Android Users have Two Trojans to Worry About

This week has seen the announcement of two separate campaigns infecting Android users with some form trojan malware. The first incident involves the discovery of a new trojan, called GriftHorse, while the second trojan distribution campaign involves an offshoot of the infamous Cerberus banking trojan. This latest Cerberus-based trojan has been called ERMAC by researchers.

Researchers based at Zimperian labs discovered the campaign distributing GriftHorse and found that, according to their research, possibly 10,000,000 Android users may have been impacted by the trojan that would sign users onto premium SMS services costing 36 EUR a month.

android users have two new trojans to worry about

The total amount stolen is believed to be in the hundreds of millions, according to the published research. In the past other scams that signed victims up for premium services made use of phishing tactics. However, GiftHorse is a fully-featured trojan user downloaded from the Play store, believing the malware was just a trojan.

By relying on seemingly inoffensive apps that require the user to assent to certain permissions inspires a false sense of security. It is only possibly months down the line that victims discover they are being charged monthly with very little recourse to retrieve stolen funds.

According to researchers, it appears that the campaign to distribute GriftHorese may have begun as early as November 2020, with the malware developers using several tactics to prevent detection and analysis by security researchers. Researchers further noted,

“These malicious applications were initially distributed through both Google Play and third-party application stores. Zimperium zLabs reported the findings to Google, who verified the provided information and removed the malicious applications from the Google Play store. However, the malicious applications are still available on unsecured third-party app repositories, highlighting the risk of sideloading applications to mobile endpoints and user data and needing advanced on-device security.”

When a user is infected with GriftHorse they are suddenly bombarded with notifications on their mobile device informing them that they have won a prize. The use of the word “bombarded” is not done lightly as notifications appear five times per hour until the user accepts the offer.

Upon accepting the offer, they are redirected to geo-specific web pages where they are prompted to enter their details To win the prize the notifications keep reminding them that they had. Once they enter in personal details, like their mobile number, they are subscribed to premium mobile services, rather than receiving the prize they were led to believe.

It is the use of abusing the victim’s geolocation and the clever coding by the malware developers that help the campaign continue for nearly 10 months undiscovered. In the code, there were no hard-coded websites or other defining characteristics that would suggest the code was malicious.

Only on the click-through would the code determine the geo-location of the victim and then redirect to an appropriate website. Researchers further noted,

“These cybercriminals took great care not to get caught by malware researchers by avoiding hardcoding URLs or reusing the same domains and filtering / serving the malicious payload based on the originating IP address’s geolocation. This method allowed the attackers to target different countries in different ways. This check on the server-side evades dynamic analysis checking for network communication and behaviors.”

GriftHorse was developed using the Apache Cordova framework. When used by non-malicious developers the framework allows for apps to be created using HTML, CSS, and JavaScript rather than device-specific programming languages. The framework also allows developers to auto-update the app without user interaction.

This feature, when used appropriately, can increase the security of the app. GriftHorse’s developers use these features to execute code in real-time making detection by security researchers harder. Another method employed to evade detection was through the use of a no-reuse policy so that the app better met Google Play Store requirements.


Also, this week, a new Android banking Trojan was discovered by researchers at Threat Fabric. Called ERMAC, it was seen targeting users in Poland and appears to be based on Cerberus, another infamous banking trojan whose source code was leaked.

According to researchers, the malware is targeting 378 banking and wallet apps through the use of overlays in an attempt to steal credentials. Over time the campaign expanded to include a range of apps such as banking, media players, delivery services, government applications, and antivirus solutions.

Researchers discovered that ERMAC was developed by a well-known threat actor going by the tag name DukeEugene. The malware developer is believed to be responsible for another banking trojan, BlackRock. At the time of BlackRock's discovery, the malware was described by Threat Fabric researchers as,

“Although BlackRock poses a new Trojan with an exhaustive target list, looking at previous unsuccessful attempts of actors to revive LokiBot through new variants, we can’t yet predict how long BlackRock will be active on the threat landscape. What can be considered as true is that the number of new banking Trojans will continue to grow, bringing new functionalities to increase the success rate of fraud while fraud becomes a growing risk even for consumers not using mobile banking - as we can see with BlackRock targeting 3rd party apps.”

While not being based on LokiBot but rather Cerberus, ERMAC is being offered to threat actors for 3,000 USD a month, on a malware-as-a-service rental plan. Researchers believe that DukeEugene has switched to solely offering ERMAC over BlackRock as no new samples of BlackRock had been detected. Researchers concluded,

“The story of ERMAC shows one more time how malware source code leaks can lead not only to slow evaporation of the malware family but also bring new threats/actors to the threat landscape. Being built on Cerberus basement, ERMAC introduces a couple of new features. Although it lacks some powerful features like RAT, it remains a threat for mobile banking users and financial institutions all over the world.”

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal