
ERMAC Android malware source code leak exposes banking trojan infrastructure


The source code for version 3 of the ERMAC Android banking trojan has been leaked online, exposing the internals of the malware-as-a-service platform and the operator’s infrastructure.

The code base was discovered in an open directory by Hunt.io researchers while scanning for exposed resources in March 2024.

They located an archive named Ermac 3.0.zip, which contained the malware’s code, including backend, frontend (panel), exfiltration server, deployment configurations, and the trojan’s builder and obfuscator.

The researchers analyzed the code and found that it significantly expands the targeting capabilities of previous versions, now covering more than 700 banking, shopping, and cryptocurrency apps.

ERMAC was first documented in September 2021 by ThreatFabric, a provider of online payment fraud solutions and intelligence for the financial services sector, as an evolution of the Cerberus banking trojan operated by a threat actor known as ‘BlackRock.’

ERMAC v2.0 was spotted by ESET in May 2022, rented to cybercriminals for a monthly fee of $5,000, and targeting 467 apps, up from 378 in the previous version.

In January 2023, ThreatFabric observed BlackRock promoting a new Android malware tool named Hook, which appeared to be an evolution of ERMAC.

ERMAC v3.0 capabilities

Hunt.io found and analyzed ERMAC’s PHP command-and-control (C2) backend, React front-end panel, Go-based exfiltration server, Kotlin backdoor, and the builder panel for generating custom trojanized APKs.

According to the researchers, ERMAC v3.0 now targets sensitive user information in more than 700 apps.
