Hook: a new Ermac fork with RAT capabilities Published: 2024-10-01 · Archived: 2026-04-05 14:35:15 UTC Introduction The joint police operation that brought down the Cabassous network infrastructure in May 2022, together with the slow but steady disappearance of Anatsa from the threat landscape, left an open space in the Android banking malware market. This space was filled initially by Hydra, and in minor part by the latest variants of ExobotCompact (also known as Octo). These two malware families stood out from the rest due to their advanced features, specifically the ability to perform Device Take-Over (DTO), by being able to remotely view and interact with the screen of the infected device. In terms of volume, ThreatFabric observed only one other family which was comparable to these two: Ermac. Discovered in September 2021 by our researchers, this malware family is a spawn from the infamous Android Banker Cerberus. Among the three, Hydra is by far the most spread, and has been the Android banker of choice for threat actors ever since the takedown of Cabassous in May 2022. However, the other two malware families have kept their numbers quite high, with ExobotCompact/Octo being slightly lower due to its distribution mechanism of choice, dropper applications on Google Play Store, which usually creates less builds, but produce more infections per malicious sample. Ermac has been publicly rented by its actor DukeEugene for roughly one year and a half, with multiple actors being associated with the operations we had been observing. In March 2022, the actors behind this malware family tried to sell the botnet code on different hacking forums: from this point onwards, we started observing a rise in quantity of samples from Ermac, together with the appearance of different names and actors rebranding the bot and trying to rent it. In this sphere of Ermac forks, ThreatFabric identified botnets such as MetaDroid and OWL, created from the Ermac source code and presenting minor differences. In the case of MetaDroid for example, the author removed the Locale check which was in place to ensure that the bot would not operate on devices from CIS countries. https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 1 of 35 In both cases, we did not observe any major difference in implementation or operations from the original Ermac samples to warrant the creation of a new malware variant. Recently however, we encountered a new fork, which spiked our interest. This new malware variant, clearly based on Ermac, introduced the capability to manipulate files on the devices file system, as well as create a remote session able to interact with the System’s UI. Based on the malware’s panel, we named this malware variant Hook. Initially, while performing our analysis and investigations, this malware looked like another fork of the original Ermac, once again spawned from the sale of the original source code. However, on the 12th of January, the original actor of Ermac, DukeEugene, published a post advertising a brand new banking malware, called “Hook”. https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 2 of 35 From this thread, we can confidently say that Hook is the latest development of Ermac, and is developed and managed by its original author, DukeEugene. A malware created “from scratch” The malware is advertised as “written from scratch”. This is debatable, as the majority of the code base remains the one from Ermac, including some commands in Russian expressing an unnecessary angst towards the world, which in our opinion would have not made the cut if a proper revision of the code had taken place. It is true that this malware variant introduces quite a lot of modifications compared to its predecessor, but it is fairly obvious that this is just an update and improvement of the previous versions of Ermac. It is likely that the criminals, taking an https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 3 of 35 approach which is is very effective in marketing strategies, decided to start a new brand with their latest product, instead of maintaining th existing one, which was associated mostly with operations regarding cryptowallets and Personal Identifiable Information (PII) exfiltration. In the following section we will cover the improvements added in Hook. If you want to find out the main features of Ermac, please refer to our previous blog about this family. WebSocket communication Hook uses the same encryption mechanisms used by Ermac in its communication with the C2 Server. The data is encrypted using AES-256-CBC with an hardcoded key, and then encoded in Base64. One modification that was done with this new malware variant, was the introduction of WebSocket communication in addition to the HTTP traffic used in the previous Ermac variants. The implementation relies on Socket.IO, which is an implementation over HTTP and WebSocket which enables real-time, bi-directional communication between web clients and servers. After the malware is installed and successfully setup, the bot tries to contact its C2 server using normal HTTP traffic. The request triggers a response from the C2 in the following form { "sid": "", "upgrades": ["websocket"], "pingInterval": 20000, "pingTimeout": 60000 } This response triggers an upgrade to WebSocket traffic, which is how the bot communicates with its C2. If the value of “upgrades” is instead “polling”, the communication will be over HTTP. Over this channel, the bot registers with its server, sends the list of applications installed on the device and downloads the list of targets. https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 4 of 35 The communication protocol remains the same as it was in previous versions, with periodic requests for commands sent by the bot and updates on the latest logs collected from the malware. The server uses this channel to issue commands, still encrypted