Some Carrier Embedded Android Apps May Have Security Vulnerabilities

Recently, Microsoft reported high-severity security vulnerabilities in multiple apps offered by large international mobile service providers.  What makes this especially noteworthy is that these vulnerabilities aren’t app-specific, but framework-specific.  Many carriers build their apps on the same underlying framework, so every app built on it inherits the same flaws.

The vulnerabilities discovered to this point are being tracked as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601.

The framework is made by a company called mce Systems.  The vulnerabilities are command injection and privilege escalation flaws, meaning that other software on the phone could get the carrier app to run commands with the elevated permissions those pre-installed apps enjoy.  Carriers with affected apps include AT&T, TELUS, Rogers Communications, Bell Canada, and Freedom Mobile.

Members of the Microsoft 365 Defender team had this to say about the issue:

“The apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers.

All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues.

As it is with many of the pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device.”

This is a problem with a truly vast scope.  Counting only downloads from the Google Play Store, the affected apps have been installed millions of times.  Add the copies that came pre-installed on phones sold by the carriers above, and the scale is simply mindboggling.

If there’s a silver lining to be found, it lies in the fact that all the carriers with affected apps have already issued updates to fix the problem.

If you have a phone sold to you by any of the providers above, check all your installed apps and make sure you’re running the latest versions.  Since the fixes ship as ordinary app updates, checking the Play Store for pending updates is the quickest way to be sure.  Better safe than sorry.

This Android Malware Is Stealing Login Credentials

If you’re deeply involved in IT security, you may already be familiar with the ERMAC Android banking trojan.

If this is the first time you’re hearing of it, be aware that the hackers who authored the malicious code have recently released ERMAC 2.0, which represents a significant upgrade in capabilities from the previous iteration.

ERMAC’s main purpose is to steal login credentials and send them to whoever is controlling the code.  That person then uses the stolen passwords to take control of a target’s bank accounts and/or cryptocurrency wallets and conduct fraud, or in some cases, simple theft.

Access to ERMAC is sold as a subscription on the Dark Web.  The 1.0 version of the malware could be yours for $3k USD per month.  This latest iteration is priced at $5k USD per month.  Pricey, yes, but clearly there are criminals who consider it worth the money.

ERMAC 2.0 was first spotted in a campaign that pushed a fake Bolt Food application to the Polish market.  Bolt Food is a quite legitimate European food delivery service.  In this case, the hackers created a fake site that looked convincingly like the real thing and tricked users into downloading what they thought was the food delivery app.

Naturally, it was nothing of the sort, and instead of convenient food service, what the victims got was ERMAC 2.0 and a whole slew of headaches after that.

Although the Bolt Food app was the first, it is by no means the only app that the malicious code impersonates.  In fact, according to the latest research, ERMAC 2.0 is currently impersonating nearly five hundred popular Android apps.

In every case, however, the campaigns seen so far rely on a user agreeing to download an app from what they believe to be a legitimate third-party vendor site, which also means allowing installs from unknown sources on their device.  While it’s an undeniably dangerous strain of malware, it is easily avoided by sticking to apps on the Google Play Store and leaving that setting off.  Stay vigilant, it’s getting dangerous out there.

Google Soon Informing Users About What Data Apps Collect

A small but important change is coming to your Android apps.  Soon you’ll notice a new Data Safety section on the Google Play Store which will provide greater transparency about exactly what data the apps you install are collecting.

The change is meant to serve as a “privacy label” that will allow users to evaluate the data an app will collect on them before they install it, so they can make better and more informed decisions about what to install.

In addition to requiring developers to disclose exactly what data they’re collecting, Google will also require them to disclose what data they share with third parties and the purpose behind each kind of collection.

The new feature will also give users access to more than just the high-level view.  For additional details, they’ll be able to click on any given data category to find out the particulars involved.

That sounds amazing but believe it or not, there’s more.  The third leg of the new Data Safety section will include details about the app’s security practices, outlining what specific mechanisms the developers use to protect and safeguard collected data.  Here, users will also be able to see if they’re given the option to ask for the deletion of their collected data at any time.

On top of that, the new Data Safety section will specify if the app in question adheres to the Google Play Families Policy which is aimed squarely at protecting children.

Google is taking a careful and measured approach to the rollout.  So if you have an Android device, don’t expect to see details in the Data Safety section right away.  It will appear over the next few weeks and get increasingly fleshed out as developers submit their declarations.

As of now, app developers can begin declaring how collected data is used, and they have until July 20th of this year (2022) to complete their submissions.

These are fantastic changes.  Kudos to Google for this.  Great news indeed.

Some Android Devices May Have Media File Security Vulnerability

Do you have an Android device?  Is it built around a Qualcomm or MediaTek chipset?  If you answered yes to both of those questions, be aware that researchers at Check Point have recently discovered an issue which could put your device at risk.

The team discovered a flaw in the ALAC (Apple Lossless Audio Codec) decoder code that Apple open-sourced back in 2011, which both chip makers had carried into their own audio decoders without the fixes Apple later applied to its own version.  A specially crafted audio file could exploit the flaw to achieve remote code execution on your device, and unfortunately, Qualcomm and MediaTek are two of the industry’s largest mobile chip manufacturers.

The good news is that both Qualcomm and MediaTek acted quickly, and this issue has already been resolved.  The problem involved three separate flaws: on the MediaTek side, CVE-2021-0674 (medium severity with a 5.5 score) and CVE-2021-0675 (high severity with a 7.8 score), and on the Qualcomm side, CVE-2021-30351 (critical severity with a 9.8 score).

While MediaTek did not release a formal statement about the matter, Qualcomm did.

It reads in part, as follows:

“Providing technologies that support robust security and privacy is a priority for Qualcomm Technologies. We commend the security researchers from Check Point Technologies for using industry-standard coordinated disclosure practices. Regarding the ALAC audio decoder issue they disclosed, Qualcomm Technologies made patches available to device makers in October 2021. We encourage end users to update their devices as security updates have become available.”

If your device hasn’t received a security patch since December of last year (2021), grab the latest and install it at your earliest convenience and you should be covered.  Until then, be sure not to open any audio files from unknown sources, which is good advice even after you’ve installed the patch.  One can never be too cautious.
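Both this item and the carrier-app item above end with the same advice: confirm your device is patched and your apps are current.  The script below is an added example written for this page, not code from Check Point, Qualcomm, MediaTek or mce Systems.  It reads the device’s security patch level and an app’s installed version over adb and compares them with a cutoff.  The December 2021 cutoff follows the advice above and is an assumption; the package name com.example.carrierapp and the dumpsys output are constructed for the demonstration, not captured from a real carrier app.

```shell
#!/bin/sh
# Added example (not from the original article). Checks an Android device's
# security patch level and an installed app's versionName over adb. The
# parsing is split into functions that work on plain strings so the logic
# can be exercised without a device attached.

# Return 0 if patch level $1 (YYYY-MM-DD, the format of the
# ro.build.version.security_patch property) is on or after cutoff $2.
# Returns 2 if the property is not a date (some emulators and custom ROMs).
patch_level_ok() {
    p=$(printf '%s' "$1" | tr -d '-')
    c=$(printf '%s' "$2" | tr -d '-')
    case "$p" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 2 ;;
    esac
    [ "$p" -ge "$c" ]
}

# Read `dumpsys package <pkg>` output on stdin and print the first
# versionName found (empty output means the package is not installed).
package_version() {
    sed -n 's/^[[:space:]]*versionName=\(.*\)$/\1/p' | head -n 1
}

# Return 0 if dotted numeric version $1 is greater than or equal to $2.
# Assumes purely numeric components (4.1.2, 4.10.0); missing components
# count as 0, so 4.1 equals 4.1.0.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Run both checks against a connected device (needs adb and USB debugging).
# Usage: check_device <package> <minimum versionName> [cutoff patch level]
check_device() {
    pkg=$1; min_ver=$2; cutoff=${3:-2021-12-01}   # cutoff date is an assumption
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    if patch_level_ok "$level" "$cutoff"; then
        echo "security patch level $level: OK (>= $cutoff)"
    else
        echo "security patch level $level: older than $cutoff, update the device"
    fi
    ver=$(adb shell dumpsys package "$pkg" | tr -d '\r' | package_version)
    if [ -z "$ver" ]; then
        echo "$pkg: not installed"
    elif version_ge "$ver" "$min_ver"; then
        echo "$pkg $ver: OK (>= $min_ver)"
    else
        echo "$pkg $ver: older than $min_ver, update the app"
    fi
}

# Constructed sample of `dumpsys package` output for a hypothetical package.
SAMPLE_DUMPSYS='Packages:
  Package [com.example.carrierapp] (3f2a1b):
    userId=10123
    versionCode=412 minSdk=24 targetSdk=31
    versionName=4.1.2
    codePath=/system/app/CarrierApp'

if [ -n "${1:-}" ]; then
    check_device "$@"
else
    # No device arguments given: exercise the parsers on the constructed data.
    ver=$(printf '%s\n' "$SAMPLE_DUMPSYS" | package_version)
    echo "sample versionName: $ver"
    version_ge "$ver" 4.2.0 || echo "sample app $ver is older than 4.2.0"
    patch_level_ok 2021-11-05 2021-12-01 || echo "patch level 2021-11-05 is too old"
fi
```

Run it as `sh check.sh com.example.carrierapp 4.2.0` with a device attached, substituting the real package name and the version your carrier published as fixed.  Note that a patch level at or after the cutoff only tells you that the vendor built that month’s patch set; it does not prove a particular chipset fix was included, so the carrier or vendor bulletin remains the authoritative source.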

Kudos to the sharp-eyed researchers at Check Point and to both Qualcomm and MediaTek for their fast action here.  That’s how it’s done.

Sharkbot Malware Found In Several Android Antivirus Apps

If you own an Android device, odds are excellent that your go-to source for apps of any kind is the Google Play Store.  That includes antivirus apps to help keep your device safe.

Unfortunately, the hackers of the world are aware of that fact and are always on the lookout for ways to capitalize on that.

Recently, researchers at Check Point made a disturbing discovery.  Six different apps on the Play Store were found to be poisoned variants that install the Sharkbot malware.  Sharkbot is designed to steal usernames and passwords by displaying cleverly disguised overlay windows on top of the login screen you expect to see when you open a targeted banking or cryptocurrency app.

Instead of entering your login credentials on the site you thought you were visiting, you instead inadvertently feed the credentials to the bot. The bot dutifully exfiltrates them to a command-and-control server so the hackers controlling the malicious code can abuse them at their leisure.

To add insult to injury, all six of the poisoned apps appeared to be perfectly legitimate antivirus apps.  Worse, those apps were downloaded by unsuspecting users more than fifteen thousand times before Google caught the issue and removed them from the Play Store.

Alexander Chailytko is the cyber security researcher who led the team that made the discovery.  He has an intriguing theory about how the hackers were able to get their poisoned code past Google’s series of checks against exactly such things.

Per Chailytko, “We think that they were able to do it because all malicious actions were triggered from the C&C server, so the app could stay in the “OFF”-state during a test period in Google Play and turn “ON” when they get to the users’ devices.”

If that theory proves correct, and there’s little reason to doubt it, Google is going to have a tough time keeping that sort of thing from happening in the future, because an app whose malicious behavior is switched on remotely after review looks harmless during the review itself.  That means the Play Store may not be quite the safe place most people expect.  That’s troubling indeed.