Researchers at Cyble Research & Intelligence Labs (CRIL) found the ERMAC Android banking trojan being distributed through phishing attacks. Users looking to download apps such as PayPal and Snapchat were led to a look-alike website serving a malicious ERMAC APK.
How was the phishing campaign created?
Cybercriminals created fake versions of well-known Android application hosting platforms such as the Google Play Store, APKCombo and APKPure. They registered typosquatting domains, that is, legitimately registered domain names whose spelling differs only slightly from the real one. In this case, websites with misspelled names or typos of Google Play Store or APKPure appeared in ordinary online searches made by users.
When users typed the misspelled website names into their browsers, they were directed to the malicious websites and offered the desired apps, which were also infected. Some of the misspelled names were Google Payce, Tlk tok, PaltPal etc. These fake versions, laced with the malicious ERMAC APK, impacted Windows and Android users.
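The campaign above relies on domain names that are an edit or two away from a real brand. A defender can screen newly observed hostnames (from DNS logs, proxy logs or certificate transparency feeds) for exactly that property. The following is an added example, not code from CRIL or The Cyber Express; the brand allow-list and the sample hostnames are constructed for illustration, and the suffix handling is a deliberate simplification (it treats only the last label as the public suffix rather than consulting the Public Suffix List).

```python
"""Flag hostnames that look like typosquats of known brand domains.

Added example, not part of the original article. The brand list and the
sample hostnames are constructed; a real deployment would load the
allow-list from the organisation's own brand inventory.
"""
from __future__ import annotations

# Constructed allow-list of legitimate registrable domains (assumption).
KNOWN_BRANDS = {
    "paypal.com",
    "snapchat.com",
    "apkpure.com",
    "apkcombo.com",
    "play.google.com",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Return the label left of the suffix, e.g. 'paypal' for 'www.paypal.com'.
    Simplification: the last label is assumed to be the public suffix."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(host: str, brands=KNOWN_BRANDS, max_distance: int = 2) -> str | None:
    """Return the brand domain a hostname appears to imitate, or None.

    A hostname equal to a brand domain (or a subdomain of it) is genuine.
    Anything else whose registrable label is within `max_distance` edits of a
    brand label is flagged; distance 0 covers the same brand on a different
    suffix (e.g. a constructed 'paypal.net'), which is also a look-alike.
    """
    host = host.lower().rstrip(".")
    for brand in brands:
        if host == brand or host.endswith("." + brand):
            return None
    label = registrable_label(host)
    best: tuple[str, int] | None = None
    for brand in sorted(brands):  # sorted for deterministic tie-breaking
        d = edit_distance(label, registrable_label(brand))
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best[0] if best else None


def scan(hosts: list[str]) -> dict[str, str]:
    """Map each suspicious hostname to the brand it resembles."""
    hits = {}
    for h in hosts:
        brand = classify(h)
        if brand is not None:
            hits[h] = brand
    return hits


if __name__ == "__main__":
    # Constructed sample of hostnames as they might appear in a DNS log.
    sample = ["www.paypal.com", "paltpal.com", "paypa1.com",
              "apkpuer.com", "paypal.net", "example.org"]
    for host, brand in scan(sample).items():
        print(f"{host:16} looks like {brand}")
```

The score is intentionally coarse: an edit-distance threshold of 2 catches single-character swaps, dropped letters and digit-for-letter substitutions, which is what the campaign in the article used, but it will also flag some unrelated short names. In practice the hits are a triage queue for a blocklist or a browser-alert feed, not an automatic verdict.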
What did the CRIL senior manager say about the phishing attack?
Varadharajan Krishnasamy, senior manager at CRIL, spoke to The Cyber Express, sharing insights into the mass phishing campaign they discovered and their analysis. “A typosquatting attack is a well-known social engineering attack, in which the threat actors create domains that mimic legitimate websites, which trick the users into sharing sensitive information or downloading other malware families. In this campaign, the threat actor created over 200 typosquatting domains targeting 27 brands to download Android and Windows malware families.”
To avoid being tricked, Krishnasamy said, “Users should verify the site name to ensure they are not misspelled before downloading anything or sharing information on the website.” Published on October 18, 2022, the report noted that the latest version, ERMAC 2.0, was available for rent on criminal forums for $5000 per month.
ERMAC was discovered earlier this August and was found to be targeting users in Poland. As per reports, it has the capability to hijack personal accounts and steal money and information, among other things.