{
	"id": "59cff058-e138-42d8-b930-95a662a80749",
	"created_at": "2026-04-06T00:06:31.418732Z",
	"updated_at": "2026-04-10T03:30:32.930245Z",
	"deleted_at": null,
	"sha1_hash": "a9b50e5ffdd6a64cc08fe675f2787f72f50a81d0",
	"title": "Cyble ERMAC Android Malware Increasingly Active",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1121314,
	"plain_text": "Cyble ERMAC Android Malware Increasingly Active\r\nBy cybleinc\r\nPublished: 2022-10-18 · Archived: 2026-04-05 21:14:12 UTC\r\nCRIL investigates the resurgence of the ERMAC Android malware as an increasing number of users fall prey to its phishing attacks.\r\nAndroid users targeted through multiple phishing themes\r\nCyble Research \u0026 Intelligence Labs (CRIL) recently identified a mass phishing campaign that delivers malicious Android executables. While investigating the samples, we identified them as ERMAC banking Trojans.\r\nERMAC is an Android banking Trojan that was first discovered in late August 2021, when it was found targeting Poland. The latest version, ERMAC 2.0, targets 467 applications, and the Threat Actor (TA) was renting it out for $5K/month on a cybercrime forum.\r\nPhishing Campaign Analysis\r\nThe campaign uses phishing websites that serve fake applications impersonating Google Wallet, PayPal, and Snapchat, tricking users into downloading and installing the malicious ERMAC APK on their Android devices.\r\nAs part of the phishing campaign, the TA registered typosquatted domains of popular Android application hosting platforms such as Google Play Store, APKPure and APKCombo. The image below shows the Whois information of the IP address 103[.]109.101[.]137 hosting these phishing websites.\r\nhttps://blog.cyble.com/2022/10/18/ermac-android-malware-increasingly-active/\r\nPage 1 of 9\n\nFigure 1 – Whois Information of IP Address\r\nThe image below shows how the TA mimics the Google Play Store page; clicking the “Install” button downloads a malicious Android APK masquerading as Google Wallet.\r\nFigure 2 – Google Play Store Phishing Website\r\n“Apkpure” is a third-party Android application hub where Android applications can be hosted and downloaded for free.
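Example added by the editor (not code from the Cyble report): a small Python detector that takes the report's defanged phishing and C2 indicators, refangs them, and scans constructed DNS and proxy log lines for exact hits. It also generalizes the typosquatting observation above: instead of matching only the listed domains, it flags any registrable label that embeds, or sits within edit distance 2 of, an impersonated brand name, which catches every listed phishing domain plus a lookalike the report does not list. The BRANDS list, the log line format, SAMPLE_LOGS and the rule that a label exactly equal to a brand is treated as legitimate are all assumptions made for this example.

```python
from urllib.parse import urlparse

# Defanged phishing URLs and the C2 URL as published in the report's IOC table.
DEFANGED_IOCS = [
    'hxxp://apk-combos[.]com/', 'hxxps://paltpal-apk[.]com/', 'hxxps://m-apkpures[.]com/',
    'hxxps://payce-google[.]com/', 'hxxp://payse-google[.]com/', 'hxxps://vidmates-app[.]com/',
    'hxxps://app-vidmates[.]com/', 'hxxp://www.app-vidmates[.]link/', 'hxxp://app-vidmate[.]com/',
    'hxxps://snacpchat-apk[.]com/', 'hxxp://193.106.191[.]121:3434/yy.php/',
]

# Brands impersonated by the campaign (assumed list, taken from the report narrative).
BRANDS = ['google', 'apkpure', 'apkcombo', 'paypal', 'vidmate', 'snapchat']

# Constructed sample log lines (not from the report): timestamp, source, client, action, target.
SAMPLE_LOGS = [
    '2022-10-18T09:12:01Z dns 10.0.0.12 query A m-apkpures.com',
    '2022-10-18T09:12:03Z proxy 10.0.0.12 GET http://m-apkpures.com/paypal.apk',
    '2022-10-18T09:14:40Z proxy 10.0.0.12 POST http://193.106.191.121:3434/yy.php/',
    '2022-10-18T09:15:00Z dns 10.0.0.33 query A play.google.com',
    '2022-10-18T09:16:10Z dns 10.0.0.41 query A snapchat-login.com',
]


def refang(indicator):
    # Undo the defanging used in the report so the indicator parses as a normal URL.
    s = indicator.replace('[.]', '.').replace('[:]', ':')
    if s.startswith('hxxp'):
        s = 'http' + s[4:]
    return s


def host_of(url):
    return (urlparse(url).hostname or '').lower()


IOC_HOSTS = {host_of(refang(i)) for i in DEFANGED_IOCS}


def levenshtein(a, b):
    # Classic dynamic-programming edit distance (insert, delete, substitute all cost 1).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host):
    # Look only at the registrable label (m-apkpures.com -> m-apkpures, www.app-vidmates.link -> app-vidmates).
    # Assumption: a label that is exactly the brand (play.google.com) is legitimate and is not flagged.
    labels = host.split('.')
    if len(labels) < 2:
        return None
    label = labels[-2]
    compact = label.replace('-', '')
    tokens = label.split('-')
    for brand in BRANDS:
        if compact != brand and brand in compact:
            return brand  # brand embedded with extra characters: payce-google, m-apkpures
        if any(t != brand and len(t) >= 5 and levenshtein(t, brand) <= 2 for t in tokens):
            return brand  # brand misspelled: paltpal, snacpchat
    return None


def classify(host):
    # Exact IOC hit first, then the broader lookalike heuristic.
    if host in IOC_HOSTS:
        return 'ioc-match'
    brand = lookalike_brand(host)
    return 'lookalike:' + brand if brand else None


def host_from_log(line):
    # The target is the last field: either a bare hostname (DNS) or a full URL (proxy).
    target = line.rsplit(' ', 1)[-1]
    return host_of(target) if target.startswith('http') else target.lower()


def scan(lines):
    # Returns (host, verdict) for every line that matches an IOC or looks like a brand typosquat.
    hits = []
    for line in lines:
        host = host_from_log(line)
        verdict = classify(host)
        if verdict:
            hits.append((host, verdict))
    return hits


if __name__ == '__main__':
    for host, verdict in scan(SAMPLE_LOGS):
        print(host, verdict)
```

The substring rule catches the hosting-platform typosquats (m-apkpures, apk-combos, app-vidmates), while the edit-distance rule is what catches paltpal-apk and snacpchat-apk, where the brand itself is misspelled; both fire only on the registrable label, so subdomains of the real brand are left alone. In practice feed the output of this scan into the same alert path as a hash match on the APK IOCs, since a lookalike hit here is usually the download step that precedes the C2 POST described later in the report.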
The image below mimics the Apkpure application store page; clicking through downloads a malicious Android APK masquerading as a PayPal application.\r\nFigure 3 – Apkpure Phishing Website\r\nSimilar to Apkpure, APKCombo is also a free Android application hosting site. The image below mimics the APKCombo application store page, which downloads a malicious Android APK masquerading as a trading application.\r\nFigure 4 – APKCombo Phishing Website\r\nThe TA also created a phishing website to target PayPal users. The image below shows a fake website that downloads a malicious Android APK masquerading as a PayPal application when the user clicks the “Download” button.\r\nFigure 5 – PayPal Phishing Website\r\nThe TA even targets users of “VidMate,” an application that downloads multimedia files hosted on popular websites such as YouTube, Facebook and Instagram. The image below shows a fake website that downloads a malicious Android APK masquerading as the official VidMate application.\r\nFigure 6 – VidMate Phishing Website\r\nThe TA also targets users of popular chat applications. The image below depicts a fake Snapchat website that downloads a malicious APK file.\r\nFigure 7 – Snapchat Phishing Website\r\nUpon successful execution, ERMAC steals sensitive data from the device, such as contacts, SMS messages and the list of installed applications.\r\nThe malware uses the list of installed applications to decide which phishing (overlay) pages to load on the victim’s screen in order to steal credentials. During infection, the malware connects to the Command and Control (C\u0026C) server using a POST request, as shown below.\r\nFigure 8 – Communication with C\u0026C\r\nWe observed the ERMAC admin panel hosted on the same IP, as shown in the figure below.\r\nFigure 9 – ERMAC Admin Panel\r\nConclusion\r\nSince over 70% of mobile users use Android devices, attacks on Android have scaled with the importance and widespread use of the Android OS. This is the primary reason TAs use various sophisticated techniques to deliver malicious Android payloads.\r\nIn this case, the TA uses phishing techniques, mimicking several popular and legitimate websites, to deliver the ERMAC Android payload.\r\nCyble Research \u0026 Intelligence Labs constantly monitors active phishing campaigns and keeps our readers updated with our latest findings about phishing and other types of data-stealing attacks.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\n- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\n- Regularly monitor your financial transactions, and contact your bank immediately if you notice any suspicious activity.\r\n- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\n- Refrain from opening untrusted links and email attachments without verifying their authenticity.\r\nIndicators of Compromise (IOCs)\r\nIndicator | Type | Description\r\n8692e3212dc590c254020450bdee7003 | MD5 | ERMAC APK\r\n1b9600d9ba73aeb09bd8d75bd1ae73d75eac6232 | SHA1 | ERMAC APK\r\n8e9a45e5ac00332d83afa5efb5c5ed92e38280c7da7b7a5f6ae5577e2271cb26 | SHA256 | ERMAC APK\r\nhxxp://apk-combos[.]com/ | URL | Phishing site\r\nhxxps://paltpal-apk[.]com/ | URL | Phishing site\r\nhxxps://m-apkpures[.]com/ | URL | Phishing site\r\nhxxps://payce-google[.]com/ | URL | Phishing site\r\nhxxp://payse-google[.]com/ | URL | Phishing site\r\nhxxps://vidmates-app[.]com/ | URL | Phishing site\r\nhxxps://app-vidmates[.]com/ | URL | Phishing site\r\nhxxp://www.app-vidmates[.]link/ | URL | Phishing site\r\nhxxp://app-vidmate[.]com/ | URL | Phishing site\r\nhxxps://snacpchat-apk[.]com/ | URL | Phishing site\r\nhxxp://193.106.191[.]121:3434/yy.php/ | URL | C\u0026C URL\r\nhxxp://193.106.191[.]121/ | URL | ERMAC Admin Panel\r\n103[.]109.101[.]137 | IP | IP hosting phishing sites\r\nSource: https://blog.cyble.com/2022/10/18/ermac-android-malware-increasingly-active/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.cyble.com/2022/10/18/ermac-android-malware-increasingly-active/"
	],
	"report_names": [
		"ermac-android-malware-increasingly-active"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775433991,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9b50e5ffdd6a64cc08fe675f2787f72f50a81d0.pdf",
		"text": "https://archive.orkl.eu/a9b50e5ffdd6a64cc08fe675f2787f72f50a81d0.txt",
		"img": "https://archive.orkl.eu/a9b50e5ffdd6a64cc08fe675f2787f72f50a81d0.jpg"
	}
}