications installed on the victim's phone to its command-and-control server, which responds with details of which of those applications hold sensitive data and should be targeted.


In the researchers' notes, an Indian crypto application called Unocoin is one of the applications targeted by Ermac 2.0.

The malware then stores a phishing HTML page on the device. When the victim opens the genuine targeted application, the phishing page is displayed over it to capture the victim's login data, which is sent back to the command-and-control server.
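As an added defender's illustration (not code from ESET, Cyble or this article), the Python below triages an Android manifest for the permission combination the infection chain above relies on: external storage access, SMS, an Accessibility Service binding and a screen overlay. The mapping from those capabilities to permission names is an assumption, and both manifests are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission names assumed to map onto the capabilities the
# article lists: external storage read, SMS, and screen overlay.
CAPABILITIES = {
    "external_storage": {"android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.WRITE_EXTERNAL_STORAGE"},
    "sms": {"android.permission.SEND_SMS", "android.permission.WRITE_SMS",
            "android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
# Accessibility access is declared on a <service>, not via <uses-permission>.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml: str) -> dict:
    """Return which risky capabilities a manifest requests and whether all of
    them appear together, the combination the article describes for Ermac 2.0."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    found = {cap: sorted(requested & names) for cap, names in CAPABILITIES.items()}
    found["accessibility"] = [s.get(NAME) for s in root.iter("service")
                              if s.get(PERMISSION) == ACCESSIBILITY]
    hit_count = sum(1 for v in found.values() if v)
    return {"capabilities": found, "hit_count": hit_count,
            "full_pattern": hit_count == len(found)}

# Constructed manifests for illustration; not taken from any real sample.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.fooddelivery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".OverlayAccessibilityService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SUSPICIOUS_MANIFEST))
```

A full match is a triage signal for closer review, not proof of malware; legitimate accessibility tools can request some of these too.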


The next step is, of course, predictable: the attackers use the stolen credentials to drain money and crypto assets from victims' accounts.


Various reports also state that the phishing pages are used to deceive customers of banks in several countries, including Bitbank in Japan, IDBI Bank in India, Greater Bank in Australia, and Santander Bank from Boston.


According to Cyble, Ermac is based on the well-known Cerberus malware, and Cyble warns that the makers of Ermac 2.0 will continue to release new versions with more advanced capabilities.


Fortunately, because of the new Accessibility Service restrictions in Android 11 and 12, users of phones running those versions have less to worry about. But you should still be careful when an application asks for a lot of access to the phone.
