Leaked Source Code Exposes ERMAC 3.0: A Dangerous Trojan with Flawed Security
Researchers at Hunt.io have published an in-depth analysis of the Android banking trojan ERMAC 3.0, uncovering not only its enhanced capabilities but also severe flaws within its infrastructure. This iteration expands upon the functionality of its predecessors, introducing new form-injection techniques and broadening its target list to more than 700 applications spanning online banking, e-commerce, and cryptocurrency services.
ERMAC was first documented in 2021 by ThreatFabric, whose researchers noted its ability to overlay legitimate application interfaces with fake login screens in order to intercept user credentials. The trojan was developed by a threat actor operating under the alias DukeEugene and is considered a derivative of the Cerberus and BlackRock malware families. Over time its source code spawned other projects, including Hook (also known as ERMAC 2.0), Pegasus, and Loot, all of which inherited elements of the original framework.
The present analysis by Hunt.io was made possible by the leak of the full source code of this malware-as-a-service platform. The leak exposed the complete ecosystem: a PHP and Laravel backend, a React-based frontend, a Go-based server for exfiltrated data, and an Android application builder panel. Having every component of the toolkit at hand gives rare insight into how the trojan's infrastructure is actually built and operated, rather than how it appears from the outside.
The architecture is divided into multiple layers. A central command-and-control server lets operators monitor infected devices and collect stolen data, including SMS messages, account credentials, and technical device information. The web panel is where operators issue commands, configure overlays, and manage the stolen data, while a dedicated Go server handles the transmission of exfiltrated information. The malware itself, written in Kotlin, communicates with the central C2 infrastructure to receive commands and return the collected data.
Notably, ERMAC intentionally avoids activating on devices located in CIS countries. It also features a custom builder that enables “clients” to configure builds—defining app names, servers, and other parameters of their campaigns.
Version 3.0 introduces refined form-injection techniques, a new Android backdoor, an upgraded control panel, and encrypted communication channels using AES-CBC. Yet despite these advancements, its infrastructure is riddled with vulnerabilities.
Researchers discovered a hardcoded JWT secret, a static admin token, default root credentials, and even the ability to create new administrator accounts without restrictions. Each of these is a classic operational-security failure: a signing secret committed to source code lets anyone who has read that code mint valid panel tokens, a static token or default credentials amount to a password shared with everyone who holds a copy of the leak, and unrestricted registration lets outsiders simply add themselves as administrators. Together they render the system highly exploitable, allowing defenders to monitor and disrupt active campaigns.
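The hardcoded JWT secret is the most instructive of these flaws, so the following Python example, added here for illustration and not taken from the Hunt.io report or the leaked ERMAC code, shows why it matters. It implements a minimal HS256 JWT signer and verifier, then contrasts a panel whose signing secret is a constant in the source (a placeholder value, not the real one) with a panel that loads a per-deployment secret from its environment. Against the first, a token forged with the leaked constant verifies as an administrator; against the second, the same forged token is rejected. All names, the claim layout, and the environment variable are assumptions for the demonstration.

```python
"""Illustration of the hardcoded-JWT-secret failure mode (added example, not ERMAC code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Produce a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the token is well formed, HS256-signed with `secret`, and unexpired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None  # refuse algorithm substitution (e.g. "none")
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad splits, bad base64 and bad JSON
        return None
    if claims.get("exp", 0) < time.time():
        return None
    return claims


# Vulnerable pattern: the signing secret is a constant in the repository, so a source
# leak hands it to everyone. Placeholder value for the demonstration, not ERMAC's secret.
HARDCODED_SECRET = b"panel-jwt-secret-placeholder"


def _forged_admin_token() -> str:
    """What an outsider who has read the leaked source can mint."""
    claims = {"sub": "outsider", "role": "admin", "exp": int(time.time()) + 3600}
    return sign_jwt(claims, HARDCODED_SECRET)


def vulnerable_panel_accepts_forged_admin() -> bool:
    """The panel verifies with the same constant, so the forged token is accepted as admin."""
    claims = verify_jwt(_forged_admin_token(), HARDCODED_SECRET)
    return claims is not None and claims.get("role") == "admin"


# Hardened pattern: a random secret generated at deployment and read from the environment.
def load_secret_from_env(env: dict) -> bytes:
    """Hypothetical PANEL_JWT_SECRET variable; refuse to start without a strong value."""
    value = env.get("PANEL_JWT_SECRET")
    if not value or len(value) < 32:
        raise RuntimeError("PANEL_JWT_SECRET is missing or too short")
    return value.encode()


def hardened_panel_rejects_forged_admin() -> bool:
    """Same forged token, but the panel's secret never appeared in the source tree."""
    env = {"PANEL_JWT_SECRET": secrets.token_urlsafe(48)}  # constructed deployment environment
    deploy_secret = load_secret_from_env(env)
    return verify_jwt(_forged_admin_token(), deploy_secret) is None


if __name__ == "__main__":
    print("hardcoded secret accepts forged admin:", vulnerable_panel_accepts_forged_admin())
    print("per-deployment secret rejects it:    ", hardened_panel_rejects_forged_admin())
```

The same logic applies to the static admin token the researchers found: any fixed bearer value that ships with the code is effectively public once the code is. Rotating to a per-deployment secret, as in the hardened function, invalidates every token minted with the leaked constant at once, which is also why defenders who obtain such a constant should expect the access it grants to be short-lived once operators notice.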
Thus, ERMAC 3.0 epitomizes the dual nature of modern malware: on one hand, a dangerous and evolving tool with advanced functionalities; on the other, a flawed project plagued with critical implementation errors that can easily backfire against its creators.