{
	"id": "3e332c06-b2a4-4a68-9d3c-897d293346fa",
	"created_at": "2026-04-06T00:09:33.333459Z",
	"updated_at": "2026-04-10T13:12:46.573391Z",
	"deleted_at": null,
	"sha1_hash": "797cb0ee38c30a9d3aa657e632d61e4ca79820d6",
	"title": "ERMAC 2.0: Perfecting the Art of Account Takeover",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 493040,
	"plain_text": "ERMAC 2.0: Perfecting the Art of Account Takeover\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 14:03:02 UTC\r\nAndroid device security has improved dramatically in recent years, motivated by market and competitive forces.\r\nIn part, Android security development teams have accomplished this by focusing on the tools used by malware\r\ndevelopers and mitigating their effectiveness. Malware developers, in response, have had to get creative to achieve\r\ntheir nefarious tasks.\r\nOne example is ERMAC, an Android banking trojan that surfaced in August 2021. Based on the Cerberus banking\r\ntrojan, ERMAC abuses a built-in feature in the Android Accessibility Suite intended for users with disabilities.\r\nThe feature enables actors to accomplish tasks on Android devices that they otherwise could not do. Specifically,\r\nERMAC uses the Accessibility Suite to determine when certain apps are launched and then overwrites the screen\r\ndisplay to steal the user’s credentials. Users are usually infected with ERMAC through fake browser update sites.\r\nOverlay Attacks\r\nCommonly known as an \"Overlay\" or \"Web Injection\" attack, ERMAC targets over 400 banking, financial and\r\necommerce mobile applications – including Amazon, PayPal, and Microsoft - to hijack credentials. Injections are\r\namongst the oldest and most dangerous attacks aimed at applications. In this case, HTML code is injected,\r\nresulting in overwritten apps that fool users.\r\nFigure 1: Examples of the phishing pages that ERMAC overlays on top of legitimate applications.\r\nUsers of those apps think they have opened a legitimate app but are presented with illegitimate content from the\r\nmalware. When users enter their credentials, the ERMAC trojan captures them. 
From the end-user perspective, it\r\nis hard to discern whether anything is different or wrong.\r\nUsers must explicitly grant ERMAC access to the Accessibility Suite to perform the overlay attack. ERMAC\r\ntypically attempts this by asking users to grant access via a pop-up. If access is granted, users unknowingly give\r\nthis set of privileges to the malware.\r\nhttps://intel471.com/blog/rmac-2-0-perfecting-the-art-of-account-takeover\r\nPage 1 of 4\n\nFigure 2: ERMAC generates a window, prompting the user to grant Accessibility privileges.\r\nOnce active, the malware performs actions such as knowing which apps are being launched and redrawing the\r\nscreen while another app is in focus. Further, it gathers and forwards a list of all installed apps to the command-and-control server. In response, the server sends back injection content for other applications.\r\nSubverting Multi-factor Authentication\r\nAccording to Duo Labs (Cisco/Duo Security) State of the Auth report, multi-factor authentication (MFA) has\r\ngained significant adoption, with 79% of respondents using it in 2021. And most end users do feel they have\r\nstrong protection against credential theft and account takeover when using MFA for their online and mobile\r\ntransactions. After all, if your credentials are stolen but MFA is enabled, your data and apps are still safe, right?\r\nWrong! What makes ERMAC so formidable is its ability to get around authentication methods, thus\r\ncircumventing MFA. An ERMAC feature known as Google Authentication Grabber essentially turns ERMAC into\r\nan account takeover tool as it steals Google Authentication tokens. ERMAC can also steal authentication tokens\r\nsent via SMS. 
So, even if you are doing all the right things – strong passwords and MFA – you are still subject to\r\naccount takeover.\r\nFigure 3: Screenshot of ERMAC control panel, showing commands available to the operator.\r\nThe Bigger Picture\r\nIt is easy to become complacent and categorize any malware as a one-off. But a detailed analysis reveals that a\r\nhighly sophisticated e-crime ecosystem supports ERMAC, its developers and users.\r\nAs reported by researchers, the mastermind group promoting the ERMAC malware is DukeEugene, aka Duke\r\nEugene or Eugene. They rent the malware, as a service (MaaS), on underground forums for $5,000 per month,\r\nfacilitate client communications and provide access to the malware control panel. DukeEugene has history and\r\nexpertise in this area, claiming to be the 2020 author of the BlackRock Android banking trojan. That trojan also\r\nused the MaaS model.\r\nThe online forums serving as a marketplace for selling ERMAC and other MaaS offerings are hosted by\r\n\"bulletproof hosting (BPH) services,\" which provide infrastructure and hosting services to criminal actors. These\r\nBPHs offer the basic building blocks for illicit command and control servers and services. BPH providers\r\nadvertise specific services but often provide support beyond what they tout on the underground forums.\r\nOne of the world’s “top tier” bulletproof hosting providers, actor Yalishanda is associated with ERMAC. Intel\r\n471’s research revealed that some bot configurations, designed for ERMAC to connect to command and control\r\nservers, lead to Yalishanda's bulletproof hosting infrastructure. Yalishanda has been active for years, reportedly\r\nmoving between China and Russia. 
His methods and longevity underscore that this high level of e-crime\r\nsophistication is not going away.\r\nERMAC will likely continue to undergo feature enhancements just like any other app. But it is essential to realize\r\nthis is not just another clever, creative piece of malware; it is malware supported by a sophisticated criminal group\r\nwith expertise, longevity and infrastructure. Android users who rely on banking, financial and ecommerce apps\r\nmust thus remain vigilant and aware of this persistent threat.\r\nSource: https://intel471.com/blog/rmac-2-0-perfecting-the-art-of-account-takeover",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://intel471.com/blog/rmac-2-0-perfecting-the-art-of-account-takeover"
	],
	"report_names": [
		"rmac-2-0-perfecting-the-art-of-account-takeover"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434173,
	"ts_updated_at": 1775826766,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/797cb0ee38c30a9d3aa657e632d61e4ca79820d6.pdf",
		"text": "https://archive.orkl.eu/797cb0ee38c30a9d3aa657e632d61e4ca79820d6.txt",
		"img": "https://archive.orkl.eu/797cb0ee38c30a9d3aa657e632d61e4ca79820d6.jpg"
	}
}