and encoded, in the form: 42["commands", ""] Where 42 is a constant value based on Socket.IO protocol, with 4 being Engine.IO “message” packet type, and 2 being Socket.IO “message” packet type. Addition of RAT capabilties The most important addition in terms of capabilities comes in the form of what criminals call VNC. Virtual Network Computing (VNC) is a specific implementation of a screen sharing application that provides remote control over the device. However, threat actors have started using this term to indicate any sort of Remote Access Tool (RAT) feature. In the case of Hook, this is implemented using the Accessibility Services to interact with the different UI elements required to perform a wide array of operations. https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 5 of 35 With this feature, Hook joins the ranks of malware families that are able to perform full DTO, and complete a full fraud chain, from PII exfiltration to transaction, with all the intermediate steps, without the need of additional channels. This kind of operation is much harder to detect by fraud scoring engines, and is the main selling point for Android bankers. The malware is capable of performing a wide array of operations on the device, from simulating clicks, to filling text boxes, and performing gestures. Here is reported the list of new commands related to the RAT features (in the Appendix you can find the full list, including the commands inherited from the previous versions of Ermac): Command Description start_vnc/stop_vnc start/stop RAT swipeup/swipedown/swipeleft/swiperight/swipe perform a specific swipe gesture takescreenshot takes a screenshot clickatcontaintext simulates click at specific text item onkeyevent simulates a key press (HOME/BACK/RECENTS/LOCK/POWERDIALOG) unlock unlocks device scrollup/scrolldown scrolls up/down longpress simulates a long press event clickat simulates click at a specific coordinate cuttext set clipboard value to a a UI element with specific coordinates value clickattext simulates click at a UI element with specific text value settext sets a UI element value to a specific text https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 6 of 35 File manager When the Server issues the “fmmanager” command, together with a specific parameter, the bot turns into a file manager for the actor, similarly in behavior to what we have previously observed in spyware. Based on the parameter received, the malware either sends back to the server the full list of the files available on the device, or downloads a specific file from the file system: Parameter Description ls Obtains the list of files on the device dl Downloads a specific file To do so, the malware does not need to perform any specific shell command, but simply uses the available APIs from the Android Operating system, thanks to the permissions that the malware is able to grant itself on startup via Accessibility Services. Another similar command is “getimages”, which allows the bot to view all the images on the device. With this command, the actor can identify if an image is of interest, and then use the “downloadimage” command to download it from the Bot Panel. Other modifications and improvements Finally, the authors added some additional commands to expand or improve the functionalities already existing in the previous versions of Ermac. It is worth noting that the second variant of Ermac, which surfaced in 2021, added the capability to extract seed phrases from wallets for cryptocurrencies using attacks similar to ATS (Automated Transfer System). These attacks interact with the UI, navigating the different application screens and logging the seed phrases, which are secret series of words used to retrieve the account’s credentials in case they are lost or forgotten. In this new variant, the author added one more wallet to the list (in bold the latest additions): Command Package Name - App Name bitcoincom com.bitcoin.mwallet - Bitcoin Wallet trust com.wallet.crypto.trustapp - Trust: Crypto & Bitcoin Wallet mycelium com.mycelium.wallet - Mycelium Bitcoin Wallet piuk piuk.blockchain.android - Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum samourai com.samourai.wallet - Samourai Wallet toshi org.toshi - Coinbase Wallet: Crypto Wallet & DApp Browser metamask io.metamask - MetaMask: Buy, Send and Swap Crypto safepal io.safepal.wallet - SafePal: Crypto wallet BTC NFTs Blurring the line In our previous article we discussed SpyNote and its latest developments, bringing it closer to banking malware. On the opposite side of the spectrum lies Hook, which now is crossing the line that separates spyware and banking malware in the other direction. https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 7 of 35 One last interesting addition is the “openwhatsapp” command, used to open the social messaging application WhatsApp, and allows the malware to log and even send messages via this application. Utilizing the same Accessibility Services techniques used to interact with cryptocurrency wallets, Hook, upon receiving the “openwhatsapp” command, starts the social messaging application WhatsApp. From here the malware can proceed to extract via logging all the messages present, but also send a brand new message. This technique could be used by actors to spread the malware to other victims, via a channel that is regarded as less threatening by users. In addition to this capability, this new Ermac variant also adds geolocation tracking, allowing criminals to receive the coordinates of the victim whenever needed. if (Utils.checkPermission(this.ctx, "android.permission.ACCESS_FINE_LOCATION") != 0 && Utils.checkPermission(this.ctx, "a this.b(); return; } Object object0 = this.ctx.getSystemService("location"); if (object0 != null) { LocationManager locationManager0 = (LocationManager) object0; String s = locationManager0.getBestProvider(new