The source code of ERMAC version 3.0, an Android banking trojan, has been leaked online, exposing both the malware-as-a-service platform and the operators’ infrastructure. Hunt.io researchers found an archive named Ermac 3.0.zip containing the backend, the front-end panel, the exfiltration server, deployment configurations, and the trojan’s builder and obfuscator.
Hunt.io said the leak shows ERMAC v3.0 has expanded its targeting to more than 700 banking, shopping, and cryptocurrency apps. The findings build on ThreatFabric’s earlier documentation of ERMAC as an evolution of the Cerberus banking trojan, operated by a threat actor known as BlackRock.
The leaked components span a PHP command-and-control (C2) backend, a React-based front-end panel, a Go-based exfiltration server, a Kotlin backdoor, and a builder panel used to generate customized trojanized APKs. ERMAC v3.0’s documented capabilities include:
- Theft of SMS, contacts, and registered accounts
- Extraction of Gmail subjects and messages
- File access via ‘list’ and ‘download’ commands
- SMS sending and call forwarding for communications abuse
- Photo capturing via the front camera
- Full app management (launch, uninstall, clear cache)
- Displaying fake push notifications for deception
- Remote uninstalls (killme) for evasion
Hunt.io also identified live, exposed infrastructure used by the operators, including C2 endpoints, control panels, exfiltration servers, and builder deployments. Beyond the code itself, the leak revealed major opsec failures: hardcoded JWT tokens, default root credentials, and no registration protections on the admin panel. Any of these could allow an outsider to gain unauthorized access to, or disrupt, ERMAC’s panels.
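To make the hardcoded-JWT failure concrete, here is an added example (not code from the ERMAC leak or from Hunt.io). It uses only the Python standard library and a constructed placeholder secret; ERMAC’s actual secret, claim names and panel endpoints are not reproduced. It shows that once a static HS256 signing secret ships inside a leaked codebase, anyone can mint an admin token that the backend accepts, and that the fix is a per-deployment secret kept out of the repository, checked by a verifier that also rejects `alg: none` and expired tokens.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder for this example only. A value like this committed
# to source is the failure mode described above: it is the same on every
# deployment and becomes public the moment the code leaks.
LEAKED_STATIC_SECRET = b"change-me-panel-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT. Anyone holding `secret` can call this."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Strict verifier: HS256 only (no 'none' / algorithm confusion),
    constant-time signature compare, mandatory 'exp'. Returns the claims
    on success, None on any failure."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    exp = claims.get("exp")
    current = now if now is not None else time.time()
    if not isinstance(exp, (int, float)) or current >= exp:
        return None
    return claims


def forged_token_is_accepted(secret: bytes, now: float) -> bool:
    """The failure: an outsider who read `secret` from leaked source mints an
    admin token and the backend validates it as genuine."""
    forged = mint_hs256({"sub": "attacker", "role": "admin", "exp": now + 3600}, secret)
    return verify_hs256(forged, secret, now=now) is not None


def rotated_secret_rejects(leaked: bytes, fresh: bytes, now: float) -> bool:
    """The fix: a secret generated per deployment at install time (for example
    secrets.token_bytes(32), stored outside the repo) means tokens signed with
    the leaked value no longer verify."""
    forged = mint_hs256({"sub": "attacker", "role": "admin", "exp": now + 3600}, leaked)
    return verify_hs256(forged, fresh, now=now) is None


if __name__ == "__main__":
    now = time.time()
    print("forged token accepted with static secret:", forged_token_is_accepted(LEAKED_STATIC_SECRET, now))
    print("forged token rejected after rotation:", rotated_secret_rejects(LEAKED_STATIC_SECRET, b"fresh-per-deployment-secret", now))
```

The same reasoning applies to the default root credentials and the open registration endpoint: each is a fixed, publicly known path into the panel, so a researcher who finds one of the exposed deployments can exercise it without any further compromise.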
The leak is a setback for the operators: it erodes customer trust in the malware-as-a-service offering and undercuts the low detection risk that was one of its selling points, now that defenders can study the code directly. Security researchers cautioned, however, that if the source reaches other threat actors, new variants could emerge that are harder to detect, underscoring the continued need for threat detection and device security.