KEY POINTS

  • Cybersecurity firm ThreatFabric published a blog post discussing the new threat
  • The malware is reportedly almost totally based on Cerberus
  • Called ERMAC, the malware poses a threat to banking and wallet apps

Malicious actors behind the advanced mobile malware Blackrock have returned with a more vicious Android banking trojan dubbed ERMAC. According to cybersecurity experts, the malware steals financial data from banking and wallet apps.

The newly discovered Android malware was reported by the Dutch cybersecurity firm ThreatFabric. Threat actors reportedly began ERMAC's first major campaign in late August, when the malware masqueraded as Google Chrome.

Since then, ERMAC has expanded the apps it impersonates to include banking apps, delivery services, government applications, media players and even antivirus products such as McAfee.
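Because the lures above work by borrowing a trusted brand's name, one practical check on a device or an MDM inventory is to compare each app's launcher label against the package names the real vendor actually ships. The script below is an added example, not ThreatFabric's code or anything from the article: the installed-app list is constructed, the legitimate package names for Chrome (com.android.chrome) and McAfee Mobile Security (com.wsandroid.suite) are taken from their Play Store listings and should be verified against your own baseline, and the "installed from Play Store" signal is a general heuristic the article does not mention.

```python
"""Flag installed Android apps whose label impersonates a well-known brand.

Added example. Input mirrors what `pm list packages` plus a label lookup
would give; every entry in SAMPLE_APPS is constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class InstalledApp:
    label: str      # name shown in the launcher
    package: str    # Android package name
    installer: str  # package that installed it ("" if unknown / sideloaded)


# Legitimate package names for brands the article says ERMAC has imitated.
# Taken from the vendors' Play Store listings; confirm against your baseline.
KNOWN_BRANDS: Dict[str, Set[str]] = {
    "chrome": {"com.android.chrome"},
    "mcafee": {"com.wsandroid.suite"},
}
PLAY_STORE = "com.android.vending"


def brand_of(label: str) -> Optional[str]:
    """Return the known brand a label claims, matching on whole words only."""
    words = set(re.findall(r"[a-z0-9]+", label.lower()))
    for brand in KNOWN_BRANDS:
        if brand in words:
            return brand
    return None


def suspicious_apps(apps: List[InstalledApp]) -> List[Tuple[InstalledApp, str]]:
    """Return (app, reason) for apps whose label claims a brand but whose
    package name is not one the brand legitimately ships."""
    findings = []
    for app in apps:
        brand = brand_of(app.label)
        if brand is None or app.package in KNOWN_BRANDS[brand]:
            continue
        reason = f"label claims {brand} but package is {app.package}"
        if app.installer != PLAY_STORE:
            reason += " (not installed from Play Store)"
        findings.append((app, reason))
    return findings


# Constructed inventory: two genuine apps, two brand impersonators, one
# unbranded lure that this check cannot catch on its own.
SAMPLE_APPS = [
    InstalledApp("Chrome", "com.android.chrome", PLAY_STORE),
    InstalledApp("Google Chrome", "com.example.chrome.update", ""),
    InstalledApp("McAfee Security", "com.wsandroid.suite", PLAY_STORE),
    InstalledApp("McAfee", "org.example.fake.antivirus", ""),
    InstalledApp("Parcel Tracker", "pl.example.delivery", ""),
]

if __name__ == "__main__":
    for app, reason in suspicious_apps(SAMPLE_APPS):
        print(f"{app.package}: {reason}")
```

Label matching is only a first-pass heuristic: it catches the Chrome and McAfee style of lure but says nothing about the delivery-service and government-app disguises, which have no single legitimate package to compare against. For those, an allowlist of approved packages or a check on the signing certificate is the stronger control.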


Experts believe that hackers have their eyes on Poland.

"At the time of writing this blog we see ERMAC targeting Poland and being distributed under the guise of delivery service and government applications," ThreatFabric CEO Cengiz Han Sahin said in a blog post.

ERMAC is almost entirely based on the infamous banking trojan Cerberus. Like its progenitor and other banking malware, ERMAC is designed to steal contact information and text messages.

It can also open arbitrary applications and execute overlay attacks against a vast range of financial apps to obtain login credentials. The banking malware also comes with features that let it clear the cache of a particular app and steal the accounts saved on the device.

"The story of ERMAC shows one more time how malware source code leaks can lead not only to slow evaporation of the malware family but also bring new threats/actors to the threat landscape," ThreatFabric said.

"Being built on Cerberus basement, ERMAC introduces a couple of new features. Although it lacks some powerful features like RAT, it remains a threat for mobile banking users and financial institutions all over the world," the cybersecurity firm noted in the same blog post.

ThreatFabric also revealed the list of ERMAC-targeted applications. It includes Usługi Bankowe, WiZink, tu banco senZillo, Santander Argentina, Touch 24 Banking BCR and Volksbank hausbanking.

Apps like My AMP, Bankwest, CommBiz, CUA Mobile Banking, HSBC Australia, ING Australia Banking, Macquarie Authenticator, Macquarie Mobile Banking, ME Bank, NAB Mobile Banking, NPBS Mobile Banking, myRAMS, Suncorp Bank, UBank Mobile Banking, CA Mobile, Tangerine Mobile Banking and Bitcoin & Ripple Wallet, are also included in the list of ERMAC-targeted apps.

At the time of writing, the cybersecurity firm listed 378 banking and wallet apps targeted by the malware.