Criteria(), false); NonNullUtils.c(s); Location location0 = locationManager0.getLastKnownLocation("passive"); this.sendLocation(location0);... } These new features move this malware family in a sphere where the difference between spyware and banking malware is always more blurred and less evident. Targets As for previous versions of Ermac, the target list is very extensive, and includes institutions from all over the world. The actor promises more than hundreds of targets to his buyers, which are made up for the large majority by the targets also present in previous versions of Ermac. However, this new version also adds dozens of new targets, including both financial applications as well as social apps. New targets also include bans from south America, Asia, Africa, and the Middle East. Here you can see a recap of the areas mostly targeted by Hook: https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 8 of 35 Here we reported the top 10 countries ranked by number of targeted institutions. However, it is worth noting that the list is very extensive, and multiple other countries have just slightly lower numbers, as it can be seen in the full target list in the Appendix of this article. Conclusions The new developments around Hook, the latest variant of the Ermac family, point towards a clear direction. Hook now joins the very dangerous ranks of malware which is able to perform a full attack chain from infection to fraudulent transaction. In addition, it includes new capabilities typical of spyware, which allow criminals to track and spy on the device, gaining full visibility not only on the banking details of the victim, but also messaging, geolocation, and control over files present on the phone. As discussed, Ermac has been one of the most distributed malware families of 2022, and with the introduction of its latest development, Hook, ThreatFabric expects it to make the final quality leap, joining Hydra and ExobotCompact/Octo in the podium of Android Bankers available for rent. Financial organizations are welcome to contact us: if you suspect some app be involved in malicious activity, feel free to reach our Mobile Threat Intelligence team which will provide additional details and help with reporting the malicious app if identified: mti@threatfabric.com. Fraud Risk Suite ThreatFabric’s Fraud Risk Suite enables safe & frictionless online customer journeys by integrating industry-leading mobile threat intel, behavioral analytics, advanced device fingerprinting and over 10.000 adaptive fraud indicators. This will give you and your customers peace of mind in an age of ever-changing fraud. Appendix Hook Samples https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 9 of 35 App name Package name SHA-256 Google Chrome com.lojibiwawajinu.guna c5996e7a701f1154b48f962d01d457f9b7e95d9c3dd9bbd6a8e083865d563622 Google Chrome com.damariwonomiwi.docebi 55533397f32e960bdc78d74f76c3b62b57f881c4554dff01e7f9e077653f47b2 Google Chrome com.damariwonomiwi.docebi 768b561d0a9fa3c6078b3199b1ef42272cac6a47ba01999c1f67c9b548a0bc15 GoogleChrome com.yecomevusaso.pisifo 8d1aabfb6329bf6c03c97f86c690e95723748be9d03ec2ed117376dd9e13faf0 Hook Full command list Command (in bold if introduced in Hook) Description push Shows a push notification (clicking on the notification will result in launching specified app) startAuthenticator2 Launches the Google Authenticator application startAdmin Triggers request for admin privileges startApp Starts the specified application getInstallApps Gets the list of applications installed on the device getContacts Gets the contact names and phone numbers from the address book of the infected device deleteApplication Triggers the removal of the specified application forwardCall Enables call forwarding to the specified number sendSms Sends a text message with specified text from the infected device to the specified phone number SendSMSALL Sends text messages with specified text from the infected device to all contacts of the infected device startInject Triggers the overlay attack against the specified application startUssd Executes the specified USSD code openUrl Opens the specified URL in the WebView getSMS Gets all text messages from the infected device killMe Triggers the kill switch for the bot updateModule Updates the payload module updateInjectAndListApps Triggers update of the target list clearCash/clearCashe Triggers opening specified application details https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 10 of 35 Command (in bold if introduced in Hook) Description getAccounts/logAccounts Triggers stealing a list of the accounts on the device bitcoincom com.bitcoin.mwallet - Bitcoin Wallet trust com.wallet.crypto.trustapp - Trust: Crypto & Bitcoin Wallet mycelium com.mycelium.wallet - Mycelium Bitcoin Wallet piuk piuk.blockchain.android - Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum samourai com.samourai.wallet - Samourai Wallet toshi org.toshi - Coinbase Wallet: Crypto Wallet & DApp Browser metamask io.metamask - MetaMask: Buy, Send and Swap Crypto start_vnc/stop_vnc Start/stop RAT getlocation Obtains geolocation addwaitview/removewaitview Adds/removes a view used to cover malicious operations addview/removeview Adds/removes a view getimages Obtains list of all images downloadimage Downloads an image makecall Makes a call calling Makes a call addcontact Adds a contact fmmanager Operates as file manager swipeup/swipedown/swipeleft/swiperight/swipe Perform a specific swipe gesture takescreenshot Takes a screenshot clickatcontaintext Simulates click at specific text item onkeyevent Simulates a key press (HOME/BACK/RECENTS/LOCK/POWERDIALOG) unlock Unlocks device scrollup/scrolldown Scrolls up/down longpress Simulates a long press event clickat Simulates click at a specific coordinate cuttext Set clipboard value to a a UI element with specific coordinates value https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 