Bitcoin Forum
Author Topic: {Warning}: ERMAC - Cerberus 2.0 and more  (Read 99 times)
Baofeng (OP)
Legendary
September 28, 2021, 11:47:13 AM
#1

{Warning}: Cerberus Android Malware Can Bypass 2FA, Unlock Devices Remotely.

It looks like the Cerberus malware has evolved and been improved by another group of threat actors.

Quote
Compared to the original Cerberus, ERMAC uses a different encryption scheme in communication with the C2: the data is encrypted with AES-128-CBC, and prepended with a double word containing the length of the encoded data.

The commands ERMAC receives and processes are almost identical to the latest Cerberus commands. A couple of commands are added that can clear the cache of the specified application and steal device accounts.

Mode of infection:

Quote
We were able to identify several campaigns with ERMAC involved. The first major campaign started in late August where ERMAC was masquerading as Google Chrome. We have also seen ERMAC masquerading as antivirus, banking, and media player apps.

Targeted applications: (screenshot of the target list from the article, not reproduced here)
And there are a lot of applications, especially banking ones, and then those who have used apps like Amazon.

So stay away from the usual modes of attack/infection from these cyber actors. Check everything before you download any apps to your mobile phone.

https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html

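The C2 framing ThreatFabric describes in the quote above (an AES-128-CBC body prefixed by a double word holding its length), as an added example in Go that is not code from the original post, from ThreatFabric, or from the malware itself. The article only states the cipher mode and the length prefix; everything else here is an assumption made for the example: the length field is little-endian, the plaintext is PKCS#7-padded, the IV travels in front of the ciphertext, and the key, IV and sample command are constructed demo values. A traffic decoder of this shape is what you would write once a key has been recovered from a sample; the point of ParseFrame is that it checks the length prefix against the bytes actually present before decrypting, so a truncated capture or a variant with a different byte order fails loudly instead of yielding garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame layout assumed for this example (only the cipher mode and the
// 4-byte length prefix come from the article):
//   uint32 LE length || 16-byte IV || AES-128-CBC ciphertext (PKCS#7 padded)
// The length covers everything after the prefix.

const blockSize = aes.BlockSize

var errBadFrame = errors.New("ermac-frame: malformed frame")

// pkcs7Pad appends 1..16 bytes so the buffer is a multiple of the block size.
func pkcs7Pad(b []byte) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects any inconsistent tail.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errBadFrame
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errBadFrame
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errBadFrame
		}
	}
	return b[:len(b)-n], nil
}

// BuildFrame encrypts plaintext under a 16-byte key with AES-128-CBC and
// returns lengthPrefix || iv || ciphertext.
func BuildFrame(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != blockSize {
		return nil, errBadFrame
	}
	padded := pkcs7Pad(append([]byte(nil), plaintext...))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(append([]byte(nil), iv...), ct...)
	frame := make([]byte, 4, 4+len(body))
	binary.LittleEndian.PutUint32(frame, uint32(len(body)))
	return append(frame, body...), nil
}

// ParseFrame reverses BuildFrame. The length prefix is validated against the
// bytes actually present before any decryption, and the number of bytes
// consumed is returned so a capture with back-to-back frames can be walked.
func ParseFrame(key, data []byte) (plaintext []byte, consumed int, err error) {
	if len(data) < 4 {
		return nil, 0, errBadFrame
	}
	n := int(binary.LittleEndian.Uint32(data))
	// Smallest valid body is IV + one ciphertext block.
	if n < 2*blockSize || n%blockSize != 0 || len(data)-4 < n {
		return nil, 0, errBadFrame
	}
	body := data[4 : 4+n]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, 0, err
	}
	iv, ct := body[:blockSize], body[blockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pt, err = pkcs7Unpad(pt)
	if err != nil {
		return nil, 0, err
	}
	return pt, 4 + n, nil
}

func main() {
	key := []byte("0123456789abcdef")        // constructed demo key
	iv := []byte("fedcba9876543210")         // constructed demo IV
	msg := []byte(`{"cmd":"getAccounts"}`)  // constructed demo command
	frame, _ := BuildFrame(key, iv, msg)
	fmt.Printf("frame: %x\n", frame)
	pt, used, err := ParseFrame(key, frame)
	fmt.Printf("plaintext=%q consumed=%d err=%v\n", pt, used, err)
	_, _, err = ParseFrame(key, frame[:len(frame)-1]) // truncated capture
	fmt.Println("truncated frame:", err)
}
```

If a real capture fails the length check on every frame, the first thing to revisit is the byte-order assumption (a big-endian prefix would read as an absurdly large length), then whether the IV is really in-band or fixed per build.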
DdmrDdmr
Legendary
September 28, 2021, 02:11:12 PM
#2

I went through the crypto related targeted applications (at least the ones I made out), and it’s actually quite extensive:
Quote
bitbank - Bitcoin & Ripple Wallet
Edge - Bitcoin, Ethereum, Monero, Ripple Wallet
Bitcoin Wallet – Airbitz
Binance - Buy & Sell Bitcoin Securely
Bitfinex
Aplikacja Bitmarket
BitPay – Secure Bitcoin Wallet
Coinbase – Buy & Sell Bitcoin. Crypto Wallet
EO.Finance: Buy and Sell Bitcoin. Crypto Wallet
EXMO Official - Trading crypto on the exchange
Pro: Advanced Bitcoin & Crypto Trading (Kraken)
Mycelium Bitcoin Wallet
Paxful Bitcoin Wallet
Bitcoin Wallet - Buy BTC (Polehin)
CEX.IO Cryptocurrency Exchange
Bitcoin Wallet Coincheck
Besides, there are tons of banking apps, and even some common ones such as Telegram and Outlook.

The article cites that it is disguised in current distributions as antivirus, banking, media player, and Chrome apps, but those can and will change, as any pretext app may be devised for these purposes.
bL4nkcode
Copper Member, Legendary
September 28, 2021, 05:17:00 PM
#3

Their target victims are new users/installations, huh. A good practice to avoid this is to click the download button or redirect button on the official website of the app instead of using the search function of app distribution platforms such as the App Store and Play Store. But the website can be hacked too and the download links can be changed as well, though that's a different case.
The Cryptovator
Legendary
September 28, 2021, 06:11:46 PM
#4

Often I receive spam mail about free Bitcoin or similar free offers. It requires clicking on a link, and they're quite suspicious links. So I never bothered to click this kind of link for fear of malware. Usually, I don't install unnecessary apps on my device if I am not well familiar with them, because most attackers use apps and spam mail to hack our devices. So we need to control our greed once we find a greedy offer.

Thanks OP, for sharing it with the community. It's a lesson for us, not only for newbies.
cryptomaniac_xxx
Hero Member
September 29, 2021, 09:35:06 AM
#5

This is really very dangerous. Cerberus is already one of the biggest threats out there, and now they have developed a more sophisticated iteration of the said malware. And this is another danger of one group working with another one.

There are a lot of crypto applications that the majority of us have been using for years, so this is another reminder to be very careful when downloading crypto apps onto our devices.
zanezane
Full Member
September 29, 2021, 09:51:01 AM
#6

This is scary malware. How can we contract this malware, though? Because it's not said, or is vague. It's a big help if we know how our devices get infected by this malware. Hopefully everyone will stay safe; this is a scary one, as it can bypass 2FA.

stompix
Legendary
September 29, 2021, 01:04:46 PM
#7

Quote from: zanezane
This is scary malware. How can we contract this malware, though? Because it's not said, or is vague. It's a big help if we know how our devices get infected by this malware. Hopefully everyone will stay safe; this is a scary one, as it can bypass 2FA.

Fake apps in GS, APKs downloaded from weird websites, that's the usual way to get it.
Don't download anything fishy, don't trust any website repository because even if they are legit they might themselves be hacked and be distributing malware, don't run any update that pops up in your browser, don't run any auto-downloaded stuff.
And of course, don't open random attachments from strangers.

Also, normally it would be better not to have the 2FA on the same smartphone you use for your daily routine, or not to install sensitive apps on it. Carrying a wallet app with a few thousand around is dangerous even in real-life situations, not just malware attacks.

zanezane
Full Member
September 30, 2021, 09:39:21 AM
#8

Quote from: stompix
Fake apps in GS, APKs downloaded from weird websites, that's the usual way to get it.
Don't download anything fishy, don't trust any website repository because even if they are legit they might themselves be hacked and be distributing malware, don't run any update that pops up in your browser, don't run any auto-downloaded stuff.
And of course, don't open random attachments from strangers.

Also, normally it would be better not to have the 2FA on the same smartphone you use for your daily routine, or not to install sensitive apps on it. Carrying a wallet app with a few thousand around is dangerous even in real-life situations, not just malware attacks.
We need to point out ways to detect whether we are downloading safely, especially on the phone, because that's how some people get hacked or scammed: through their phones, which, unlike a computer, don't have some sort of guard with the help of antivirus.
