ERMAC Android Trojan Leaked: Source Code and C2 Infrastructure Exposed

Written by Adan Cuevas | Aug 22, 2025 1:00:00 PM

The source code of version 3 of the ERMAC Android banking trojan has been leaked online, revealing the inner workings of this dangerous malware-as-a-service platform and exposing the infrastructure used by its operators.

The leak was discovered by Hunt.io researchers in March 2024, when they found a file named Ermac 3.0.zip in an open directory. The archive included everything: backend, control panel, exfiltration server, deployment configurations, and even the builder and obfuscator used to generate the malicious applications.

From Cerberus to ERMAC: A Dangerous Evolution

ERMAC was first documented in 2021 as an evolution of the Cerberus trojan, operated by a group known as BlackRock. With version 2.0, detected in 2022, cybercriminals rented it out for about $5,000 per month, and it was already capable of targeting nearly 500 apps.

Version 3.0 marked a major leap forward: according to Hunt.io, it expanded to over 700 banking, shopping, and cryptocurrency apps, increasing its power to steal sensitive information and take control of Android devices.

One of ERMAC's form injections (Source: Hunt.io)

What Can ERMAC 3.0 Do?

The leaked code allowed researchers to gain deeper insight into the threat’s capabilities. Some of the most dangerous functions include:

  1. Stealing SMS messages, contacts, and saved accounts
  2. Extracting Gmail data
  3. Accessing and downloading files
  4. Redirecting calls and sending SMS
  5. Taking photos with the front camera
  6. Managing apps (launch, uninstall, clear cache)
  7. Displaying fake notifications to trick users
  8. Remotely uninstalling itself to avoid detection

In practice, ERMAC becomes a full-fledged backdoor, capable of stealing data, controlling the device, and executing commands on demand.

Exposed ERMAC C2 servers (Source: Hunt.io)

Infrastructure Also Exposed

Beyond the code, analysts found exposed C2 servers, poorly secured admin panels, and even hardcoded default credentials and tokens within the code. These security oversights enabled researchers to map the full infrastructure used by the operators.

While this undermines ERMAC’s original operation—since criminal clients lose trust in the platform—it also opens the door for other threat actors to reuse the code and create modified, harder-to-detect variants.

What This Means for You and Your Business

At TecnetOne, we remind you that banking trojans like ERMAC are not a distant threat. With each new version, their ability to remain undetected improves, and simply installing a fake app from an unofficial store could compromise your entire device.

Here’s what you should do:

  1. Keep your Android device updated and avoid installing apps from untrusted sources.
  2. Always review app permissions—if a “bank protection” app requests access to your SMS, calls, or camera, that’s a red flag.
  3. Monitor your infrastructure: leaks like this help security vendors strengthen defenses, but attackers learn from them too.

Accessing the ERMAC panel (Source: Hunt.io)

Conclusion

The ERMAC source code leak is a double-edged sword. On the one hand, it helps the cybersecurity community enhance its protections. On the other, it enables the creation of new, more sophisticated variants. Staying one step ahead requires adopting best practices and constant monitoring.