11 of 35 Command (in bold if introduced in Hook) Description clickattext Simulates click at a UI element with specific text value settext Sets a UI element value to a specific text safepal io.safepal.wallet - SafePal: Crypto wallet BTC NFTs Hook C2s Host 5.42.199[.]22 193.233.196[.]2 Hook Crypto-Wallet targets Package Name App Name com.bitcoin.mwallet Bitcoin Wallet com.wallet.crypto.trustapp Trust: Crypto & Bitcoin Wallet com.mycelium.wallet Mycelium Bitcoin Wallet piuk.blockchain.android Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum com.samourai.wallet Samourai Wallet org.toshi Coinbase Wallet — Crypto Wallet & DApp Browser io.safepal.wallet SafePal - Crypto wallet BTC NFTs io.metamask MetaMask - Buy, Send and Swap Crypto Hook Banking Targets Package Name App Name com.connectivityapps.hotmail Connect for Hotmail & Outlook: Mail and Calendar com.Plus500 Plus500: CFD Online Trading on Forex and Stocks com.eofinance EO.Finance: Buy and Sell Bitcoin. Crypto Wallet ar.com.santander.rio.mbanking Santander Argentina ar.com.redlink.custom Banca Móvil Ciudad org.microemu.android.model.common.VTUserApplicationLINKMB Link Celular https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 12 of 35 Package Name App Name ar.bapro BIP Mobile coop.bancocredicoop.bancamobile Credicoop Móvil ar.macro Macro com.mercadopago.wallet Mercado Pago com.tarjetanaranja.emisor.serviciosClientes.appTitulares Naranja au.com.ingdirect.android ING Australia Banking au.com.macquarie.authenticator Macquarie Authenticator au.com.macquarie.banking Macquarie Mobile Banking au.com.mebank.banking ME Bank au.com.nab.mobile NAB Mobile Banking au.com.newcastlepermanent NPBS Mobile Banking au.com.pnbank.android P&N BANKING APP au.com.rams.RAMS myRAMS au.com.suncorp.marketplace Suncorp App au.com.suncorp.rsa.suncorpsecured Suncorp Secured au.com.suncorp.SuncorpBank Suncorp Bank au.com.ubank.internetbanking UBank Mobile Banking com.bendigobank.mobile Bendigo Bank com.fusion.ATMLocator People’s Choice Credit Union com.fusion.banking Bank Australia app com.fusion.beyondbank Beyond Bank Australia com.bankofqueensland.boq BOQ Mobile org.bom.bank Bank of Melbourne Mobile Banking org.stgeorge.bank St.George Mobile Banking org.westpac.bank Westpac Mobile Banking org.westpac.col Westpac Corporate Mobile com.BOQSecure BOQ Secure com.commbank.netbank CommBank au.com.amp.myportfolio.android My AMP https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 13 of 35 Package Name App Name au.com.bankwest.mobile Bankwest au.com.commbank.commbiz.prod CommBiz au.com.cua.mb CUA Mobile Banking au.com.hsbc.hsbcaustralia HSBC Australia com.greater.Greater Greater Bank com.appfactory.tmb Teachers Mutual Bank com.anz.android.gomoney ANZ Australia org.banking.bom.businessconnect Bank of Melbourne Business App org.banking.bsa.businessconnect BankSA Business App org.banking.stg.businessconnect St.George Business App org.banksa.bank BankSA Mobile Banking com.google.android.apps.walletnfcrel Google Pay: Pay with your phone and send cash com.easybank.easybank easybank App com.bawagpsk.bawagpsk BAWAG PSK klar – Mobile Banking App at.rsg.pfp Mein ELBA-App at.ing.diba.client.onlinebanking ING Banking Austria at.volksbank.volksbankmobile Volksbank hausbanking at.erstebank.george George Österreich com.bankaustria.android.olb Bank Austria MobileBanking com.isis_papyrus.raiffeisen_pay_eyewdg Raiffeisen ELBA com.isis_papyrus.hypo_pay_eyewdg HYPO Mein ELBA-App com.electroneum.mobile Electroneum com.scotiabank.banking Scotiabank Mobile Banking be.argenta.bankieren Argenta Banking com.bnpp.easybanking Easy Banking App be.axa.mobilebanking Mobile Banking Service be.belfius.directmobile.android Belfius Mobile com.kbc.mobile.android.phone.kbc KBC Mobile com.imo.android.imoimbeta imo beta free calls and text https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 14 of 35 Package Name App Name com.fortuneo.android Fortuneo, mes comptes banque & bourse en ligne com.wrx.wazirx WazirX - Buy Sell Bitcoin & Other Cryptocurrencies com.airbnb.android Airbnb com.whatsapp WhatsApp Messenger com.bradesco Bradesco com.itau Banco Itaú: Gerencie sua conta pelo celular com.itau.empresas Itaú Empresas: Controle e Gestão do seu Negócio br.com.intermedium Inter: conta digital completa br.com.original.bank Banco Original br.com.uol.ps.myaccount PagBank: Banco, Conta digital, Cartão, Pix, CDB exodusmovement.exodus Exodus: Crypto Bitcoin Wallet com.enjin.mobile.wallet Enjin: Bitcoin, Ethereum, Blockchain Crypto Wallet io.metamask MetaMask - Buy, Send and Swap Crypto id.co.bitcoin Indodax com.snapchat.android Snapchat com.anabatic.canadia Canadia Mobile Banking com.desjardins.mobile Desjardins mobile services com.pcfinancial.mobile Simplii Financial com.vancity.mobileapp Vancity com.meridian.android Meridian Mobile Banking com.rbc.mobile.android RBC Mobile ca.tangerine.clients.banking.app Tangerine Mobile Banking ca.servus.mbanking Servus Mobile Banking ca.pcfinancial.bank PC Financial Mobile ca.motusbank.mapp motusbank mobile banking com.td TD Canada https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 15 of 35 Package Name App Name com.atb.ATBMobile ATB Personal - Mobile Banking com.atb.businessmobile ATB Business - Mobile Banking ca.manulife.MobileGBRS Manulife Mobile ca.hsbc.hsbccanada HSBC Canada ca.bnc.android National Bank of Canada ca.affinitycu.mobile Affinity Mobile com.cibc.android.mobi CIBC Mobile Banking® com.bmo.mobile BMO Mobile Banking com.shaketh Shakepay: Buy Bitcoin Canada com.coastcapitalsavings.dcu Coast Capital Savings com.squareup.cash Cash App com.bmoharris.digital BMO Digital Banking pro.huobi Huobi Global com.google.android.gm Gmail cl.bancochile.mbanking Mi Banco de Chile cl.android Banco Falabella - CMR com.tencent.mm WeChat com.okinc.okcoin.intl Okcoin - Buy & Trade Bitcoin, Ethereum, & Crypto com.moneybookers.skrillpayments.neteller NETELLER - fast, secure and global money transfers com.mtel.androidbea BEA 東亞銀行 com.ocbc.mobile OCBC SG Mobile Banking com.polehin.android Bitcoin Wallet - Buy BTC cc.bitbank.bitbank bitbank - Bitcoin & Ripple Wallet com.grupoavalav1.bancamovil AV Villas App com.grupoavaloc1.bancamovil Banco de Occidente Móvil com.todo1.davivienda.mobileapp Davivienda Móvil co.com.bbva.mb BBVA Colombia com.bancodebogota.bancamovil Banco de Bogotá https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 16 of 35 Package Name App Name eu.netinfo.colpatria.system Scotiabank Colpatria com.todo1.mobile Bancolombia App Personas com.tinder Tinder com.aadhk.woinvoice Invoice Maker: Estimate & Invoice App org.telegram.messenger Telegram gr.winbank.mobile.cyprus AstroBank Mobile Banking eu.inmite.prj.kb.mobilbank Mobilni Banka cz.csob.smartbanking ČSOB Smartbanking dk.nordea.mobilebank Nordea Mobile - Denmark com.danskebank.mobilebank3.dk NY mobilbank DK - Danske Bank com.imo.android.imoimhd imo HD-Free Video Calls and Chats com.azimo.sendmoney Azimo Money Transfer com.baninter Banca Móvil com.twitter.android.lite Twitter Lite fr.oney.mobile.mescomptes Oney France net.bnpparibas.mescomptes Mes Comptes BNP Paribas com.arkea.android.application.cmb Crédit Mutuel de Bretagne com.arkea.android.application.cmso2 CMSO ma banque : solde, virement & épargne com.axabanque.fr AXA Banque France mobi.societegenerale.mobile.lappli L’Appli Société Générale com.beobank_prod.bad Beobank Mobile com.boursorama.android.clients Boursorama Banque com.caisseepargne.android.mobilebanking Banque com.caisse.epargne.android.tablette Banque pour tablettes Android com.cic_prod.bad CIC com.cm_prod.bad Crédit Mutuel com.fullsix.android.labanquepostale.accountaccess La Banque Postale com.gemini.android.app Gemini: Buy Bitcoin Instantly fr.lcl.android.entreprise Pro & Entreprises LCL https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 17 of 35 Package Name App Name fr.lcl.android.customerarea Mes Comptes - LCL fr.laposte.lapostemobile La Poste - Services Postaux fr.hsbc.hsbcfrance HSBC France fr.creditagricole.androidapp Ma Banque fr.bred.fr BRED fr.bnpp.digitalbanking Hello bank! par BNP Paribas fr.banquepopulaire.cyberplus Banque Populaire com.IngDirectAndroid ING France com.mootwin.natixis My Savings com.ocito.cdn.activity.banquelaydernier Banque Laydernier - Mobile com.ocito.cdn.activity.creditdunord Crédit du Nord pour Mobile ge.mobility.basisbank BasisBank com.vtb.mobilebank VTB Mobile Georgia ge.bog.mobilebank BOG mBank - Mobile Banking ge.lb.mobilebank Liberty com.icomvision.bsc.tbc TBC Bank com.targo_prod.bad TARGOBANK Mobile Banking de.sdvrz.ihb.mobile.secureapp.sparda.produktion SpardaSecureApp de.traktorpool tractorpool de.comdirect.android comdirect mobile App de.fiducia.smartphone.android.banking.vr VR Banking Classic com.starfinanz.smob.android.sfinanzstatus Sparkasse Ihre mobile Filiale de.dkb.portalapp DKB-Banking de.postbank.finanzassistent Postbank Finanzassistent de.santander.presentation Santander Banking de.consorsbank Consorsbank de.number26.android N26 — The Mobile Bank de.mobile.android.app mobile.de – Germany‘s largest car market de.commerzbanking.mobil Commerzbank Banking - The app at your side https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 18 of 35 Package Name App Name com.db.mm.norisbank norisbank App de.ingdiba.bankingapp ING Banking to go eu.unicreditgroup.hvbapptan HVB Mobile Banking de.comdirect.app comdirect de.sdvrz.ihb.mobile.app SpardaApp com.db.pwcc.dbmobile Deutsche Bank Mobile de.adesso_mobile.secureapp.netbank SecureApp netbank com.mobileloft.alpha.droid myAlpha Mobile eu.afse.omnia.attica Attica Mobile mbanking.NBG NBG Mobile Banking gr.winbank.mobilenext Winbank Mobile com.paypal.android.p2pmobile PayPal Mobile Cash: Send and Request Money Fast gt.com.bi.bienlinea Bi en Línea global.bithumb.android BitGlobal (formerly Bithumb Global) com.tronlinkpro.wallet TronLink Pro - The Best TRON Wallet com.bochk.com BOCHK hu.otpbank.mobile OTP Bank HU pegasus.project.ebh.mobile.android.bundle.mobilebank George Magyarország hu.khb K&H mobilbank hu.cardinal.erste.mobilapp Erste Business MobilBank hu.cardinal.cib.mobilapp CIB Business Online hu.bb.mobilapp Budapest Bank Mobil App hr.asseco.android.jimba.mUCI.hu UniCredit Mobile Application hr.asseco.android.intesa.isbd.cib CIB Bank com.aff.otpdirekt OTP SmartBank hu.mkb.mobilapp MKB Mobilalkalmazás com.tideplatform.banking Tide - Smart Mobile Banking lt.spectrofinance.spectrocoin.android.wallet Bitcoin Wallet by SpectroCoin https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 19 of 35 Package Name App Name com.sbi.lotusintouch YONO SBI: The Mobile Banking and Lifestyle App! com.fss.indus IndusMobile com.Version1 PNB ONE com.atomyes YES BANK com.axis.mobile Axis Mobile- Fund Transfer,UPI,Recharge & Payment com.msf.kbank.mobile Kotak - 811 & Mobile Banking com.sbi.SBIFreedomPlus Yono Lite SBI - Mobile Banking com.oxigen.oxigenwallet Bill Payment & Recharge,Wallet com.dhanlaxmi.dhansmart.mtc Dhanlaxmi Bank Mobile Banking com.mobikwik_new BHIM UPI, Money Transfer, Recharge & Bill Payment com.dbs.in.digitalbank digibank by DBS India com.infrasofttech.CentralBank Cent Mobile com.unocoin.unocoinwallet Unocoin Wallet com.snapwork.hdfc HDFC Bank MobileBanking com.snapwork.IDBI IDBI Bank GO Mobile+ com.infrasoft.uboi U-Mobile - Union Bank of India com.infrasofttech.MahaBank Maha Mobile com.sbi.SBAnywhereCorporate SBI Anywhere Corporate src.com.bni BNI Mobile Banking com.bca BCA mobile ovo.id OVO id.dana DANA Indonesia Digital Wallet piuk.blockchain.android Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum com.payeer PAYEER com.nearform.ptsb permanent tsb com.bitcoin.mwallet Bitcoin Wallet com.coinbase.android Coinbase – Buy & Sell Bitcoin. Crypto Wallet https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 20 of 35 Package Name App Name com.plunien.poloniex Poloniex Crypto Exchange מזרחי טפחות - ניהול חשבון nh.MizrahiTefahot.com בנק הפועלים - ניהול החשבון hapoalim.ideomobile.com il.co.yellow.app מבצעים והטבות עם הארנק הדיגיטלי של – yellow !