Android Users targeted through multiple Phishing themes

Cyble Research & Intelligence Labs (CRIL) recently identified a mass phishing campaign that delivers malicious Android applications (APKs). While investigating the samples, we identified them as ERMAC banking Trojans.

ERMAC is an Android banking Trojan that was first discovered in late August 2021, when it was found targeting users in Poland. The latest version, ERMAC 2.0, targets 467 applications, and the threat actor (TA) was renting it out for $5K/month on a cybercrime forum.

As part of the phishing campaign, the TA registered typosquatted domains imitating popular Android application hosting platforms such as the Google Play Store, APKPure and APKCombo. The phishing websites on these domains serve fake applications impersonating Google Wallet, PayPal and Snapchat and trick users into downloading and installing the malicious ERMAC APK on their Android devices. Unlike the real Play Store, which installs through the store client, these sites hand the browser an APK to sideload, so the victim must also allow installation from unknown sources before the Trojan can run.

The image below shows the Whois information of the IP address 103[.]109[.]101[.]137 hosting these phishing websites.

Figure 1 – Whois Information of IP Address

The image below shows how the TA mimics the Google Play Store page; clicking the "Install" button downloads a malicious Android APK masquerading as Google Wallet.

Figure 2 – Google Play Store Phishing Website
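The typosquatting described above (lookalike domains for the Google Play Store, APKPure and APKCombo) is something a defender can screen for in proxy or DNS logs. The following is an added example, not code from Cyble or from the campaign: it flags observed domains that reuse, embed, or sit within a small edit distance of the legitimate app-store brands. The allowlist, the edit-distance threshold and every domain in the sample list are assumptions constructed for illustration, not indicators from this campaign.

```python
"""Screen observed domains for typosquats of Android app-hosting platforms.

Added example (not Cyble's code). The allowlist, brand list, threshold and
sample domains are constructed assumptions, not indicators from the campaign.
"""

# Assumed allowlist of the genuine platforms the post names.
LEGIT_DOMAINS = {"play.google.com", "google.com", "apkpure.com", "apkcombo.com"}

# Brand labels a phishing domain would try to imitate.
BRANDS = ("google", "apkpure", "apkcombo")

# Hypothetical threshold; tune it against your own false-positive rate.
MAX_DISTANCE = 2


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (verdict, brand) for one domain.

    verdict is one of: legit, brand-on-unknown-domain, brand-embedded,
    lookalike, clean.
    """
    d = domain.lower().rstrip(".")
    if d in LEGIT_DOMAINS:
        return ("legit", None)
    # Drop the last label as the TLD. This is naive for multi-label public
    # suffixes such as co.uk; use a public-suffix list in production.
    labels = d.split(".")[:-1]
    for label in labels:
        for brand in BRANDS:
            if label == brand:
                # Exact brand label on a domain that is not on the allowlist.
                return ("brand-on-unknown-domain", brand)
            if brand in label:
                # e.g. "apkcombo-download" or "play-google".
                return ("brand-embedded", brand)
            if levenshtein(label, brand) <= MAX_DISTANCE:
                # e.g. "apkpur" or "goggle".
                return ("lookalike", brand)
    return ("clean", None)


def scan(domains):
    """Classify every domain and return {domain: (verdict, brand)}."""
    return {d: classify(d) for d in domains}


# Constructed sample input: a mix of genuine and lookalike names.
SAMPLE_DOMAINS = [
    "play.google.com",
    "apkpure.com",
    "apkpur.com",
    "apkcombo-download.net",
    "play-google.store",
    "example.org",
]

if __name__ == "__main__":
    for dom, (verdict, brand) in scan(SAMPLE_DOMAINS).items():
        print(f"{dom:25} {verdict:25} {brand or ''}")
```

Run it on the domains pulled from phishing URLs or passive DNS; anything that is not `legit` or `clean` is worth a manual look at the page it serves and, as the post shows, at what the "Install" button actually downloads.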