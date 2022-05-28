A new version of the ERMAC banking malware now targets 467 applications from financial institutions around the world, including banking apps, digital wallets and cryptocurrency services. The malware works by stealing credentials and sending them back to the criminals; its targets include institutions operating in Brazil, and it is usually disguised as a fake version of well-known software.

This was the case in one of the first large-scale campaigns detected using ERMAC 2.0, aimed at users in Poland. According to the security company ESET, the malware posed as Bolt Food, a popular food delivery app in the country, and was distributed from a fraudulent website that lured victims into downloading the malicious app. Links to that site were spread through phishing emails, social media posts and poisoned search engine ads.

Once installed, ERMAC scans the victim's device for installed apps of interest and sends that list to a command-and-control server run by the criminals. The same infrastructure sends the malware its instructions, including orders to draw fake login screens over the legitimate apps, so that the victim types their password into an interface controlled by the crooks, who can then carry out transactions behind fake loading screens.

the new #Android banker ERMAC 2.0 impersonates #Bolt Food and targets 🇵🇱 Polish users.

Available for rent on underground forums for $5K/month since March 2022, ERMAC 2.0 already has an active campaign. #ESETresearch @LukasStefanko 1/3 pic.twitter.com/hGeD4ZSwve — ESET research (@ESETresearch) May 18, 2022

This is possible because the malware abuses the Android Accessibility Service, a feature meant to make devices easier to use that is increasingly exploited by criminals for this kind of attack. Requesting only a few permissions also helps the app avoid the user's suspicion, although in other samples the malware requested more than 40 permissions, including access to the camera, gallery, microphone and the whole storage, which points to broader theft of personal data.
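One practical check that follows from the paragraphs above: a device that is overlaying fake login screens through the Accessibility Service must have an accessibility service enabled for the malicious package. The script below is an added example, not code from the article or from ESET or Cyble; it audits the value of Android's "enabled_accessibility_services" secure setting against an allowlist. On a real device the value comes from "adb shell settings get secure enabled_accessibility_services"; here a constructed sample value is embedded so the script runs offline. The allowlist contents and the package name "com.bolt.food.fake" are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article, ESET or Cyble): flag accessibility
# services enabled on an Android device that are not on an allowlist.
#
# On a real device, obtain the setting with:
#   adb shell settings get secure enabled_accessibility_services
# Android stores it as a colon-separated list of <package>/<service class>,
# or "null"/empty when no service is enabled.
#
# Complementary check for overlay abuse (not scripted here because it needs a
# device): adb shell appops get <package> SYSTEM_ALERT_WINDOW

# Allowlist of services you expect on your devices, one per line.
# Assumption for this example: only TalkBack is expected.
ALLOWED_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# audit_a11y_services SETTING_VALUE
# Prints every enabled service that is not on the allowlist, one per line.
# Returns 0 when nothing unexpected is enabled, 1 otherwise.
audit_a11y_services() {
    value=$1
    found=0
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0
    fi
    old_ifs=$IFS
    IFS=:          # split the setting on ':'
    set -f         # no pathname expansion while splitting
    for svc in $value; do
        [ -n "$svc" ] || continue
        # Exact whole-line match against the allowlist (-F fixed string, -x whole line).
        if ! printf '%s\n' "$ALLOWED_SERVICES" | grep -Fxq -- "$svc"; then
            printf '%s\n' "$svc"
            found=1
        fi
    done
    set +f
    IFS=$old_ifs
    return $found
}

# Constructed sample value (not from a real device): TalkBack plus a service
# registered by a hypothetical fake "Bolt Food" package.
SAMPLE_SETTING="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.bolt.food.fake/.AccessService"

if audit_a11y_services "$SAMPLE_SETTING"; then
    echo "no unexpected accessibility services enabled"
else
    echo "unexpected accessibility services enabled (listed above)"
fi
```

Any service the script prints deserves a closer look: confirm which package owns it and whether that package came from Google Play or was sideloaded, since an unknown sideloaded app holding accessibility access is exactly the position ERMAC needs for its overlay attack.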

New version of malware has been in action since March

According to ESET, the new version of ERMAC has been available since March this year and is sold on cybercrime forums for a subscription of US$5,000 per month, roughly R$24,000. That is a low price for the malware's destructive potential, mainly because its versatility makes it possible to launch campaigns against users on an international scale.

Cyble analysts also examined the malware and found similarities between ERMAC 2.0 and another banking trojan, Cerberus. On the other hand, security experts note that the malware may be less effective on Android 11 and later, because those versions added protections specifically designed to hinder data theft by criminals abusing the Accessibility Service.

Even so, the usual guidance applies: avoid installing apps from outside the Google Play store or official manufacturer marketplaces, and treat requests that arrive by email with suspicion, neither clicking links nor downloading files from them unless you are sure they are legitimate.

It is also worth keeping the operating system up to date since, as mentioned, devices running the latest Android versions are less exposed to this kind of attack. Having security software installed also helps block the most common threats against smartphones.

Source: ESET (Twitter), Cyble