Intro
On July 23 a forum post appeared regarding a new Android banking trojan. The attached screenshots show that it is named ERMAC. Our investigation shows that ERMAC is almost fully based on the well-known banking trojan Cerberus, and is being operated by BlackRock actor(s).
Context
On August 17, a forum member named “ermac” invited anyone interested in this topic to send a PM to make a deal. The user registered just the day before and posted a similar advertisement in his profile. Interestingly enough, the topic starter said that he found the contact 4 days earlier. On the same day, another forum member, “DukeEugene”, posted a message in his account:
“Android botnet ERMAC. I will rent a new android botnet with wide functionality to a narrow circle of people (10 people). 3k$ per month. Details in PM.”
DukeEugene is known as an actor behind the BlackRock banking trojan that we discovered in 2020. DukeEugene claimed to be the one of the actors shortly after we published our discovery.
We believe that DukeEugene switched from using BlackRock in its operations to ERMAC, as we no longer saw fresh BlackRock samples since the first mentions of ERMAC. One of the reasons behind it could be that BlackRock was discredited: DukeEugene claimed on the forum that one of the buyers who got their bot for test began to scam people advertising it as a new Amplebot banking trojan. The name was taken from the BlackRock’s admin panel, which was built using AmpleAdmin template, and the actors didn’t change the logo and the name.
To summarize the story full of twists: a new banking malware appeared on the threat landscape called ERMAC. But is it really new?
You can’t escape Cerberus
If we investigate ERMAC, we can find out that ERMAC is a code-wise inheritor of a well-known malware Cerberus. It uses almost identical data structures when communicating with the C2, it uses the same string data, et cetera.
When we first encountered ERMAC samples, we thought it to be just another variant of Cerberus since the code was leaked several times and a lot of actors try to build their own malware based on its sources. However, the admin panel login page clearly states that this is ERMAC indeed:
Despite the usage of different obfuscation techniques and new method of string encryption – using Blowfish encryption algorithm, we can definitely state that ERMAC is another Cerberus-based trojan.
Compared to the original Cerberus, ERMAC uses different encryption scheme in communication with the C2: the data is encrypted with AES-128-CBC, and prepended with double word containing the length of the encoded data:
Another point to support the connection between BlackRock actor(s) and ERMAC actor(s): both BlackRock and ERMAC are known to use 185.215.113.* IP addresses as their C2.
Commands list
The commands ERMAC receives and processes, are almost identical to the latest Cerberus commands. A couple of commands are added that can clear the cache of the specified application and steal device accounts (new commands bold).
Command | Description |
---|---|
push | Shows a push notification (clicking on the notification will result in launching specified app) |
startAuthenticator2 | Launches the Google Authenticator application |
startAdmin | Triggers request for admin privileges |
startApp | Starts the specified application |
getInstallApps | Gets the list of applications installed on the device |
getContacts | Gets the contact names and phone numbers from the address book of the infected device |
deleteApplication | Triggers the removal of the specified application |
forwardCall | Enables call forwarding to the specified number |
sendSms | Sends a text message with specified text from the infected device to the specified phone number |
SendSMSALL | Sends text messages with specified text from the infected device to all contacts of the infected device |
startInject | Triggers the overlay attack against the specified application |
startUssd | Executes the specified USSD code |
openUrl | Opens the specified URL in the WebView |
getSMS | Gets all text messages from the infected device |
killMe | Triggers the kill switch for the bot |
updateModule | Updates the payload module |
updateInjectAndListApps | Triggers update of the target list |
clearCash/clearCashe | Triggers opening specified application details |
getAccounts/logAccounts | Triggers stealing a list of the accounts on the device |
Campaigns
We were able to identify several campaigns with ERMAC involved. The first major campaign started in late August where ERMAC was masquerading as Google Chrome. We have also seen ERMAC masquerading as antivirus, banking, and media player apps.
At the time of writing this blog we see ERMAC targeting Poland and being distributed under the guise of delivery service and government applications (special thanks to @malwrhunterteam):
Conclusion
The story of ERMAC shows one more time how malware source code leaks can lead not only to slow evaporation of the malware family but also bring new threats/actors to the threat landscape. Being built on Cerberus basement, ERMAC introduces couple of new features. Although it lacks some powerful features like RAT, it remains a threat for mobile banking users and financial institutions all over the world.
