Ermac, a notorious Android banking trojan, has seen its threat profile expand significantly with the latest leak of its source code, ERMAC 3.0. According to Hunt.io cybersecurity researchers, this version of the malware builds upon its predecessors, Cerberus and Hook, targeting over 700 financial applications, including banking, shopping, and cryptocurrency apps.

The discovery was made when researchers obtained the full source code of ERMAC 3.0 from an open directory on the internet. The leak revealed a significant evolution in the malware's capabilities, including new form injection methods, a C2 panel, Android backdoor, and AES-CBC comms. This confirms ERMAC as an active Mobile-as-a-Service (MaaS) platform.

The source code of ERMAC 3.0 was first released by DukeEugene, the threat actor behind the BlackRock mobile malware. The researchers noted that the earliest versions of ERMAC were almost fully based on the popular banking trojan Cerberus. The source code of Cerberus was leaked in September 2020 on underground hacking forums after its operators failed an auction.

According to experts, ERMAC primarily leverages form injects for capturing sensitive data. This is done by serving custom form injects through the public/injects directory. The malware targets financial applications with a large focus on mobile banking and cryptocurrency applications, capturing sensitive data such as login credentials or credit card data.

Hunt.io discovered the full ERMAC V3.0 source code on an open directory on 141[.]164[.]62[.]236. The leak includes backend (PHP/Laravel C2), frontend (React), Golang exfiltration server, Docker configs, and builder. Analysis showed extensive operator control via form injects targeting 700+ apps, mainly banking and crypto, exfiltrating credentials via Android callbacks.

Researchers uncovered multiple vulnerabilities in the malware, including a hardcoded JWT, default root credentials, and open registration. Panels and exfil servers remain active, confirming ERMAC as an evolving MaaS platform.

The malicious code relies on the Kotlin backdoor that supports 71 languages and encrypts traffic with AES-CBC. The malware does not target systems in CIS regions and avoids running in emulators. It requests elevated permissions for its execution, can exfiltrate device data, and execute extensive commands, from stealing SMS and contacts to pushing fake overlays, call forwarding, Gmail theft, file access, and even taking photos.

A web-based builder lets operators customize campaigns. Hunt.io mapped its live C2 panels, APIs, and exfil servers via HuntSQL queries, aiding defenders in tracking and disrupting ERMAC's infrastructure.

“ERMAC targets users of banking, shopping, and other financial applications primarily through web injects. It relies on Android’s WebView API to place an overlay on top of legitimate apps, capturing credentials and payment information. Implementing secure Android permissions such as FLAG_SECURE and using code to detect or block overlays can reduce exposure to this technique.” concludes the report.

“Defenders can also focus on identifying and disrupting ERMAC infrastructure. Regularly scan for active C2 and exfiltration servers, and block Android applications that reference known ERMAC IPs or domains.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Note: This is a detailed version of the original article, rewritten in HTML for better readability. The content includes paragraphs (

tags) for easier understanding.