ERMAC 3.0 Source Code Leak: Evolution of a Growing Android Banking Trojan Threat
The leaked ERMAC 3.0 source code shows how this Android banking trojan grew out of Cerberus, how much code it shares with Hook, and how it targets 700+ banking, shopping and cryptocurrency apps. It also exposes the malware's capabilities and the weaknesses in its infrastructure that defenders can use to disrupt its operations.
TL;DR
- Researchers at Hunt.io obtained the full source code of ERMAC 3.0, an advanced Android banking trojan targeting 700+ banking, shopping, and cryptocurrency apps.
- The malware has evolved from Cerberus and Hook, incorporating new features like form injection, AES-CBC encryption, and a web-based builder for custom campaigns.
- Vulnerabilities in its infrastructure, such as hardcoded secrets and weak credentials, provide defenders with opportunities to disrupt its operations.
Introduction
ERMAC 3.0 is an advanced Android banking trojan whose full source code researchers at Hunt.io recently obtained. The code shows how the family evolved from earlier malware such as Cerberus and how much it shares with Hook, documents the malware's expanded capabilities, and exposes weaknesses in its infrastructure that defenders can use to blunt its impact.
ERMAC 3.0 is designed to target over 700 banking, shopping, and cryptocurrency applications, making it a significant threat to users worldwide. Its operators, linked to the threat actor DukeEugene, have transformed it into a Malware-as-a-Service (MaaS) platform, allowing cybercriminals to customize and deploy attacks with ease.
The Evolution of ERMAC: From Cerberus to ERMAC 3.0
Origins and Development
ERMAC was first documented by researchers at ThreatFabric in July 2021.[1] Its initial version was heavily based on the Cerberus banking trojan, whose source code was leaked in September 2020 after its operators failed to sell it at auction on underground forums. ERMAC subsequently evolved into version 2.0, and its codebase overlaps substantially with that of the Hook botnet, as NCC Group's research on the two families documents.
The newly uncovered ERMAC 3.0 represents a major leap in sophistication, expanding its form injection and data theft capabilities to target a broader range of applications. This evolution highlights the malware’s adaptability and the growing threat it poses to Android users.
Key Features of ERMAC 3.0
ERMAC 3.0 introduces several enhanced features, including:
- Form Injection Attacks: The malware uses custom form injects to capture sensitive data, such as login credentials and payment information, from targeted applications.
- AES-CBC Encryption: Traffic between the malware and its Command and Control (C2) servers is encrypted with AES-CBC, so commands and stolen data do not appear in clear text to network inspection. The protection is only as strong as the key's secrecy: a key that ships inside the APK, or that appears in the leaked source, lets an analyst decrypt captured traffic.
- Web-Based Builder: Operators can customize campaigns using a web-based builder, allowing for tailored attacks on specific targets.
- Android Backdoor: The malware includes a Kotlin-based backdoor that supports 71 languages and enables extensive command execution, such as:
- Stealing SMS messages and contacts.
- Deploying fake overlays to capture credentials.
- Call forwarding and Gmail theft.
- Accessing files and taking photos without user consent.
- Geographic Exclusions and Emulator Checks: ERMAC 3.0 will not run on devices located in CIS (Commonwealth of Independent States) countries and refuses to run inside emulators, the latter to frustrate sandbox analysis.
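As an added illustration of what AES-CBC transport with a client-embedded key does and does not protect (this is example code written for this page, not code from the Hunt.io report or from ERMAC itself), the Go program below seals and opens C2 envelopes of the form IV || AES-CBC(key, PKCS#7(message)). The key value, the IV-prefix framing and the JSON command are assumptions for this example and are not ERMAC's actual format. Once the key has been recovered from leaked source, DecryptCapture turns a captured envelope back into the command; without it the same bytes are opaque, which is all the "harder to analyse" claim amounts to.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// hardcodedKey stands in for a key embedded in a trojan build. The value is
// an assumption for this example; it is not ERMAC's key. 32 bytes = AES-256.
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef")

// pkcs7Pad appends PKCS#7 padding so the plaintext is a whole number of blocks.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding and rejects malformed padding.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("plaintext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// Seal encrypts a C2 message as IV || AES-CBC(key, IV, PKCS7(msg)).
// The IV-prefix framing is an assumption made for this example.
func Seal(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(msg, aes.BlockSize)
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// Open reverses Seal: split off the IV, decrypt, strip padding.
func Open(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("envelope too short or not block aligned")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

// DecryptCapture is the analyst-side helper: apply the key lifted from the
// leaked source to a captured envelope and return the plaintext command.
func DecryptCapture(envelope []byte) (string, error) {
	pt, err := Open(hardcodedKey, envelope)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// Constructed sample command; not taken from real ERMAC traffic.
	msg := []byte(`{"cmd":"getsms","bot":"example-bot-id"}`)
	env, err := Seal(hardcodedKey, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("envelope: %d bytes, first %d are the IV\n", len(env), aes.BlockSize)
	pt, err := DecryptCapture(env)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", pt)
}
```

Because the IV is random, two seals of the same command produce different envelopes, so naive byte-pattern signatures on the ciphertext do not work; the static key, not the ciphertext, is the durable indicator.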
Vulnerabilities in ERMAC’s Infrastructure
Exposed Weaknesses
The leak of ERMAC 3.0’s source code revealed several critical vulnerabilities in its infrastructure:
- Hardcoded Secrets: The source code contains hardcoded JSON Web Token (JWT) signing material and static tokens. Anyone who reads the source can mint or replay tokens the panel accepts, a weakness defenders can use to disrupt its operations.
- Default Credentials: Weak or default credentials were found in the backend and frontend systems, making unauthorized access easier.
- Open Registration: The malware's C2 panel lets anyone register an account, which could allow defenders to get inside the panel and monitor its activity.
- Active Servers: Despite these vulnerabilities, ERMAC’s C2 panels, APIs, and exfiltration servers remain active, confirming its status as an evolving MaaS platform.
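To make the hardcoded-secret weakness concrete, here is an added Go example (written for this page; it is not ERMAC's panel code) of an HS256 JWT signer and verifier built on the standard library. The secret value, the claim names and the role string are assumptions chosen for this example. What it demonstrates is that a JWT's integrity rests entirely on the secret: a verifier that checks the HMAC correctly and refuses other algorithms still accepts any token minted with the leaked secret, so a hardcoded secret is no better than a public one, and the only fix is to rotate it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// leakedSecret stands in for a signing secret found hardcoded in leaked panel
// source. The value is an assumption for this example, not ERMAC's secret.
const leakedSecret = "example-hardcoded-jwt-secret"

// SignHS256 builds a compact JWS (header.payload.signature) using HS256.
func SignHS256(secret string, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS256 checks the signature in constant time and returns the claims.
// It accepts only HS256, so an "alg":"none" token is rejected outright.
func VerifyHS256(secret, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	hdrBytes, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	payload, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// MintAdminToken shows the consequence of the leak: whoever holds the secret
// can issue a token the panel will accept. Claim names here are assumptions.
func MintAdminToken(secret string) (string, error) {
	return SignHS256(secret, map[string]interface{}{
		"sub":  "analyst",
		"role": "admin",
		"exp":  time.Now().Add(time.Hour).Unix(),
	})
}

func main() {
	tok, err := MintAdminToken(leakedSecret)
	if err != nil {
		panic(err)
	}
	fmt.Println("minted:", tok)
	claims, err := VerifyHS256(leakedSecret, tok)
	fmt.Println("panel accepts it:", err == nil, "role:", claims["role"])
	// Rotating the secret is the remediation: the minted token stops verifying.
	_, err = VerifyHS256("rotated-secret", tok)
	fmt.Println("after rotating the secret:", err)
}
```

The same verifier logic is what a defender would want in their own services: pin the algorithm, compare MACs with hmac.Equal, and keep the secret out of source control so that a code leak never becomes a credential leak.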
Defensive Strategies
Cybersecurity experts recommend several countermeasures to mitigate the threat posed by ERMAC 3.0:
- Hardening Apps Against Overlays and Screen Capture: FLAG_SECURE on sensitive windows stops their contents from being screenshotted or screen-recorded, but it does not stop another app from drawing on top of them. To counter overlays, use Android's overlay protections on login and payment screens, for example Window.setHideOverlayWindows(true) (Android 12 and later, with the HIDE_OVERLAY_WINDOWS permission) and View.setFilterTouchesWhenObscured(true).
- Detecting Malicious Activity: Regularly scan for active C2 and exfiltration servers linked to ERMAC and block applications that reference known malicious IPs or domains.
- Mapping Infrastructure: Use infrastructure search tools such as Hunt.io's HuntSQL queries to map and track ERMAC's panels, APIs and exfiltration servers, so that campaigns can be disrupted proactively.
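As an added example of the indicator-matching step above (written for this page; it is not a Hunt.io tool and does not use HuntSQL), the Go program below pulls IPv4 addresses and hostnames out of strings-style output from a decoded APK and checks them against a blocklist of domains and CIDR ranges. The sample text, the blocked domain and the ranges are constructed for this example from reserved documentation values (example.net, 192.0.2.0/24, 198.51.100.0/24); substitute published ERMAC indicators for real use.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"sort"
	"strings"
)

// sampleStrings is a constructed stand-in for `strings` output from a decoded
// APK. Hosts and addresses are documentation/TEST-NET values chosen for this
// example; they are not real ERMAC indicators.
const sampleStrings = `Lcom/example/app/MainActivity;
https://c2.example.net/api/v1/gate
http://198.51.100.23:8080/upload
okhttp/4.9.3
version 1.2.3.4
https://play.google.com/store
wss://192.0.2.77/ws
sms.example.net`

var (
	ipv4Re = regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)
	hostRe = regexp.MustCompile(`(?i)\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b`)
)

// Blocklist holds blocked domains (matched exactly or as a parent domain)
// and blocked network ranges.
type Blocklist struct {
	domains map[string]struct{}
	nets    []*net.IPNet
}

func NewBlocklist(domains, cidrs []string) (*Blocklist, error) {
	bl := &Blocklist{domains: map[string]struct{}{}}
	for _, d := range domains {
		bl.domains[strings.ToLower(d)] = struct{}{}
	}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		bl.nets = append(bl.nets, n)
	}
	return bl, nil
}

// ExtractIndicators pulls candidate IPv4 addresses and hostnames out of raw
// text. Both regexes over-match on purpose (version strings look like IPs,
// package names can look like hostnames); the blocklist decides what counts.
func ExtractIndicators(text string) (ips, hosts []string) {
	seen := map[string]bool{}
	for _, m := range ipv4Re.FindAllString(text, -1) {
		if net.ParseIP(m) != nil && !seen[m] {
			seen[m] = true
			ips = append(ips, m)
		}
	}
	for _, m := range hostRe.FindAllString(text, -1) {
		h := strings.ToLower(m)
		if !seen[h] {
			seen[h] = true
			hosts = append(hosts, h)
		}
	}
	return ips, hosts
}

// Match returns the sorted, de-duplicated indicators that hit the blocklist.
func (bl *Blocklist) Match(ips, hosts []string) []string {
	hits := map[string]struct{}{}
	for _, s := range ips {
		ip := net.ParseIP(s)
		for _, n := range bl.nets {
			if n.Contains(ip) {
				hits[s] = struct{}{}
				break
			}
		}
	}
	for _, h := range hosts {
		for d := range bl.domains {
			if h == d || strings.HasSuffix(h, "."+d) {
				hits[h] = struct{}{}
				break
			}
		}
	}
	out := make([]string, 0, len(hits))
	for h := range hits {
		out = append(out, h)
	}
	sort.Strings(out)
	return out
}

// ScanStrings runs the pipeline over one text blob with the constructed list.
func ScanStrings(text string) ([]string, error) {
	bl, err := NewBlocklist(
		[]string{"example.net"},                     // constructed C2 domain
		[]string{"192.0.2.0/24", "198.51.100.0/24"}, // constructed C2 ranges
	)
	if err != nil {
		return nil, err
	}
	ips, hosts := ExtractIndicators(text)
	return bl.Match(ips, hosts), nil
}

func main() {
	hits, err := ScanStrings(sampleStrings)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println("blocklisted indicator:", h)
	}
}
```

Matching subdomains against a parent domain and addresses against whole ranges matters because MaaS operators rotate hostnames and neighbouring addresses far more often than they move providers; the benign play.google.com and the version string 1.2.3.4 are extracted but correctly not reported.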
Why ERMAC 3.0 Matters
The leak of ERMAC 3.0’s source code is a double-edged sword:
- For Cybercriminals: It provides a blueprint for launching sophisticated attacks, potentially leading to an increase in financial fraud and data breaches.
- For Defenders: It offers valuable insights into the malware’s operations, enabling the development of effective countermeasures.
As ERMAC continues to evolve, its expanded targeting capabilities and MaaS model make it a persistent and adaptable threat. Organizations and individuals must remain vigilant and adopt proactive cybersecurity measures to protect against this growing menace.
Conclusion
The ERMAC 3.0 source code leak underscores the rapid evolution of Android banking trojans and their increasing sophistication. With its ability to target hundreds of applications and its customizable attack capabilities, ERMAC 3.0 poses a significant risk to users worldwide. However, the exposed vulnerabilities in its infrastructure provide cybersecurity defenders with a unique opportunity to disrupt its operations and mitigate its impact.
Staying informed about such threats and implementing robust defensive strategies is crucial for safeguarding against the ever-evolving landscape of cyber threats.
Additional Resources
For further insights, check:
- ThreatFabric’s Analysis of ERMAC
- NCC Group’s Research on ERMAC and Hook
- Hunt.io’s Report on ERMAC 3.0
References
[1] ThreatFabric (2021). "ERMAC: Another Cerberus Reborn". Retrieved 2025-08-17.