Android trojan steals information: targeted banking and wallet apps

Known mobile malware creators released a new banking trojan stealing financial data

Mobile malware was discovered running for a few months that targeted 378 mobile apps.

Android banking trojan analysis revealed that the ERMAC malware based on the known banking trojan, operated by the same group BlackRock, targeted many mobile applications where financial app logins can be stolen.^[1] The mobile trojan targets Poland and the coding based on Cerberus malware^[2] indicates the persistence and multiple functionalities.

The malware affected at least 378 applications with overlays that allowed malicious attackers to steal financial information. The trojan distribution started back in August with the help of a fake Google Chrome application. It was started with banking and wallet apps, but the range was expanded to other types of programs. This campaign includes media players, delivery services, government applications, antivirus tools, banking, and cryptocurrency wallets now.

Security researchers revealed^[3] all the similarities to the Cerberus malware and confirmed that the mobile trojan campaign, believed to be started on August 17. The promotional content online that offered actors to rent the Android threat with various functions for $3,000 a month, was published that day. The user registered the account just the day before he posted an advertisement in his profile:

Android botnet ERMAC. I will rent a new android botnet with wide functionality to a narrow circle of people (10 people). 3k$ per month. Details in PM.

BlackRock actors and their mobile malware

The notorious Android malware is pretty much a copy of the Cerberus malware, experts state. The company developing these mobile threats, known as BlackRock, can alter the code and make the trojan functioning as the particular actor needs. The user from those forum posts – DukeEugene is known as one of the criminals behind this group that was initially indicated back in July 2020.^[4]

Mobile malware is often can be altered to meet particular threat actor wants and needs. Keyloggers and information-stealers are the most common. Especially, when the financial data and cryptocurrency is the main target. This group is known for spreading such malicious pieces with silent methods of data-stealing. The particular code of the Cerberus got publicly released a year ago and used as a free Remote Access Trojan.^[5]

Besides similarities, ERMAC analysis shows that malware uses a Blowfish encryption scheme that allows actors to communicate with the piece via the C&C server. The main data attractive for these actors remain contact information, text messages. These details can be accessed then the overlay gets put on the financial applications, so login credentials can be obtained and used later in direct crypto stealing attacks.

Financial data and cryptocurrency remains a common target

These pieces that lack some powerful remote access trojan features or malicious codes still can easily get to those credentials, login information. However, the main goal is financial gain for such criminals because financial, banking, wallet applications provide the option to transfer funds to criminal-held accounts later on.

Recent campaigns of the direct money staling Firefox add-on surfaced.^[6] Malicious browser add-on named Safepal Wallet scammed cryptocurrency holders and emptied their wallets. It was actively downloaded from the application site for seven months. Phishing websites and other malicious platforms were sued to push the piece online.

This is a major thing because people lost thousands to these scammers. Threat actors target cryptocurrency wallets, other financial applications, and platforms because it is a go-to currency for malware creators and can often not be easily traced when payments get made to scammers' accounts. You need to be careful with the security and privacy, but also with transferring cryptocurrency online.