How we help our customers
ThreatFabric makes it easier than it has ever been to run a secure mobile payments business. With the most advanced threat intelligence for mobile banking, financial institutions can build a risk-based mobile security strategy and use this unique knowledge to detect fraud-by-malware on the mobile devices of customers in real-time.
Together with our customers and partners, we are building an easy-to-access information system to tackle the ever growing threat of mobile malware targeting the financial sector. We especially like to thank the Cyber Defence Alliance (CDA) for collaborating and proactively sharing knowledge and information across the financial sector to fight cyber-threats.
ThreatFabric has partnerships with TIPs all over the world.
If you want to request a free trial of our MTI-feed, or want to test our own MTI portal for 30 days, feel free to contact us at: sales@threatfabric.com
If you want more information on how we detect mobile malware on mobile devices, you can directly contact us at: info@threatfabric.com
Appendix
ERMAC Samples
App name | Package name | SHA-256 |
---|---|---|
mObywatel | com.tafupqzpqgmn.tmnhkq | 495a0621b2afc6adefbf17dc6c3cf5e92ba8227ac6939a20439b1b9dde878617 |
Google Chrome | com.hxfumpfgokky.bufvpk | 2de0f59fd03512e5527c8b8b19595483564ae54cd4904457c4f5bf127949019d |
DPD Mobile | com.mhyjbezusdvpxu.jukviuhn | 1032b42c859c747bcc159b75366c3325869d3722f5673d13a7b06633245ebf32 |
BoxDeals | com.czxvfknrqnqv.huslcn | 65619e3afe53268f5cbe5eae6a429f23e712c4412eda8c70dcfd3ebb25382894 |
C2 URL
URL |
---|
hxxp://185.215.113.42:3000/gate.php |
hxxp://185.215.113.94:3000/gate.php |
hxxp://185.215.113.81:3000/gate.php |
hxxp://178.132.6.150:3000/gate.php |
Targets
The list of the targeted applications.
PackageName | AppName |
---|---|
alior.bankingapp.android | Usługi Bankowe |
app.wizink.es | WiZink, tu banco senZillo |
ar.com.santander.rio.mbanking | Santander Argentina |
at.spardat.bcrmobile | Touch 24 Banking BCR |
at.volksbank.volksbankmobile | Volksbank hausbanking |
au.com.amp.myportfolio.android | My AMP |
au.com.bankwest.mobile | Bankwest |
au.com.commbank.commbiz.prod | CommBiz |
au.com.cua.mb | CUA Mobile Banking |
au.com.hsbc.hsbcaustralia | HSBC Australia |
au.com.ingdirect.android | ING Australia Banking |
au.com.macquarie.authenticator | Macquarie Authenticator |
au.com.macquarie.banking | Macquarie Mobile Banking |
au.com.mebank.banking | ME Bank |
au.com.nab.mobile | NAB Mobile Banking |
au.com.newcastlepermanent | NPBS Mobile Banking |
au.com.rams.RAMS | myRAMS |
au.com.suncorp.SuncorpBank | Suncorp Bank |
au.com.ubank.internetbanking | UBank Mobile Banking |
ca.mobile.explorer | CA Mobile |
ca.tangerine.clients.banking.app | Tangerine Mobile Banking |
cc.bitbank.bitbank | bitbank – Bitcoin & Ripple Wallet |
cgd.pt.caixadirectaparticulares | Caixadirecta |
ch.autoscout24.autoscout24 | AutoScout24 Switzerland – Find your new car |
cl.bancochile.mbanking | Mi Banco de Chile |
clientapp.swiftcom.org | ePayments: wallet & bank card |
co.edgesecure.app | Edge – Bitcoin, Ethereum, Monero, Ripple Wallet |
co.zip | Zip – Shop Now, Pay Later |
com.BOQSecure | BOQ Secure |
com.CIMB.OctoPH | CIMB Bank PH |
com.CredemMobile | Credem |
com.EurobankEFG | Eurobank Mobile App |
com.IngDirectAndroid | ING France |
