Full Report
The source code for version 3 of the ERMAC Android banking trojan has been leaked online, exposing the internals of the malware-as-a-service platform and the operator's infrastructure. [...]
Analysis Summary
# Tool/Technique: ERMAC Android Malware
## Overview
ERMAC is an Android banking trojan delivered as Malware-as-a-Service (MaaS). The recent leak of its source code exposes its infrastructure and capabilities, which include extensive data theft, device control, and communication abuse.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Android
- Capabilities: Data exfiltration (SMS, contacts, Gmail, files), remote control, SMS sending/call forwarding, device management, use of AES-CBC encryption for C2 communications.
- First Seen: Information not available in the provided context, but recent improvements (V3.0) are discussed.
## MITRE ATT&CK Mapping
*Note: Specific T codes are inferred based on documented capabilities of Android banking/remote access trojans. Definitive mapping requires deeper technical analysis.*
- **TA0001 - Initial Access** (Inferred if distributed via malicious apps)
  - **T1429 - Application Installation** (If installed via sideloading or malicious app stores)
- **TA0009 - Collection**
  - **T1437 - Email Collection** (For Gmail subjects/messages)
  - **T1431 - Contacts Discovery**
  - **T1428 - SMS Messages**
- **TA0011 - Command and Control**
  - **T1438 - Data Obfuscation** (Use of AES-CBC)
- **TA0005 - Defense Evasion**
  - **T1565.001 - Remote Uninstall** (`killme` command)
## Functionality
### Core Capabilities
- **Data Theft:** Stealing SMS messages, contacts, registered accounts, and extracting Gmail subjects and messages.
- **File System Access:** Ability to `list` and `download` files from the device.
- **Communication Abuse:** Sending SMS messages and forwarding calls.
- **Device Control:** Full application management (launch, uninstall, clear cache).
### Advanced Features
- **Overlay Attacks:** Utilizes form-injection techniques for deception and credential harvesting.
- **Encrypted Communication:** Uses AES-CBC to encrypt traffic with the Command and Control (C2) server.
- **Deception:** Displays fake push notifications to trick users.
- **Evasion:** Features a remote uninstall command (`killme`) to destroy evidence/evade analysis.
- **Infrastructure Exposure:** The leak exposed not only the source code but also hardcoded JWT tokens, default root credentials, and unprotected admin panels, all significant operational security (OpSec) failures on the operator's side.
## Indicators of Compromise
- **File Hashes:** Not available in the provided context.
- **File Names:** Not available in the provided context, but package names were exposed in the infrastructure details.
- **Registry Keys:** Not applicable (Android platform).
- **Network Indicators:** C2 endpoints, panels, and exfiltration servers were exposed by the leak, but the specific values are not available in the provided context and so are not listed here.
- **Behavioral Indicators:** Issuing commands like 'list', 'download', 'killme'; sending SMS; capturing photos via the front camera; displaying false push notifications.
## Associated Threat Actors
- The threat actors operating the ERMAC Malware-as-a-Service (MaaS) platform. Attribution details inferred from the exposure of operational fingerprints (panel names, package names).
## Detection Methods
- **Signature-based detection:** Likely detection based on known package names, unique strings, or known C2 communication patterns (now potentially outdated if threat actors update based on the leak).
- **Behavioral detection:** Monitoring for SMS sending/call forwarding, attempts to read Gmail/SMS databases, or launching the front camera unexpectedly.
- **YARA rules:** Not explicitly mentioned, but derivable from the leaked source code for static analysis.
## Mitigation Strategies
- **Prevention measures:** Strict enforcement of app installation policies (avoiding sideloading/untrusted sources).
- **Hardening recommendations:** Security standards for Android application development should prohibit hardcoding credentials (like JWT tokens) and ensure robust administrative panel security (e.g., registration protection, strong authentication).
- **Infrastructure Hardening:** The exposure highlights the need for securing C2 infrastructure and preventing unintended public exposure of administration interfaces.
## Related Tools/Techniques
- Other Android banking trojans that utilize form-injection and SMS interception techniques.
- Other MaaS platforms where source code leaks can negatively impact customer trust and operational security.