פז com.leumi.leumiwallet לאומי בנק יהב - ניהול חשבון mobbanking.yahav.co.il com.bnhp.payments.paymentsapp bit ביט com.ideomobile.discount Discount Bank com.sella.BancaSella Banca Sella com.unicredit Mobile Banking UniCredit com.CredemMobile Credem com.db.pbc.miabanca La Mia Banca it.ingdirect.app ING Italia it.nogood.container UBI Banca it.phoenixspa.inbank Inbank it.popso.SCRIGNOapp SCRIGNOapp posteitaliane.posteapp.appbpol BancoPosta it.relaxbanking RelaxBanking Mobile posteitaliane.posteapp.apppostepay Postepay com.latuabancaperandroid Intesa Sanpaolo Mobile com.lynxspa.bancopopolare YouApp com.mediolanum.android.fullbanca Mediolanum com.vipera.chebanca CheBanca! it.hype.app Hype it.creval.bancaperta Bancaperta it.copergmps.rt.pf.android.sp.bmps Banca MPS it.carige Carige Mobile it.caitalia.apphub Crédit Agricole Italia https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 21 of 35 Package Name App Name it.bnl.apps.banking BNL it.bcc.iccrea.mycartabcc myCartaBCC it.icbpi.mobile Nexi Pay co.edgesecure.app Edge - Bitcoin, Ethereum, Monero, Ripple Wallet jp.coincheck.android Bitcoin Wallet Coincheck jp.co.smbc.direct 三井住友銀行アプリ jp.co.rakuten_bank.rakutenbank 楽天銀行 -個人のお客様向けアプリ com.gmowallet.mobilewallet ビットコイン・暗号資産(仮想通貨)ウォ レットアプリ GMOコイン|チャート・購 入・レバレッジ取引 jp.co.netbk 住信SBIネット銀行 jp.co.aeonbank.android.passbook イオン銀行通帳アプリ かんたんログイン& 残高・明細の確認 com.quoine.quoinex.light Liquid by Quoineライト版(リキッドバイコ イン) -ビットコインなどの仮想通貨取引 所 com.barclays.ke.mobile.android.ui Barclays Kenya eu.eleader.mobilebanking.nbk NBK Mobile Banking com.cbk.mobilebanking CBK Mobile eu.eleader.mobilebanking.abk ABK Mobile Banking com.a2a.android.burgan Burgan Bank eu.eleader.mobilebanking.kib KIB Mobile com.netflix.mediaclient Netflix pt.bigonline.BiGMobile Banco BiG Portugal com.twitter.android Twitter io.ethos.universalwallet Ethos Universal Wallet com.konylabs.HongLeongConnect Hong Leong Connect Mobile Banking com.ambank.ambankonline AmOnline com.cimbmalaysia CIMB Clicks Malaysia com.iexceed.CBS GO by Bank Islam https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 22 of 35 Package Name App Name air.app.scb.breeze.android.main.my.prod Standard Chartered Mobile (MY) my.com.maybank2u.m2umobile Maybank2u MY my.com.hsbc.hsbcmalaysia HSBC Malaysia my.com.hongleongconnect.mobileconnect HLB Connect Mobile Banking App com.alliance.AOPMobileApp allianceonline Mobile com.bsnebiz.cdb BSNeBiz Mobile- Corporate User com.citibank.CitibankMY Citibank MY com.ocbc.mobilemy OCBC Malaysia Mobile Banking com.engage.pbb.pbengage2my.release PB engage MY com.paxful.wallet Paxful Bitcoin Wallet com.bbva.GEMA BBVA Empresas México com.citibanamex.banamexmobile Citibanamex Móvil net.garagecoders.e_llavescotiainfo ScotiaMóvil com.bancomer.mbanking BBVA México (Bancomer Móvil) mx.bancosantander.supermovil Santander móvil mx.hsbc.hsbcmexico HSBC México com.mercadolibre Mercado Libre: compra fácil y rápido com.bitfinex.mobileapp Bitfinex com.ebay.mobile eBay: Buy, sell, and save money on home essentials com.moneybookers.skrillpayments Skrill - Fast, secure online payments br.com.bradesco.next Banco next: conta e cartão de crédito grátis ma.gbp.pocketbank Pocket Bank com.bitpay.wallet BitPay – Secure Bitcoin Wallet com.ing.mobile ING Bankieren com.ics.nl.icscards ICS Creditcard com.abnamro.nl.mobile.payments ABN AMRO Mobiel Bankieren nz.co.westpac Westpac One (NZ) Mobile Banking nz.co.anz.android.mobilebanking ANZ goMoney New Zealand https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 23 of 35 Package Name App Name nz.co.asb.asbmobile ASB Mobile Banking tsb.mobilebanking TSB Bank Mobile Banking nz.co.kiwibank.mobile Kiwibank Mobile Banking enterprise.com.anz.shield ANZ Shield co.zip Zip - Shop Now, Pay Later com.whatsapp.w4b WhatsApp Business com.interswitchng.www Fidelity Online Banking com.vanso.gtbankapp GTBank com.payoneer.android Payoneer – Global Payments Platform for Businesses com.google.android.youtube YouTube com.instagram.android Instagram com.binance.dev Binance - Buy & Sell Bitcoin Securely com.base.bankalfalah αlfα com.wavesplatform.wallet Waves.Exchange doge.org.freewallet.app Dogecoin Wallet. Store & Exchange DOGE coin com.lumiwallet.android Lumi Crypto and Bitcoin Wallet com.samourai.wallet Samourai Wallet net.bitbay.bitcoin Bitcoin & Crypto Exchange - BitBay com.changelly.app Changelly: Buy Bitcoin BTC & Fast Crypto Exchange com.bbva.nxt_peru BBVA Perú pe.pichincha.bm APP Banco Pichincha Perú pe.com.interbank.mobilebanking Interbank APP pe.com.scotiabank.blpm.android.client Scotiabank Perú com.bcp.bank.bcp Banca Móvil BCP com.zoluxiones.officebanking Banco Santander Perú S.A. com.CIMB.OctoPH CIMB Bank PH net.bitstamp.app Bitstamp – Buy & Sell Bitcoin at Crypto Exchange https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 24 of 35 Package Name App Name eu.eleader.mobilebanking.pekao.firm PekaoBiznes24 alior.bankingapp.android Usługi Bankowe com.bitmarket.trader Aplikacja Bitmarket com.comarch.mobile.banking.bgzbnpparibas.biznes Mobile BiznesPl@net com.comarch.security.mobilebanking ING Business com.empik.empikapp Empik com.empik.empikfoto Empik Foto com.getingroup.mobilebanking Getin Mobile com.konylabs.cbplpat Citi Handlowy eu.eleader.mobilebanking.invest plusbank24 eu.eleader.mobilebanking.pekao Pekao24Makler hr.asseco.android.mtoken.bos iBOSStoken pl.aliorbank.aib Alior Mobile pl.allegro Allegro - convenient and secure online shopping pl.bph BusinessPro Lite pl.bps.bankowoscmobilna BPS Mobilnie pl.bzwbk.bzwbk24 Santander mobile pl.bzwbk.ibiznes24 iBiznes24 mobile pl.ceneo Ceneo - zakupy i promocje pl.com.rossmann.centauros Rossmann PL pl.envelobank.aplikacja Pocztowy pl.eurobank2 eurobank mobile 2.0 pl.fakturownia Fakturownia.pl pl.ideabank.mobilebanking Idea Bank PL