com.Plus500 | Plus500: CFD Online Trading on Forex and Stocks |
com.Version1 | PNB ONE |
com.aadhk.woinvoice | Invoice Maker: Estimate & Invoice App |
com.abanca.bancaempresas | ABANCA Empresas |
com.abanca.bm.pt | ABANCA – Portugal |
com.abnamro.nl.mobile.payments | ABN AMRO Mobiel Bankieren |
com.advantage.RaiffeisenBank | Raiffeisen Smart Mobile |
com.aff.otpdirekt | OTP SmartBank |
com.airbitz | Bitcoin Wallet – Airbitz |
com.akbank.android.apps.akbank_direkt | Akbank |
com.albarakaapp | Albaraka Mobile Banking |
com.alrajhiretailapp | Al Rajhi Mobile |
com.amazon.mShop.android.shopping | Amazon Shopping – Search, Find, Ship, and Save |
com.amazon.sellermobile.android | Amazon Seller |
com.ambank.ambankonline | AmOnline |
com.americanexpress.android.acctsvcs.us | Amex |
com.android.vending | Google Play |
com.anz.android.gomoney | ANZ Australia |
com.anz.transactive.global | ANZ Transactive – Global |
com.aol.mobile.aolapp | AOL – News, Mail & Video |
com.appfactory.tmb | Teachers Mutual Bank |
com.arkea.android.application.cmb | Crédit Mutuel de Bretagne |
com.arkea.android.application.cmso2 | CMSO ma banque : solde, virement & épargne |
com.att.myWireless | myAT&T |
com.azimo.sendmoney | Azimo Money Transfer |
com.bancodebogota.bancamovil | Banco de Bogotá |
com.bancomer.mbanking | BBVA México (Bancomer Móvil) |
com.bankaustria.android.olb | Bank Austria MobileBanking |
com.bankinter.empresas | Bankinter Empresas |
com.bankinter.launcher | Bankinter Móvil |
com.bankofqueensland.boq | BOQ Mobile |
com.barclaycardus | Barclays US |
com.barclays.android.barclaysmobilebanking | Barclays |
com.barclays.ke.mobile.android.ui | Barclays Kenya |
com.bbva.bbvacontigo | BBVA Spain |
com.bbva.mobile.pt | BBVA Portugal |
com.bbva.netcash | BBVA Net Cash | ES & PT |
com.bbva.nxt_peru | BBVA Perú |
com.bcp.bank.bcp | Banca Móvil BCP |
com.bendigobank.mobile | Bendigo Bank |
com.binance.dev | Binance – Buy & Sell Bitcoin Securely |
com.bitfinex.mobileapp | Bitfinex |
com.bitmarket.trader | Aplikacja Bitmarket |
com.bitpay.wallet | BitPay – Secure Bitcoin Wallet |
com.bmo.mobile | BMO Mobile Banking |
com.bmoharris.digital | BMO Digital Banking |
com.bochk.com | BOCHK |
com.botw.mobilebanking | Bank of the West Mobile |
com.boursorama.android.clients | Boursorama Banque |
com.btcturk | BtcTurk Bitcoin Borsası |
com.caisse.epargne.android.tablette | Banque pour tablettes Android |
com.caisseepargne.android.mobilebanking | Banque |
com.cajasiete.android.cajasietereport | Report |
com.cajasur.android | Cajasur |
com.chase.sig.android | Chase Mobile |
com.cibc.android.mobi | CIBC Mobile Banking® |
com.cic_prod.bad | CIC |
com.cimbmalaysia | CIMB Clicks Malaysia |
com.citibank.CitibankMY | Citibank MY |
com.citizensbank.androidapp | Citizens Bank Mobile Banking |
com.clairmail.fth | Fifth Third Mobile Banking |
com.cm_prod.bad | Crédit Mutuel |
com.coinbase.android | Coinbase – Buy & Sell Bitcoin. Crypto Wallet |
com.comarch.mobile.banking.bgzbnpparibas.biznes | Mobile BiznesPl@net |
com.comarch.security.mobilebanking | ING Business |
com.commbank.netbank | CommBank |
com.connectivityapps.hotmail | Connect for Hotmail & Outlook: Mail and Calendar |
com.cooperativebank.bank | The Co-operative Bank |
com.csam.icici.bank.imobile | iMobile by ICICI Bank |
