ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure
Aug 16, 2025
Android / Malware
Cybersecurity researchers have detailed the inner workings of an Android banking trojan called ERMAC 3.0, uncovering serious shortcomings in the operators' infrastructure. "The newly uncovered version 3.0 reveals a significant evolution of the malware, expanding its form injection and data theft capabilities to target more than 700 banking, shopping, and cryptocurrency applications," Hunt.io said in a report. ERMAC was first documented by ThreatFabric in September 2021, detailing its ability to conduct overlay attacks against hundreds of banking and cryptocurrency apps across the world. Attributed to a threat actor named DukeEugene, it's assessed to be an evolution of Cerberus and BlackRock. Other commonly observed malware families – including Hook (ERMAC 2.0), Pegasus, and Loot – possess a shared lineage: An ancestor in the form of ERMAC from which source code components have been passed down and modified through generations. Hunt.io said it managed to obt...
