ERMAC Android Malware Source Code Leak Reveals Banking Trojan Framework

Keerthana S August 19, 2025 | 03:40 PM Technology

The source code for ERMAC v3.0, an Android banking trojan, has been leaked online—revealing the inner workings of its malware-as-a-service (MaaS) operation and exposing key parts of its infrastructure.

Researchers from Hunt.io discovered the leak in March 2024 while scanning for exposed resources. They found an archive named Ermac 3.0.zip in an open directory, which contained the malware’s full code base, including its backend and frontend (panel), exfiltration server, deployment configs, and builder/obfuscator tools.

Figure 1. ERMAC Android Malware.

Analysis of the leaked code showed that ERMAC v3.0 greatly expanded its reach compared with earlier versions: it now targets over 700 apps across banking, shopping, and cryptocurrency categories [1]. ERMAC v2.0, spotted in 2022 and rented for $5,000 a month, targeted 467 apps, up from 378 in the initial release documented in 2021. The malware is linked to the threat actor behind BlackRock, is also tied to the earlier Cerberus trojan, and later gave rise to an offshoot named Hook. Figure 1 shows the ERMAC Android malware.

Expanded Capabilities

The leaked code revealed ERMAC v3.0’s architecture, which includes:

  • PHP-based C2 backend and React operator panel
  • Go-based exfiltration server
  • Kotlin backdoor for Android devices
  • Builder tools to generate trojanized APKs

Its new capabilities include:

  • Stealing SMS, contacts, Gmail subjects/messages, and account details
  • File access (listing, downloading)
  • Sending SMS and enabling call forwarding
  • Remote photo capture via the front camera
  • Full app control (launch, uninstall, cache clearing)
  • Fake push notifications for deception
  • Remote uninstall (“killme”) for evasion

The malware also employs AES-CBC encryption for C2 communications and introduces enhanced form-injection attacks, alongside an upgraded operator interface for better control.
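AES-CBC names only the confidentiality mechanism; what matters to a defender is where the key lives. The Go program below is an added example, not code from ERMAC, Hunt.io, or the article: it models a C2 envelope as base64(IV || AES-256-CBC ciphertext) with PKCS#7 padding, using a constructed key and a constructed sample command, and shows that whoever holds the key compiled into the client (here, an analyst with the leaked source) can decrypt captured traffic. The envelope layout, key value, and message format are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// HardcodedKey is a constructed 32-byte key (AES-256) for this illustration.
// It stands in for a key compiled into the client: once the source or the APK
// is in an analyst's hands, the key is no longer secret.
var HardcodedKey = []byte("0123456789abcdef0123456789abcdef")

// pkcs7Pad pads to a whole number of blocks, which CBC requires.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates and strips padding; malformed padding is rejected.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("pkcs7: bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("pkcs7: bad pad value")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("pkcs7: bad pad bytes")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptC2 produces base64(IV || AES-CBC(pad(plaintext))), a common envelope
// shape (assumed here); a fresh random IV is prepended to every message.
func EncryptC2(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return "", err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptC2 is the analyst side: given a captured envelope and the key lifted
// from the leaked code, recover the command or the exfiltrated data.
func DecryptC2(key []byte, envelope string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(envelope)
	if err != nil {
		return nil, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("envelope too short or not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

func main() {
	// Constructed sample command; not a real ERMAC message.
	cmd := []byte(`{"cmd":"getSMS","bot":"sample-0001"}`)
	env, err := EncryptC2(HardcodedKey, cmd)
	if err != nil {
		panic(err)
	}
	fmt.Println("on the wire:", env)
	pt, err := DecryptC2(HardcodedKey, env)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:  ", string(pt))
}
```

The decryptor rejects short or misaligned envelopes and bad padding instead of panicking, which matters when feeding it arbitrary captured traffic. One general caveat: CBC on its own gives no integrity, so a flipped ciphertext bit silently changes the plaintext; whether ERMAC's protocol layers a MAC on top is not something the analysis above states.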

Infrastructure Exposure & OpSec Failures

Beyond the source leak, Hunt.io identified several live C2 servers, exfiltration endpoints, and builder panels tied to the operation. The actors left multiple operational security gaps, including hardcoded JWT tokens, default root credentials, and unprotected admin panels—allowing outsiders to access and potentially disrupt ERMAC systems.
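A hardcoded JWT signing secret means the panel cannot tell its operators from anyone who has read the leak. As an added example (not code from ERMAC, Hunt.io, or the article), the Go program below implements HS256 JSON Web Tokens with the standard library: MintToken is what any holder of the secret can do, and VerifyToken is the panel-side check. The secret value, claim names, and token lifetime are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// HardcodedSecret is a constructed value standing in for a signing secret
// committed to source. Everything that trusts it is only as secret as the repo.
const HardcodedSecret = "panel-jwt-secret-from-config"

// Claims is a minimal payload for the illustration.
type Claims struct {
	Sub  string `json:"sub"`
	Role string `json:"role"`
	Exp  int64  `json:"exp"`
}

func enc(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func hs256(secret, signingInput string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(signingInput))
	return enc(mac.Sum(nil))
}

// MintToken issues header.payload.signature. Anyone holding the secret can
// call this, which is the whole problem with a hardcoded value.
func MintToken(secret string, c Claims) (string, error) {
	hdr := enc([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	si := hdr + "." + enc(body)
	return si + "." + hs256(secret, si), nil
}

// VerifyToken is the panel side: pin the algorithm, compare the MAC in constant
// time, then check expiry. It cannot distinguish an operator's token from one
// minted by an outsider who read the secret in the leak.
func VerifyToken(secret, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg") // rejects alg=none and key-confusion tricks
	}
	if !hmac.Equal([]byte(hs256(secret, parts[0]+"."+parts[1])), []byte(parts[2])) {
		return nil, errors.New("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	now := time.Now()
	// An outsider who read the leaked config mints an admin token...
	forged, _ := MintToken(HardcodedSecret, Claims{Sub: "outsider", Role: "admin", Exp: now.Add(time.Hour).Unix()})
	// ...and the panel accepts it, because the secret is all it checks.
	if c, err := VerifyToken(HardcodedSecret, forged, now); err == nil {
		fmt.Printf("accepted: sub=%s role=%s\n", c.Sub, c.Role)
	}
	// A per-deployment secret that never went into the repository makes the
	// same token fail.
	_, err := VerifyToken("fresh-random-per-deployment-secret", forged, now)
	fmt.Println("after rotation:", err)
}
```

The verifier pins alg to HS256 and compares the MAC with hmac.Equal, so the usual alg=none and key-confusion tricks fail; the only weakness left is the secret itself, and main shows that rotating it to a value that is not in the repository invalidates every token minted from the leaked one. The same reasoning covers default root credentials: a value that ships in the source is not a secret.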

Fingerprinting clues, such as panel names and package identifiers, made attribution and infrastructure mapping significantly easier.

Impact of the Leak

The exposure undermines ERMAC’s reputation as a MaaS product, reducing trust among criminal customers and increasing the likelihood of detection by security solutions. However, with the code now public, researchers warn that other threat actors could repurpose it—potentially spawning new ERMAC variants that are harder to detect and defend against.

Reference:

  1. https://www.bleepingcomputer.com/news/security/ermac-android-malware-source-code-leak-exposes-banking-trojan-infrastructure/

Cite this article:

Keerthana S (2025), ERMAC Android Malware Source Code Leak Reveals Banking Trojan Framework, AnaTechMaz, pp.209