com.db.mm.norisbank | norisbank App |
com.db.pbc.DBPay | DB Pay |
com.db.pbc.miabanca | La Mia Banca |
com.db.pbc.mibanco | Mi Banco db |
com.db.pwcc.dbmobile | Deutsche Bank Mobile |
com.denizbank.mobildeniz | MobilDeniz |
com.desjardins.mobile | Desjardins mobile services |
com.dhanlaxmi.dhansmart.mtc | Dhanlaxmi Bank Mobile Banking |
com.discoverfinancial.mobile | Discover Mobile |
com.ebay.mobile | eBay: Buy, sell, and save money on home essentials |
com.empik.empikapp | Empik |
com.empik.empikfoto | Empik Foto |
com.engage.pbb.pbengage2my.release | PB engage MY |
com.eofinance | EO.Finance: Buy and Sell Bitcoin. Crypto Wallet |
com.exictos.mbanka.bic | Banco BIC, SA |
com.exmo | EXMO Official – Trading crypto on the exchange |
com.facebook.katana | |
com.fi7026.godough | Commercial Bank Mobile Banking |
com.fibabanka.Fibabanka.mobile | Fibabanka Mobile |
com.fibabanka.mobile | Fibabanka Corporate Mobile |
com.finansbank.mobile.cepsube | QNB Finansbank Mobile Banking |
com.finanteq.finance.bgz | BNP Paribas GOMobile |
com.finanteq.finance.ca | CA24 Mobile |
com.fortuneo.android | Fortuneo, mes comptes banque & bourse en ligne |
com.fullsix.android.labanquepostale.accountaccess | La Banque Postale |
com.fusion.ATMLocator | People’s Choice Credit Union |
com.fusion.banking | Bank Australia app |
com.fusion.beyondbank | Beyond Bank Australia |
com.garanti.cepsubesi | Garanti BBVA Mobile |
com.getingroup.mobilebanking | Getin Mobile |
com.gmowallet.mobilewallet | ビットコイン・暗号資産(仮想通貨)ウォレットアプリ GMOコイン\|チャート・購入・レバレッジ取引 |
com.google.android.gm | Gmail |
com.greater.Greater | Greater Bank |
com.grppl.android.shell.BOS | Bank of Scotland Mobile Banking: secure on the go |
com.grppl.android.shell.CMBlloydsTSB73 | Lloyds Bank Mobile Banking: by your side |
com.grppl.android.shell.halifax | Halifax: the banking app that gives you extra |
com.grupoavaloc1.bancamovil | Banco de Occidente Móvil |
com.grupocajamar.wefferent | Grupo Cajamar |
com.hsbc.hsbcnet | HSBCnet Mobile |
com.htsu.hsbcpersonalbanking | HSBC Mobile Banking |
com.ideomobile.hapoalim | בנק הפועלים – ניהול החשבון |
com.imaginbank.app | imaginBank – Your mobile bank |
com.imo.android.imoim | imo free video calls and chat |
com.imo.android.imoimbeta | imo beta free calls and text |
com.imo.android.imoimhd | imo HD-Free Video Calls and Chats |
com.indra.itecban.mobile.novobanco | NBapp Spain |
com.indra.itecban.triodosbank.mobile.banking | Triodos Bank. Banca Móvil |
com.infonow.bofa | Bank of America Mobile Banking |
com.infrasofttech.CentralBank | Cent Mobile |
com.infrasofttech.MahaBank | Maha Mobile |
com.ingbanktr.ingmobil | ING Mobil |
com.instagram.android | |
com.isis_papyrus.raiffeisen_pay_eyewdg | Raiffeisen ELBA |
com.itau.empresas | Itaú Empresas: Controle e Gestão do seu Negócio |
com.kasikorn.retail.mbanking.wap | K PLUS |
com.key.android | KeyBank Mobile |
com.konylabs.HongLeongConnect | Hong Leong Connect Mobile Banking |
com.konylabs.capitalone | Capital One® Mobile |
com.konylabs.cbplpat | Citi Handlowy |
com.kraken.trade | Pro: Advanced Bitcoin & Crypto Trading |
com.krungsri.kma | KMA |
com.kutxabank.android | Kutxabank |
com.kuveytturk.mobil | Kuveyt Türk |
com.latuabancaperandroid | Intesa Sanpaolo Mobile |
com.leumi.leumiwallet | לאומי |
com.lynxspa.bancopopolare | YouApp |
com.magiclick.odeabank | Odeabank |
