- Researchers revealed version 3.0 of the Android banking trojan ERMAC, which targets over 700 financial and cryptocurrency apps.
- ERMAC 3.0 shows expanded data theft methods, including improved form injection and updated control panels.
- The full source code and technical makeup of ERMAC, including its backend and frontend infrastructure, were publicly exposed online.
- Security teams highlighted major security weaknesses in the malware's own infrastructure, such as hardcoded credentials and insecure admin access.
- These discoveries provide ways for defenders to detect and disrupt ERMAC 3.0’s activities.
Cybersecurity researchers have analyzed the Android banking trojan known as ERMAC 3.0, describing its inner workings and identifying serious flaws in the malware's infrastructure. The trojan targets over 700 banking, shopping, and cryptocurrency apps, using advanced tactics to steal data from victims' mobile devices.
Hunt.io reported that this new 3.0 version enhances how it targets apps and collects user information. The researchers were able to access the source code for the malware-as-a-service (MaaS) platform, including its backend built on PHP and Laravel, a React-based frontend, a Golang exfiltration server, and an Android builder tool. According to Hunt.io, “The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications.”
ERMAC was first documented by ThreatFabric in September 2021. It has been linked to an actor called DukeEugene and shares origins with other banking malware such as Cerberus and BlackRock. The investigation also found that ERMAC code was passed down and modified in other malware families, including Hook (a variant of ERMAC 2.0), Pegasus, and Loot.
The exposed infrastructure lets operators manage victim devices and access stolen information using a “backend command and control server,” while a frontend panel issues commands and views data. Additional features include a Golang exfiltration server for exporting stolen files and a builder tool to create custom malware for campaigns. The Android implant, written in Kotlin, specifically avoids devices located in countries of the Commonwealth of Independent States (CIS).
ERMAC 3.0 introduced encrypted communications, extra form injection methods, and a fully updated management panel. However, Hunt.io found major weaknesses including "a hardcoded JWT secret and a static admin bearer token, default root credentials, and open account registration on the admin panel." Because these flaws are present across the operators' own infrastructure, defenders can use them to more easily identify, track, and disrupt ERMAC 3.0 operations.
For more technical details, see Hunt.io's full report.