A mass phishing campaign has been discovered delivering malicious Android executables to drop ERMAC banking trojan.

About the ERMAC campaign

  • According to Cyble researchers, threat actors mimicked several popular and legitimate websites to deliver ERMAC in the ongoing phishing campaign.
  • They manipulated users to download fake applications impersonating Google Wallet, PayPal, VidMate, and Snapchat.
  • Further, the threat actors used typosquatted domains of popular Android application hosting platforms such as Google PlayStore, APKPure, and APKCombo.

ERMAC timeline/history

ERMAC Android malware was first discovered in late August 2021, targeting users in Poland.
  • ERMAC 1.0 utilized 378 apps and was being rented for $3,000 a month.
  • ERMAC 2.0, discovered in May 2022, is available on underground cybercrime forums for rent at $5K/month and can target 467 applications.

Key capabilities

  • ERMAC is capable of stealing sensitive data such as contacts and SMSes from infected devices.
  • The malware can capture the list of installed applications to steal credentials by loading phishing pages on the victim’s device screen.

Conclusion

Impersonating popular applications and websites enable hackers to launch promising and convincing phishing campaigns. The recent upgrade of ERMAC malware indicates that Android users have to be extra careful with downloading and accessing apps. Reduce the risk of falling victim to such campaigns by using only official platforms.
Cyware Publisher

Publisher

Cyware