com.mail.mobile.android.mail | mail.com mail |
com.mcom.firstcitizens | First Citizens Mobile Banking |
com.mercadolibre | Mercado Libre: compra fácil y rápido |
com.mercadopago.wallet | Mercado Pago |
com.mfoundry.mb.android.mb_136 | People’s United Bank Mobile |
com.microsoft.office.outlook | Microsoft Outlook: Organize Your Email & Calendar |
com.mobikwik_new | BHIM UPI, Money Transfer, Recharge & Bill Payment |
com.mobileloft.alpha.droid | myAlpha Mobile |
com.mobillium.papara | Papara |
com.moneybookers.skrillpayments | Skrill – Fast, secure online payments |
com.moneybookers.skrillpayments.neteller | NETELLER – fast, secure and global money transfers |
com.msf.kbank.mobile | Kotak – 811 & Mobile Banking |
com.mtel.androidbea | BEA 東亞銀行 |
com.mycelium.wallet | Mycelium Bitcoin Wallet |
com.navyfederal.android | Navy Federal Credit Union |
com.nearform.ptsb | permanent tsb |
com.netflix.mediaclient | Netflix |
com.ocito.cdn.activity.creditdunord | Crédit du Nord pour Mobile |
com.oxigen.oxigenwallet | Bill Payment & Recharge,Wallet |
com.paribu.app | Paribu |
com.paxful.wallet | Paxful Bitcoin Wallet |
com.payeer | PAYEER |
com.payoneer.android | Payoneer – Global Payments Platform for Businesses |
com.paypal.android.p2pmobile | PayPal Mobile Cash: Send and Request Money Fast |
com.pcfinancial.mobile | Simplii Financial |
com.pnc.ecommerce.mobile | PNC Mobile |
com.polehin.android | Bitcoin Wallet – Buy BTC |
com.pozitron.iscep | İşCep – Mobile Banking |
com.pttfinans | PTTBank |
com.quoine.quoinex.light | Liquid by Quoineライト版(リキッドバイコイン) -ビットコインなどの仮想通貨取引所 |
com.rbc.mobile.android | RBC Mobile |
com.rbs.mobile.android.natwest | NatWest Mobile Banking |
com.rbs.mobile.android.rbs | Royal Bank of Scotland Mobile Banking |
com.rsi | ruralvía |
com.samba.mb | SambaMobile |
com.santander.bpi | Santander Private Banking |
com.sbi.SBAnywhereCorporate | SBI Anywhere Corporate |
com.sbi.SBIFreedomPlus | Yono Lite SBI – Mobile Banking |
com.scb.phone | SCB EASY |
com.scotiabank.banking | Scotiabank Mobile Banking |
com.snapchat.android | Snapchat |
com.snapwork.IDBI | IDBI Bank GO Mobile+ |
com.snapwork.hdfc | HDFC Bank MobileBanking |
com.squareup.cash | Cash App |
com.starfinanz.smob.android.sfinanzstatus | Sparkasse Ihre mobile Filiale |
com.suntrust.mobilebanking | SunTrust Mobile App |
com.targo_prod.bad | TARGOBANK Mobile Banking |
com.tarjetanaranja.emisor.serviciosClientes.appTitulares | Naranja |
com.td | TD Canada |
com.tdbank | TD Bank (US) |
com.teb | CEPTETEB |
com.tecnocom.cajalaboral | Banca Móvil Laboral Kutxa |
com.tencent.mm | |
com.tideplatform.banking | Tide – Smart Mobile Banking |
com.tmobtech.halkbank | Halkbank Mobil |
com.todo1.davivienda.mobileapp | Davivienda Móvil |
com.todo1.mobile | Bancolombia App Personas |
com.transferwise.android | TransferWise Money Transfer |
com.twitter.android | |
com.twitter.android.lite | Twitter Lite |
com.ubercab | Uber – Request a ride |
com.ubercab.eats | Uber Eats: Food Delivery |
com.unicredit | Mobile Banking UniCredit |
com.unionbank.ecommerce.mobile.android | Union Bank Mobile Banking |
com.unocoin.unocoinwallet | Unocoin Wallet |
com.usaa.mobile.android.usaa | USAA Mobile |
com.usbank.mobilebanking | U.S. Bank – Inspired by customers |
com.uy.itau.appitauuypf | Itaú Uruguay |