pl.ifirma.ifirmafaktury IFIRMA - Darmowy Program do Faktur pl.ing.mojeing Moje ING mobile pl.mbank mBank PL pl.millennium.corpApp Bank Millennium for Companies https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 25 of 35 Package Name App Name pl.nestbank.nestbank Nest Bank nowy pl.noblebank.mobile Noble Mobile pl.orange.mojeorange Mój Orange pl.pkobp.iko IKO pl.pkobp.ipkobiznes iPKO biznes pl.raiffeisen.nfc Mobilny Portfel softax.pekao.powerpay PeoPay wit.android.bcpBankingApp.millenniumPL Bank Millennium pt.bancobpi.mobile.fiabilizacao BPI APP pt.bctt.appbctt Banco CTT app.wizink.pt Wizink, o teu banco fácil com.bbva.mobile.pt BBVA Portugal pt.santander.oneappparticulares Santander Portugal pt.oney.oneyapp Oney Portugal eu.atlantico.bancoatlanticoapp MY ATLANTICO pt.novobanco.nbsmarter NB smarter com.abanca.bm.pt ABANCA - Portugal pt.santandertotta.mobileempresas Santander Empresas pt.novobanco.nbapp NB smart app pt.eurobic.apps.mobilebanking EuroBic Mobile App pt.santandertotta.mobileparticulares Santander Particulares com.bankinter.portugal.bmb Bankinter Portugal pt.cgd.caixadirectaempresas Caixadirecta Empresas wit.android.bcpBankingApp.activoBank ActivoBank pt.sibs.android.mbway MB WAY wit.android.bcpBankingApp.millennium Millenniumbcp cgd.pt.caixadirectaparticulares Caixadirecta ca.mobile.explorer CA Mobile pt.cgd.caderneta Caderneta https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 26 of 35 Package Name App Name pt.bancobest.android.mobilebanking Best Bank com.QIIB QIIB Mobile com.pozitron.qib QIB Mobile com.db.mobilebanking Doha Bank Mobile Banking com.cbq.CBMobile CBQ Mobile com.advantage.RaiffeisenBank Raiffeisen Smart Mobile ro.btrl.mobile Banca Transilvania at.spardat.bcrmobile Touch 24 Banking BCR com.tabtrader.android TabTrader Buy Bitcoin and Ethereum on exchanges com.microsoft.office.outlook Microsoft Outlook: Organize Your Email & Calendar clientapp.swiftcom.org ePayments: wallet & bank card com.alinma.retail.mobile Alinma Bank com.acceltree.mtc.screens Alawwal Mobile com.urpay.consumer urpay sa.com.stcpay stc pay com.alrajhiretailapp Al Rajhi Mobile com.riyadbank.strategic RiyadBank Mobile com.mbc.anb.keystore ANB Mobile~ Arab National Bank sa.alrajhibank.tahweelapp Tahweel Al Rajhi KSA com.samba.mb SambaMobile com.saib.banking.mobile.android SAIB com.sa.gazt.ZakatCalculator Zakaty - زكاتي com.kubi.kucoin KuCoin: Bitcoin Exchange & Crypto Wallet com.dbs.sg.dbsmbanking DBS digibank SG com.dbs.sg.posbmbanking POSB digibank com.citibank.mobile.sg Citibank SG co.bitx.android.wallet Luno: Buy Bitcoin, Ethereum and Cryptocurrency https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 27 of 35 Package Name App Name com.uob.mighty.app UOB Mighty Singapore com.booking Booking.com: Hotels, Apartments & Accommodation sk.vub.mobile VÚB Mobile Banking com.anz.transactive.global ANZ Transactive - Global com.vipera.ts.starter.QNB QNB Mobile es.cm.android Bankia www.ingdirect.nativeframe ING España. Banca Móvil app.wizink.es WiZink, tu banco senZillo com.rsi ruralvía com.targoes_prod.bad TARGOBANK - Banca a distancia com.santander.bpi Santander Private Banking com.tecnocom.cajalaboral Banca Móvil Laboral Kutxa com.rsi.Colonya Colonya Caixa Pollença com.kutxabank.android Kutxabank es.bancosantander.apps Santander es.bancosantander.empresas Santander Empresas es.bancosantander.wallet Santander Wallet es.caixagalicia.activamovil ABANCA- Banca Móvil es.caixageral.caixageralapp Banco Caixa Geral España es.caixaontinyent.caixaontinyentapp Caixa Ontinyent es.cecabank.ealia2103appstore UniPay Unicaja es.ceca.cajalnet Cajalnet es.evobanco.bancamovil EVO Banco móvil es.ibercaja.ibercajaapp Ibercaja es.lacaixa.mobile.android.newwapicon CaixaBank es.liberbank.cajasturapp Banca Digital Liberbank es.openbank.mobile Openbank – banca móvil es.orangebank.app Orange Bank - Banco Móvil https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 28 of 35 Package Name App Name es.pibank.customers Pibank es.santander.Criptocalculadora Criptocalculadora es.santander.money Santander Money Plan es.unicajabanco.app Unicaja Banco es.univia.unicajamovil UnicajaMovil com.indra.itecban.triodosbank.mobile.banking Triodos Bank. Banca Móvil com.indra.itecban.mobile.novobanco NBapp Spain com.imaginbank.app imaginBank - Your mobile bank com.westernunion.moneytransferr3app.es Western Union ES - Send Money Transfers Quickly com.grupocajamar.wefferent Grupo Cajamar com.db.pbc.mibanco Mi Banco db com.db.pbc.DBPay DB Pay com.v2msoft.contasimple Contasimple - Invoices, estimates & delivery notes com.cajasur.android Cajasur com.cajasiete.android.cajasietereport Report com.cajaingenieros.android.bancamovil Caja de Ingenieros Banca MÓVIL com.bbva.bbvacontigo BBVA Spain com.bankinter.launcher Bankinter Móvil com.bankinter.empresas Bankinter Empresas com.bankinter.bkwallet Bankinter Wallet com.bankia.wallet Bankia Wallet com.bancsabadell.wallet Sabadell Wallet com.bancocajasocial.geolocation Banco Caja Social Móvil net.inverline.bancosabadell.officelocator.android Banco Sabadell App. Your mobile bank com.mediolanum Banco Mediolanum España com.abanca.bancaempresas ABANCA Empresas com.bbva.netcash BBVA Net Cash - ES & PT https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 29 of 35 Package Name App Name com.ubs.swidKXJ.android UBS Mobile Banking: E-Banking and mobile pay ch.autoscout24.autoscout24 AutoScout24 Switzerland – Find your new car com.spotify.music Spotify: Listen to new music, podcasts, and songs com.krungsri.kma KMA ktbcs.netbank Krungthai NEXT com.scb.phone SCB EASY com.kasikorn.retail.mbanking.wap K PLUS com.pozitron.iscep İşCep - Mobile Banking com.anadolubank.android Anadolubank Mobil com.mobillium.papara Papara com.vakifbank.mobile VakıfBank Mobil Bankacılık trendyol.com Trendyol - Hızlı ve Güvenli Alışverişin Yolu com.ykb.android Yapı Kredi Mobile tr.com.hsbc.hsbcturkey HSBC Turkey finansbank.enpara.sirketim Enpara.com