{
	"id": "a2e5d1d1-f77b-45f3-a968-df9a6f581d64",
	"created_at": "2026-04-06T00:15:28.846864Z",
	"updated_at": "2026-04-10T03:21:41.717254Z",
	"deleted_at": null,
	"sha1_hash": "629094af794cc70314e82ae8afcb65339ec6a30d",
	"title": "ERMAC Malware Back In Action: New Threats And Attack Methods",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2289648,
	"plain_text": "ERMAC Malware Back In Action: New Threats And Attack\r\nMethods\r\nPublished: 2022-05-25 · Archived: 2026-04-05 14:33:09 UTC\r\nRead Cyble's analysis of ERMAC 2.0, a resurfaced Android Banking Trojan that targets over 400 applications.\r\nCyble Research Labs came across a Twitter post wherein a researcher mentioned the distribution of ERMAC 2.0.\r\nERMAC is an Android Banking Trojan that was first discovered in late August 2021, when it was found targeting\r\nPoland. ERMAC 1.0 was capable of stealing the credentials of 378 applications. The Threat Actor was renting it\r\nout for $3K/month on a cybercrime forum.\r\nRecently, Cyble Research Labs observed that an upgraded version – ERMAC 2.0 – has been available on\r\nunderground forums for rent at $5K/month and targets 467 applications for stealing credentials.\r\nFigure 1 – Cyber Crime Forum selling ERMAC 2.0\r\nWorld's Best AI-Native Threat Intelligence\r\nhttps://blog.cyble.com/2022/05/25/ermac-back-in-action/\r\nPage 1 of 11\n\nWe have observed that the ERMAC 2.0 is being delivered through fake sites. For example, via the Bolt Food site –\r\n a delivery platform that provides high-quality food delivery services. The fake app impersonates the Bolt Food\r\nAndroid application and targets Polish Bolt Food users.\r\nFigure 2 – Fake Bolt Food site distributing malware\r\nApart from the fake Bolt Food site, EMRAC 2.0 spreads through fake browser update sites, as shown in Figure 3.\r\nFigure 3 – Fake browser update site (Source – MalwareHunterTeam)\r\nThe below image shows the Control Panel of ERMAC 2.0 Banking Trojan. 
In the UI, the Threat Actor (TA) has named it “ERMVC PVNEL”.\r\nFigure 4 – Control Panel\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name: Bolt Food\r\nPackage Name: com.kototomumeci.nacipiyi\r\nSHA256 Hash: 2cc727c4249235f36bbc5024d5a5cb708c0f6d3659151afc5ae5d42d55212cb5\r\nFigure 5 shows the metadata of the analyzed application.\r\nFigure 5 – App Metadata Information\r\nManifest Description\r\nThe malicious application requests 43 permissions, of which the TA exploits 12. The harmful permissions it requests are listed below:\r\nPermission  Description\r\nREQUEST_INSTALL_PACKAGES  Allows an application to request the installation of packages\r\nCALL_PHONE  Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call\r\nRECEIVE_SMS  Allows an application to receive SMS messages\r\nREAD_SMS  Allows an application to read SMS messages\r\nSEND_SMS  Allows an application to send SMS messages\r\nREAD_CONTACTS  Allows an application to read the user’s contacts data\r\nREAD_PHONE_STATE  Allows read access to the device’s phone number\r\nSYSTEM_ALERT_WINDOW  Allows an app to create windows shown on top of all other apps\r\nREAD_EXTERNAL_STORAGE  Allows an application to read from external storage\r\nRECORD_AUDIO  Allows an application to record audio\r\nWRITE_EXTERNAL_STORAGE  Allows an application to write to external storage\r\nSource Code Review\r\nApart from the Application subclass, none of the components declared in the Manifest file is present in the APK’s code. We can thus infer that the application is packed, with the remaining classes loaded at runtime. 
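One way to automate the packing inference above (an added example, not code from the Cyble report or from the ERMAC sample): parse the decoded AndroidManifest.xml, list every component it declares, and check which of those classes actually exist in the primary DEX of the APK. If only the Application subclass is present, the remaining components must be loaded at runtime from a hidden payload, which is exactly what a packed dropper looks like. The manifest and the class list below are constructed stand-ins: the package name is the one from the report, while the component names, the loader stub and the permission subset are assumptions made for this example. On a real sample the class list would come from dexdump or baksmali run against classes.dex.

```python
import xml.etree.ElementTree as ET

# Clark-notation key for the android:name attribute (the Android XML namespace).
ANDROID_NAME = '{http://schemas.android.com/apk/res/android}name'

# Permissions the report lists as abused by ERMAC 2.0 (without the
# android.permission. prefix); anything else is reported but not flagged.
ABUSED_PERMISSIONS = {
    'REQUEST_INSTALL_PACKAGES', 'CALL_PHONE', 'RECEIVE_SMS', 'READ_SMS',
    'SEND_SMS', 'READ_CONTACTS', 'READ_PHONE_STATE', 'SYSTEM_ALERT_WINDOW',
    'READ_EXTERNAL_STORAGE', 'RECORD_AUDIO', 'WRITE_EXTERNAL_STORAGE',
}

# Constructed sample: a decoded manifest as apktool or aapt2 would print it.
# Only the package name comes from the report; component names are invented.
SAMPLE_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
          package='com.kototomumeci.nacipiyi'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <uses-permission android:name='android.permission.READ_SMS'/>
  <uses-permission android:name='android.permission.SEND_SMS'/>
  <uses-permission android:name='android.permission.SYSTEM_ALERT_WINDOW'/>
  <uses-permission android:name='android.permission.REQUEST_INSTALL_PACKAGES'/>
  <application android:name='com.kototomumeci.nacipiyi.App'>
    <activity android:name='com.kototomumeci.nacipiyi.MainActivity'/>
    <service android:name='com.kototomumeci.nacipiyi.AccService'/>
    <receiver android:name='.SmsReceiver'/>
  </application>
</manifest>'''

# Constructed class list standing in for what dexdump or baksmali would report
# for the primary classes.dex of a packed sample: only the Application
# subclass and an obfuscated loader stub exist; everything else is elsewhere.
PACKED_DEX_CLASSES = {
    'com.kototomumeci.nacipiyi.App',
    'com.kototomumeci.nacipiyi.a.b',
}


def declared_components(manifest_xml):
    # Return the fully qualified class of every component the manifest
    # declares, expanding the leading-dot shorthand relative to the package.
    root = ET.fromstring(manifest_xml)
    package = root.get('package', '')
    components = []
    for tag in ('application', 'activity', 'service', 'receiver', 'provider'):
        for element in root.iter(tag):
            name = element.get(ANDROID_NAME)
            if not name:
                continue
            if name.startswith('.'):
                name = package + name
            components.append(name)
    return components


def requested_permissions(manifest_xml):
    # Short permission names (android.permission.SEND_SMS -> SEND_SMS).
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NAME).rsplit('.', 1)[-1]
            for el in root.iter('uses-permission') if el.get(ANDROID_NAME)]


def triage(manifest_xml, dex_classes):
    # Cross-check declared components against the classes present in the DEX
    # and flag the permissions the report associates with the malware.
    components = declared_components(manifest_xml)
    missing = [c for c in components if c not in dex_classes]
    permissions = requested_permissions(manifest_xml)
    abused = sorted(p for p in permissions if p in ABUSED_PERMISSIONS)
    # Packing heuristic: every component except (at most) the Application
    # subclass is absent from the DEX, so they must be loaded at runtime.
    likely_packed = bool(missing) and len(missing) >= len(components) - 1
    return {
        'components': components,
        'missing_from_dex': missing,
        'permissions': permissions,
        'abused_permissions': abused,
        'likely_packed': likely_packed,
    }


if __name__ == '__main__':
    result = triage(SAMPLE_MANIFEST, PACKED_DEX_CLASSES)
    for key, value in result.items():
        print(key, value)
```

Run as a script it prints the triage dictionary for the constructed sample; for a real APK, replace SAMPLE_MANIFEST with the manifest apktool decodes and PACKED_DEX_CLASSES with the class list from the primary DEX. A hit on likely_packed is the cue to look for the payload the report describes: a DEX hidden under a misleading extension in assets, loaded by the Application subclass before any declared component runs.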
\r\nFigure 6 – Manifest File\r\nUpon execution, the malicious application unpacks the DEX file present in the assets folder and then loads its classes. In this case, the dropped DEX file is named “pqiRsn.json” and contains all the missing classes.\r\nThe strings present in these classes are stored as base64-encoded AES-128 ciphertext.\r\nThe Secret Key and IV parameter were dumped during dynamic analysis. Both are used to decrypt the hardcoded strings in the file as well as to encrypt the data sent to the C\u0026C server, so recovering them once lets an analyst decode the strings and decrypt captured C\u0026C traffic. The below image explains the decryption process.\r\nFigure 7 – Encryption and Decryption Technique\r\nOn installation, the application prompts the user to turn on the Accessibility Service. When the victim grants this permission, the malware abuses the service to auto-enable overlay activity and auto-grant further permissions.\r\nFigure 8 – Accessibility Service\r\nAfter the Accessibility permission is granted, the malware sends a list of the applications installed on the victim’s Android device to the C\u0026C server. It then downloads and installs injection modules for the targeted applications based on this list.\r\nFigure 9 showcases the C\u0026C communication from the victim’s device, which sends the details of installed applications and receives a response containing the list of targeted applications for which to perform overlay activity. 
At the time of our analysis, the “Unocoin” wallet was the application targeted by the attacker.\r\nFigure 9 – Sending application list and receiving the response for the targeted app\r\nThe malware then receives an encrypted HTML phishing page, which is decrypted and stored in the Shared Preferences file named “setting.xml” together with the action status, as shown in the figure below.\r\nFigure 10 – Downloaded injection saved in Shared Preferences file\r\nAs soon as the victim interacts with the targeted genuine application, the injected phishing page stored in setting.xml is displayed over it and used for credential harvesting.\r\nFigure 11 shows the phishing page for “Unocoin”. The malware sends the start_inject command to the C\u0026C server before sending the credentials.\r\nFigure 11 – Loading phishing page\r\nThe harvested credentials are sent to the same C\u0026C server in encrypted form, as shown in Figure 12. 
ERMAC 2.0 uses the logs command both for its code-injection functionality and for data exfiltration.\r\nFigure 12 – Sending credentials to the C\u0026C server\r\nThe TA can then use these credentials to steal cryptocurrency from the victim’s account.\r\nThe below image shows the TA’s phishing pages, used to trick victims into entering their credentials while attempting to access genuine applications.\r\nFigure 13 – Fake injected window targeting different applications\r\nCyble Research Labs observed that the malware has the functionality to target the banking applications of several banks worldwide.\r\nThe commands used by ERMAC 2.0 to execute its malicious operations are:\r\nCommand  Description\r\ndownloadingInjections  Sends the application list to download injections\r\nlogs  Sends injection logs to the server\r\ncheckAP  Checks the application status and sends it to the server\r\nregistration  Sends device data\r\nupdateBotParams  Sends the updated bot parameters\r\ndownloadInjection  Used to receive the phishing HTML page\r\nConclusion\r\nThe Threat Actor behind ERMAC took the leaked code of the well-known “Cerberus” malware and modified it to sell Android botnets on cybercrime forums. Interestingly, we observed that ERMAC 2.0 is being distributed rapidly through various phishing sites, primarily targeting Polish users.\r\nERMAC 2.0 steals credentials from different crypto wallets and targets multiple banking applications worldwide. We foresee that the TA behind ERMAC 2.0 will continue to develop new versions with more targeted applications, new TTPs, and new delivery methods.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nHow to prevent malware infection? 
\r\nDownload and install software only from official app stores like the Google Play Store or the iOS App Store.\r\nUse a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful when enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nHow to identify whether you are infected?\r\nRegularly check the mobile/Wi-Fi data usage of applications installed on mobile devices.\r\nKeep an eye on the alerts provided by antivirus software and the Android OS, and take the necessary actions accordingly.\r\nWhat to do when you are infected?\r\nDisable Wi-Fi and mobile data and remove the SIM card, since in some cases the malware can re-enable mobile data.\r\nPerform a factory reset.\r\nIf a factory reset is not possible, remove the application.\r\nTake a backup of personal media files (excluding mobile applications) and perform a device reset.\r\nWhat to do in case of any fraudulent transaction?\r\nIn case of a fraudulent transaction, immediately report it to the concerned bank.\r\nWhat should banks do to protect their customers?\r\nBanks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic  Technique ID  Technique Name\r\nInitial Access  T1476  Deliver Malicious App via Other Means
\r\nInitial Access  T1444  Masquerade as Legitimate Application\r\nDefense Evasion  T1406  Obfuscated Files or Information\r\nCredential Access  T1412  Capture SMS Messages\r\nDiscovery  T1421  System Network Connections Discovery\r\nCommand and Control  T1571  Non-Standard Port\r\nCommand and Control  T1573  Encrypted Channel\r\nCollection  T1432  Access Contact List\r\nCollection  T1507  Network Information Discovery\r\nIndicators of Compromise (IOCs)\r\nIndicator  Indicator Type  Description\r\n2cc727c4249235f36bbc5024d5a5cb708c0f6d3659151afc5ae5d42d55212cb5  SHA256  Hash of the analyzed APK file\r\n301e2ab9707abe193bb627c60f5e4b8736c86fe9  SHA1  Hash of the analyzed APK file\r\n1e0586aef0f106031260fecb412c5cdf  MD5  Hash of the analyzed APK file\r\nhxxp://bolt-food[.]site  URL  Malware distribution site\r\nhxxp://193[.]106[.]191[.]116  URL  C\u0026C server\r\ndf298b0aba5aad2886ae720577557b3e48fba905055dcee0fd74336660bfd0a2  SHA256  Hash of the analyzed APK file\r\ne2fb7981688060fc672f844c65e89d12f3e5cafe  SHA1  Hash of the analyzed APK file\r\n1bb6da78e3c379afde1978aecfa067b8  MD5  Hash of the analyzed APK file\r\nhxxp://boltfood[.]site  URL  Malware distribution site\r\ndf298b0aba5aad2886ae720577557b3e48fba905055dcee0fd74336660bfd0a2  SHA256  Hash of the analyzed APK file\r\nfe4a7d079cc00e730412c7a6e0b177829ee58a73  SHA1  Hash of the analyzed APK file\r\n65f634ef24fd686225aa4765fc63fe2b  MD5  Hash of the analyzed APK file\r\nhxxp://apkphoto[.]co[.]nz  URL  Malware distribution site\r\nhxxp://45[.]141[.]85[.]25  URL  C\u0026C server\r\nSource: https://blog.cyble.com/2022/05/25/ermac-back-in-action/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.cyble.com/2022/05/25/ermac-back-in-action/"
	],
	"report_names": [
		"ermac-back-in-action"
	],
	"threat_actors": [],
	"ts_created_at": 1775434528,
	"ts_updated_at": 1775791301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/629094af794cc70314e82ae8afcb65339ec6a30d.pdf",
		"text": "https://archive.orkl.eu/629094af794cc70314e82ae8afcb65339ec6a30d.txt",
		"img": "https://archive.orkl.eu/629094af794cc70314e82ae8afcb65339ec6a30d.jpg"
	}
}