com.vakifbank.mobile | VakıfBank Mobil Bankacılık |
com.vancity.mobileapp | Vancity |
com.viber.voip | Viber Messenger – Messages, Group Chats & Calls |
com.westernunion.moneytransferr3app.es | Western Union ES – Send Money Transfers Quickly |
com.wf.wellsfargomobile | Wells Fargo Mobile |
com.whatsapp | WhatsApp Messenger |
com.whatsapp.w4b | WhatsApp Business |
com.woodforest | Woodforest Mobile Banking |
com.wrx.wazirx | WazirX – Buy Sell Bitcoin & Other Cryptocurrencies |
com.yahoo.mobile.client.android.mail | Yahoo Mail – Organized Email |
com.ykb.android | Yapı Kredi Mobile |
com.zellepay.zelle | Zelle |
com.ziraat.ziraatmobil | Ziraat Mobile |
com.zoluxiones.officebanking | Banco Santander Perú S.A. |
cz.csob.smartbanking | ČSOB Smartbanking |
de.adesso_mobile.secureapp.netbank | SecureApp netbank |
de.comdirect.android | comdirect mobile App |
de.commerzbanking.mobil | Commerzbank Banking – The app at your side |
de.consorsbank | Consorsbank |
de.dkb.portalapp | DKB-Banking |
de.fiducia.smartphone.android.banking.vr | VR Banking Classic |
de.ingdiba.bankingapp | ING Banking to go |
de.mobile.android.app | mobile.de – Germany‘s largest car market |
de.number26.android | N26 — The Mobile Bank |
de.postbank.finanzassistent | Postbank Finanzassistent |
de.santander.presentation | Santander Banking |
de.traktorpool | tractorpool |
enterprise.com.anz.shield | ANZ Shield |
es.bancosantander.apps | Santander |
es.bancosantander.empresas | Santander Empresas |
es.caixagalicia.activamovil | ABANCA- Banca Móvil |
es.caixageral.caixageralapp | Banco Caixa Geral España |
es.ceca.cajalnet | Cajalnet |
es.cm.android | Bankia |
es.evobanco.bancamovil | EVO Banco móvil |
es.ibercaja.ibercajaapp | Ibercaja |
es.lacaixa.mobile.android.newwapicon | CaixaBank |
es.liberbank.cajasturapp | Banca Digital Liberbank |
es.openbank.mobile | Openbank – banca móvil |
es.pibank.customers | Pibank |
es.univia.unicajamovil | UnicajaMovil |
eu.atlantico.bancoatlanticoapp | MY ATLANTICO |
eu.eleader.mobilebanking.invest | plusbank24 |
eu.eleader.mobilebanking.pekao | Pekao24Makler |
eu.eleader.mobilebanking.pekao.firm | PekaoBiznes24 |
eu.inmite.prj.kb.mobilbank | Mobilni Banka |
eu.netinfo.colpatria.system | Scotiabank Colpatria |
eu.unicreditgroup.hvbapptan | HVB Mobile Banking |
finansbank.enpara | Enpara.com Cep Şubesi |
fr.banquepopulaire.cyberplus | Banque Populaire |
fr.creditagricole.androidapp | Ma Banque |
fr.laposte.lapostemobile | La Poste – Services Postaux |
fr.lcl.android.customerarea | Mes Comptes – LCL |
fr.oney.mobile.mescomptes | Oney France |
gr.winbank.mobilenext | Winbank Mobile |
gt.com.bi.bienlinea | Bi en Línea |
hr.asseco.android.mtoken.bos | iBOSStoken |
hu.bb.mobilapp | Budapest Bank Mobil App |
hu.cardinal.cib.mobilapp | CIB Business Online |
hu.cardinal.erste.mobilapp | Erste Business MobilBank |
hu.mkb.mobilapp | MKB Mobilalkalmazás |
id.co.bitcoin | Indodax |
io.cex.app.prod | CEX.IO Cryptocurrency Exchange |
io.ethos.universalwallet | Ethos Universal Wallet |
it.bnl.apps.banking | BNL |
it.carige | Carige Mobile |
it.copergmps.rt.pf.android.sp.bmps | Banca MPS |
it.ingdirect.app | ING Italia |
it.nogood.container | UBI Banca |
it.popso.SCRIGNOapp | SCRIGNOapp |
jp.co.netbk | 住信SBIネット銀行 |
jp.co.rakuten_bank.rakutenbank | 楽天銀行 -個人のお客様向けアプリ |
jp.coincheck.android | Bitcoin Wallet Coincheck |
