- Cybersecurity firm ThreatFabric published a blog post discussing the new threat
- The malware is reportedly almost totally based on Cerberus
- Called ERMAC, the malware poses a threat to banking and wallet apps
Malicious actors behind the advanced mobile malware Blackrock have returned with a more vicious Android banking trojan dubbed ERMAC. According to cybersecurity experts, the malware steals financial data from banking and wallet apps.
The newly discovered Android malware was reported by the Dutch cybersecurity firm ThreatFabric. Threat actors reportedly launched ERMAC’s first major campaign in late August, in which the malware masqueraded as Google Chrome.
Since then, ERMAC’s targets have expanded to include banking apps, delivery services, government applications, media players and even antivirus solutions such as McAfee.
Experts believe that hackers have their eyes on Poland.
“At the time of writing this blog we see ERMAC targeting Poland and being distributed under the guise of delivery service and government applications,” ThreatFabric’s CEO Cengiz Han Sahin said in a blog post.
ERMAC is almost entirely based on the infamous banking trojan Cerberus. Like its progenitor and other banking malware, ERMAC is designed to steal contact information and text messages.
It can also open arbitrary applications and execute overlay attacks against a vast range of financial apps to obtain login credentials. The banking malware also comes with features enabling it to clear the cache of a particular app and steal accounts saved on the device.
“The story of ERMAC shows one more time how malware source code leaks can lead not only to slow evaporation of the malware family but also bring new threats/actors to the threat landscape,” ThreatFabric said.
“Being built on Cerberus basement, ERMAC introduces a couple of new features. Although it lacks some powerful features like RAT, it remains a threat for mobile banking users and financial institutions all over the world,” the cybersecurity firm noted in the same blog post.