ESET cybersecurity researchers have discovered a new version of ERMAC, the Android banking Trojan first seen in 2021. It targets 467 apps in order to steal credentials and hard-earned money.
The malware is spreading through fake websites. For example, a fake version of the site of Bolt Food, a well-known food delivery platform in Europe, was created to target Polish users.
When a user falls prey and downloads the malicious app, it demands as many as 43 permissions, including permission to read from external storage and to read text messages, and it demands that accessibility services be turned on. If this is allowed, it starts misusing the service by enabling overlay activity and granting permissions.
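The permission profile described above can be checked statically before an app is allowed onto managed devices. The following is an added example, not code from ESET or Cyble: it assumes a manifest already decoded to text XML (for example by apktool), and the 30-permission threshold, package names, service name and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# The two permissions the article names explicitly.
NAMED_PERMS = {"android.permission.READ_SMS",
               "android.permission.READ_EXTERNAL_STORAGE"}
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
MANY_PERMS = 30  # assumed review threshold; the app in the article asked for 43


def triage_manifest(xml_text):
    """Score a decoded (text) AndroidManifest.xml against the article's traits."""
    root = ET.fromstring(xml_text)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        requested |= {e.get(ANDROID + "name") for e in root.iter(tag)}
    requested.discard(None)
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = [s.get(ANDROID + "name") for s in root.iter("service")
            if s.get(ANDROID + "permission") == BIND_A11Y]
    findings = []
    if NAMED_PERMS <= requested:
        findings.append("requests SMS and external-storage read access")
    if a11y:
        findings.append("declares an accessibility service")
    if len(requested) >= MANY_PERMS:
        findings.append("requests %d permissions" % len(requested))
    # Legitimate apps can show one or two traits; flag only the full combination.
    return {"package": root.get("package"), "permission_count": len(requested),
            "accessibility_services": a11y, "findings": findings,
            "needs_review": len(findings) == 3}


def sample_manifest(package, perms, with_a11y):
    """Build a constructed manifest for the demo; not taken from a real sample."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    svc = ('<service android:name=".HypotheticalService" android:permission="%s"/>'
           % BIND_A11Y) if with_a11y else ""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s<application>%s</application></manifest>'
            % (package, uses, svc))


# Constructed inputs: a 43-permission app with the traits above, and a plain one.
SUSPECT = sample_manifest("com.example.fooddelivery", sorted(NAMED_PERMS) +
                          ["com.example.permission.P%d" % i for i in range(41)], True)
BENIGN = sample_manifest("com.example.notes", ["android.permission.INTERNET"], False)

if __name__ == "__main__":
    for manifest in (SUSPECT, BENIGN):
        print(triage_manifest(manifest))
```

A hit is a reason for manual review rather than a verdict, since the check looks only at what the manifest declares.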
The malware then sends a list of the apps installed on the victim’s Android device to the command and control server. Based on the response it receives, it carefully overlays the legitimate app to gain access to sensitive data and authentication details. The Indian crypto app Unocoin was one of the apps targeted this way.
The malware then stores the HTML phishing page on the device. When the victim uses the targeted real app, the phishing page is displayed instead, and the credentials are stolen and sent back to the command and control server.
Hackers then use the information they collect to steal cryptocurrencies from the victim’s account.
Banking applications covered by ERMAC 2.0
Cyble points out that ERMAC is based on a well-known malware family called Cerberus and warns that the people behind ERMAC 2.0 will continue to create new, extended versions.