ktbcs.netbank | Krungthai NEXT |
ma.gbp.pocketbank | Pocket Bank |
mbanking.NBG | NBG Mobile Banking |
me.cryptopay.android | C.PAY |
mobi.societegenerale.mobile.lappli | L’Appli Société Générale |
mx.bancosantander.supermovil | Santander móvil |
my.com.hsbc.hsbcmalaysia | HSBC Malaysia |
my.com.maybank2u.m2umobile | Maybank2u MY |
net.bnpparibas.mescomptes | Mes Comptes BNP Paribas |
net.garagecoders.e_llavescotiainfo | ScotiaMóvil |
net.inverline.bancosabadell.officelocator.android | Banco Sabadell App. Your mobile bank |
nz.co.asb.asbmobile | ASB Mobile Banking |
org.banking.bom.businessconnect | Bank of Melbourne Business App |
org.banking.bsa.businessconnect | BankSA Business App |
org.banking.stg.businessconnect | St.George Business App |
org.banksa.bank | BankSA Mobile Banking |
org.bom.bank | Bank of Melbourne Mobile Banking |
org.microemu.android.model.common.VTUserApplicationLINKMB | Link Celular |
org.stgeorge.bank | St.George Mobile Banking |
org.telegram.messenger | Telegram |
org.toshi | Coinbase Wallet — Crypto Wallet & DApp Browser |
org.westpac.bank | Westpac Mobile Banking |
org.westpac.col | Westpac Corporate Mobile |
pe.com.interbank.mobilebanking | Interbank APP |
pegasus.project.ebh.mobile.android.bundle.mobilebank | George Magyarország |
piuk.blockchain.android | Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum |
pl.aliorbank.aib | Alior Mobile |
pl.allegro | Allegro – convenient and secure online shopping |
pl.bph | BusinessPro Lite |
pl.bps.bankowoscmobilna | BPS Mobilnie |
pl.bzwbk.bzwbk24 | Santander mobile |
pl.bzwbk.ibiznes24 | iBiznes24 mobile |
pl.ceneo | Ceneo – zakupy i promocje |
pl.com.rossmann.centauros | Rossmann PL |
pl.envelobank.aplikacja | EnveloBank |
pl.eurobank2 | eurobank mobile 2.0 |
pl.fakturownia | Fakturownia.pl |
pl.ideabank.mobilebanking | Idea Bank PL |
pl.ifirma.ifirmafaktury | IFIRMA – Darmowy Program do Faktur |
pl.ing.mojeing | Moje ING mobile |
pl.mbank | mBank PL |
pl.millennium.corpApp | Bank Millennium for Companies |
pl.nestbank.nestbank | Nest Bank nowy |
pl.noblebank.mobile | Noble Mobile |
pl.orange.mojeorange | Mój Orange |
pl.pkobp.iko | IKO |
pl.pkobp.ipkobiznes | iPKO biznes |
pl.raiffeisen.nfc | Mobilny Portfel |
posteitaliane.posteapp.apppostepay | Postepay |
pt.bancobpi.mobile.fiabilizacao | BPI APP |
pt.novobanco.nbapp | NB smart app |
pt.santandertotta.mobileparticulares | Santander Particulares |
ro.btrl.mobile | Banca Transilvania |
softax.pekao.powerpay | PeoPay |
tr.com.hsbc.hsbcturkey | HSBC Turkey |
tr.com.sekerbilisim.mbank | ŞEKER MOBİL ŞUBE |
tsb.mobilebanking | TSB Bank Mobile Banking |
uk.co.hsbc.hsbcukmobilebanking | HSBC UK Mobile Banking |
uk.co.mbna.cardservices.android | MBNA – Card Services App |
uk.co.metrobankonline.mobile.android.production | Metro Bank |
uk.co.santander.santanderUK | Santander Mobile Banking |
uk.co.tescomobile.android | Tesco Mobile |
uk.co.tsb.newmobilebank | TSB Mobile Banking |
uy.brou | App Móvil del Banco República |
uy.com.brou.token | BROU Llave Digital |
wit.android.bcpBankingApp.millennium | Millenniumbcp |
wit.android.bcpBankingApp.millenniumPL | Bank Millennium |
www.ingdirect.nativeframe | ING España. Banca Móvil |
To read the original article:
https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html