Dangerous Malware Targets Android Devices

Android OS Mobile Networks and Telephones
Advisory ID:
June 2, 2022


Ermac, a dangerous malware that targeted Android devices in 2021, has reappeared as Ermac 2.0. Ermac is a trojan that steals user credentials from banking apps and crypto wallets included in the list of targeted apps and sends them to threat actors. It currently targets 467 apps and is available for rent on the darknet for $5000 per month by threat actors.

Description & Consequence

The malware is typically distributed via a sophisticated phishing campaign or social media posts that direct the victim to a bogus site of a popular service and trick them into downloading an app laced with the trojan. The malware will then scan the device to determine which apps are installed and send the results back to the command and control (C2) server. It will then request 43 permissions from the victim's device, which, if granted, will grant the threat actors complete access to the compromised device. Deeper technical analysis of the malware revealed that it can grant itself permissions (via Accessibility) upon installation, including SMS access, contact access, system alert window creation, audio recording, and full storage read and write access. When the victim tries to launch the genuine application, the injection action takes place, and a phishing page is loaded on top of the actual GUI. The credentials are sent to the same C2 that supplied the injections.

After successful exploitation, login credentials for banking apps, cryptocurrency wallets or other asset management apps are stolen and used to commit fraud.


  1. Avoid downloading apps from untrusted and unauthorized sources.
  2. Apps downloaded from authorized sources should still be subjected to scrutiny.
  3. Scrutinize permission requests; do not grant permissions to apps that does not correlate with their functionality.
  4. Be wary of unsolicited emails or social media posts.



Related Articles