Şirketim Cep Şubesi com.teb CEPTETEB finansbank.enpara Enpara.com Cep Şubesi com.aktifbank.nkolay N Kolay com.kuveytturk.mobil Kuveyt Türk com.btcturk.pro BtcTurk - PRO - Bitcoin Al-Sat com.btcturk BtcTurk Bitcoin Borsası com.ziraatkatilim.mobilebanking Katılım Mobil com.denizbank.mobildeniz MobilDeniz com.tfkb Türkiye Finans Mobile Branch com.paribu.app Paribu com.garanti.cepsubesi Garanti BBVA Mobile tr.com.sekerbilisim.mbank ŞEKER MOBİL ŞUBE com.albarakaapp Albaraka Mobile Banking https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 30 of 35 Package Name App Name tr.gov.turkiye.edevlet.kapisi e-Devlet Kapısı com.mobillium.btcturk BtcTurk - Bitcoin Al/Sat com.tmobtech.halkbank Halkbank Mobil com.akbank.android.apps.akbank_direkt Akbank com.pttfinans PTTBank com.magiclick.odeabank Odeabank paladyum.peppara PeP: Para Transferi Sanal Kart com.ziraat.ziraatmobil Ziraat Mobile com.ingbanktr.ingmobil ING Mobil com.amazon.sellermobile.android Amazon Seller com.airbitz Bitcoin Wallet - Airbitz com.liv.android Liv. - Digital Lifestyle Bank com.emiratesnbd.android ENBD X com.NBQBank NBQBANK com.dib.app DIB MOBILE com.vipera.ts.starter.MashreqAE Mashreq UAE com.adib.mobile ADIB Mobile Banking App com.mashreq.NeoApp Mashreq Neo - Bank easy com.mbanking.ajmanbank Ajman Bank com.uab.personal United Arab Bank Mobile com.s4m EI Bank com.cbd.mobile CBD com.vipera.nbf NBF Direct App com.scb.ae.bmw SC Mobile Banking (UAE) com.myc3card.app C3Pay com.aaib AAIB Mobile ae.almasraf.mobileapp Al Masraf com.bankfab.pbg.ae.dubaifirst Dubai First com.sib.retail SIB Digital https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 31 of 35 Package Name App Name enbd.mobilebanking Emirates NBD com.infosys.alh Al Hilal Mobile Banking App ae.ahb.digital Al Hilal Digital com.rak RAKBANK Digital Banking uk.co.hsbc.hsbcukmobilebanking HSBC UK Mobile Banking com.virginmoney.cards Virgin Money Credit Card com.barclays.android.barclaysmobilebanking Barclays uk.co.santander.santanderUK Santander Mobile Banking com.grppl.android.shell.halifax Halifax: the banking app that gives you extra com.rbs.mobile.android.rbs Royal Bank of Scotland Mobile Banking uk.co.mbna.cardservices.android MBNA - Card Services App com.grppl.android.shell.CMBlloydsTSB73 Lloyds Bank Mobile Banking: by your side uk.co.tescomobile.android Tesco Mobile com.grppl.android.shell.BOS Bank of Scotland Mobile Banking: secure on the go com.rbs.mobile.android.natwest NatWest Mobile Banking uk.co.metrobankonline.mobile.android.production Metro Bank com.transferwise.android TransferWise Money Transfer com.revolut.revolut Revolut - Get more from your money uk.co.tsb.newmobilebank TSB Mobile Banking com.ie.capitalone.uk Capital One UK com.cooperativebank.bank The Co-operative Bank com.csam.icici.bank.imobile iMobile by ICICI Bank co.uk.Nationwide.Mobile Nationwide Banking App com.zenithBank.eazymoney Zenith Bank Mobile App me.cryptopay.android C.PAY com.att.myWireless myAT&T com.ubercab.eats Uber Eats: Food Delivery com.unionbank.ecommerce.mobile.android Union Bank Mobile Banking https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 32 of 35 Package Name App Name com.usaa.mobile.android.usaa USAA Mobile com.usbank.mobilebanking U.S. Bank - Inspired by customers com.viber.voip Viber Messenger - Messages, Group Chats & Calls com.pnc.ecommerce.mobile PNC Mobile com.wallet.crypto.trustapp Trust: Crypto & Bitcoin Wallet com.wf.wellsfargomobile Wells Fargo Mobile co.mona.android Crypto.com - Buy Bitcoin Now com.woodforest Woodforest Mobile Banking com.navyfederal.android Navy Federal Credit Union com.yahoo.mobile.client.android.mail Yahoo Mail – Organized Email com.zellepay.zelle Zelle com.mtb.mbanking.sc.retail.prod M&T Mobile Banking com.morganstanley.clientmobile.prod Morgan Stanley Wealth Mgmt com.mfoundry.mb.android.mb_136 People’s United Bank Mobile com.mcom.firstcitizens First Citizens Mobile Banking com.mbankuae.amcb MBank UAE com.mail.mobile.android.mail mail.com mail com.konylabs.capitalone Capital One® Mobile com.key.android KeyBank Mobile com.infonow.bofa Bank of America Mobile Banking com.imo.android.imoim imo free video calls and chat com.icsfs.jkb JKB-Mobile com.huobionchainwallet.gp HuobiWallet com.google.android.apps.nbu.paisa.user Google Pay com.ebos.bos eBOS Mobile com.discoverfinancial.mobile Discover Mobile com.compasssavingsbank.mobile Compass Savings Bank com.clairmail.fth Fifth Third Mobile Banking https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 33 of 35 Package Name App Name com.citizensbank.androidapp Citizens Bank Mobile Banking com.citi.mobile.ccc CitiManager – Corporate Cards com.citi.citimobile Citi Mobile® com.chase.sig.android Chase Mobile com.botw.mobilebanking Bank of the West Mobile com.bbt.myfi U by BB&T com.barclaycardus Barclays US com.BanqueMisr.MobileBanking BM Online com.arabbank.arabimobilev2 Arabi-Mobile com.aol.mobile.aolapp AOL - News, Mail & Video com.americanexpress.android.acctsvcs.us Amex com.ally.MobileBanking Ally Mobile com.alahli.quickpay SNB QuickPay com.alahli.mobile.android SNB AlAhli Mobile com.adcb.cbgdigi ADCB Hayyak: Start your banking relationship now! com.schwab.mobile Schwab Mobile com.suntrust.mobilebanking SunTrust Mobile App com.tdbank TD Bank (US) com.robinhood.android Robinhood - Investment & Trading, Commission-free com.uba.vericash UBA Mobile Banking com.ubercab Uber - Request a ride com.amazon.mShop.android.shopping Amazon Shopping - Search, Find, Ship, and Save com.uy.itau.appitauuypf Itaú Uruguay uy.com.brou.token BROU Llave Digital uy.brou App Móvil del Banco República com.accessbank.accessbankapp Access Bank plc com.bitpanda.bitpanda Bitpanda - Buy Bitcoin in minutes https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 34 of 35 Source: https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html https://www.threatfabric.com/blogs/hook-a-new-ermac-fork-with-rat-capabilities.html Page 35 of 35