ERMAC Android malware source code leak exposes banking trojan infrastructure

The source code for version 3 of the ERMAC Android banking trojan has been leaked online, exposing the internals of the malware-as-a-service platform and the operator’s infrastructure.

The code base was discovered in an open directory by Hunt.io researchers while scanning for exposed resources in March 2024.

They located an archive named Ermac 3.0.zip, which contained the malware’s code, including backend, frontend (panel), exfiltration server, deployment configurations, and the trojan’s builder and obfuscator.

The researchers analyzed the code, finding that it significantly expanded the targeting capabilities compared to previous versions, with more than 700 banking, shopping, and cryptocurrency apps.

ERMAC was first documented in September 2021  by ThreatFabric – a provider of online payment fraud solutions and intelligence for the financial services sector, as an evolution of the Cerberus banking trojan operated by a threat actor known as ‘BlackRock.’

ERMAC v2.0 was spotted by ESET in May 2022, rented to cybercriminals for a monthly fee of $5,000, and targeting 467 apps, up from 378 in the previous version.

In January 2023, ThreatFabric observed BlackRock promoting a new Android malware tool named Hook, which appeared to be an evolution of ERMAC.

ERMAC v3.0 capabilities

Hunt.io found and analyzed ERMAC’s PHP command-and-control (C2) backend, React front-end panel, Go-based exfiltration server, Kotlin backdoor, and the builder panel for generating custom trojanized APKs.

According to the researchers, ERMAC v3.0 now targets sensitive user information in more than 700 apps.

Additionally, the latest version expands on previously documented form-injection techniques, uses AES-CBC for encrypted communications, features an overhauled operator panel, and enhances data theft and device control.

Specifically, Hunt.io has documented the following capabilities for the latest ERMAC release:

• Theft of SMS, contacts, and registered accounts
• Extraction of Gmail subjects and messages
• File access via ‘list’ and ‘download’ commands
• SMS sending and call forwarding for communication abuse
• Photo capturing via the front camera
• Full app management (launch, uninstall, clear cache)
• Displaying fake push notifications for deception
• Uninstalls remotely (killme) for evasion

Infrastructure exposed

Hunt.io analysts used SQL queries to identify live, exposed infrastructure currently used by the threat actors, identifying C2 endpoints, panels, exfiltration servers, and builder deployments.

Apart from exposing the malware’s source code, the ERMAC operators had several other major opsec failures, including hardcoded JWT tokens, default root credentials, and no registration protections on the admin panel, allowing anyone to access, manipulate, or disrupt ERMAC panels.

Finally, the panel names, headers, package names, and various other operational fingerprints left little doubt about attribution and made discovery and mapping of the infrastructure a lot easier.

The ERMAC V3.0 source code leak weakens the malware operation, first by eroding customer trust in the MaaS in its ability to protect information from law enforcement or allow running campaigns with low detection risk.

Threat detection solutions are also likely to get better at spotting ERMAC. However, if the source code falls into the hands of other threat actors, it is possible to observe in the future modified variants of ERMAC that are more difficult to detect.