ERMAC is a malicious software (malware) family that was first observed in 2021 as a banking trojan. It targets over 450 financial and social media applications, with its core features designed to send SMS messages, display phishing windows on top of legitimate apps, extract lists of installed applications, gather SMS messages, and siphon recovery seed phrases for multiple cryptocurrency wallets. ERMAC was built on the Cerberus codebase and was later identified as the predecessor of another malware family called Hook. Despite the modifications introduced by ERMAC and Alien, it shares many similarities with the other malware families derived from the same source code.
In January 2023, ThreatFabric documented Hook, describing it as an "ERMAC fork" offered for sale on underground forums for $7,000 per month. A subsequent analysis revealed that Hook is indeed based on ERMAC, with both sharing nearly identical implementations for the 30 commands that a malware operator can send to an infected device. The majority of their command-and-control (C2) servers are located in Russia, followed by the Netherlands, the UK, the US, Germany, France, Korea, and Japan.
Despite some differences between ERMAC and Hook, both can log keystrokes and abuse Android's accessibility services to conduct overlay attacks. These attacks let the malware display content over other apps, enabling it to steal credentials from over 700 different apps. In a technical analysis published last week, NCC Group security researchers Joshua Kamp and Alberto Segura confirmed that the ERMAC source code was used as the base for Hook.
Description last updated: 2024-10-17T12:36:59.871Z