ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure

Cybersecurity researchers have disclosed the detailed architecture of ERMAC 3.0, an Android banking trojan with enhanced capabilities for targeting over 700 applications. The leaked source code exposed critical weaknesses in the malware's own infrastructure, giving defenders opportunities for detection and disruption. #ERMAC3.0 #DukeEugene #AndroidTrojan #BankingMalware

Key points

  • ERMAC 3.0 demonstrates expanded form injection and data theft features targeting banking, shopping, and cryptocurrency apps.
  • The malware’s source code was leaked from an open directory, revealing its backend, exfiltration server, and Android builder panel components.
  • Components include a Command and Control (C2) server, frontend panel, Golang exfiltration server, and Kotlin-based Android backdoor.
  • Security flaws such as hardcoded secrets, default credentials, and open registration on admin panels were identified, aiding detection and disruption efforts.
  • ERMAC descends from an older malware family and shares code lineage with Hook, Pegasus, and Loot; it is linked to the threat actor DukeEugene.

Read More: https://thehackernews.com/2025/08/ermac-v30-banking-trojan-source-code.html