ERMAC
ERMAC is an Android banking trojan active in the mobile threat landscape and commonly referenced as Android.BankBot.Ermac. It was first observed in the wild in September 2022. Reporting in the provided content describes ERMAC as a malware family used for banking fraud on Android devices and notes that Hook descends from the ERMAC family and was built from ERMAC source code, with Hook adding substantial new functionality. NCC Group also reported that Hook and ERMAC were advertised by the threat actor DukeEugene. ThreatFabric reporting cited in the content links the mobile threat actor "sybra" to operation of an ERMAC fork named MetaDroid.
The content indicates ERMAC has undergone multiple versions, including ERMAC 3.0, and that the ERMAC v3 source code leaked online. The leak reportedly included not only the trojan source code but also its builder, backend, and exfiltration servers, creating attribution and infrastructure-analysis opportunities. The content does not provide a full native capability list for ERMAC itself, but its classification as an Android banking trojan is explicit, and its family relationship to Hook places it in the ecosystem of Android malware used for credential theft and financial fraud.
High-confidence indicators and references directly mentioned in the content include the malware names/aliases ERMAC, Android.BankBot.Ermac, and Android.BankBot.Ermac.6.origin; the ERMAC fork MetaDroid; and repeated references to the ERMAC v3.0 source code leak. Associated actors directly mentioned are DukeEugene, which advertised ERMAC and Hook, and sybra, which was observed operating the ERMAC fork MetaDroid.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
...linked to a known threat actor in mobile threat landscape, “sybra”, that we already observed operating one of the Ermac forks, "MetaDroid"...
...two Android-based malware families advertised by threat actor DukeEugene, known as Hook and ERMAC.
IOCs tracked for this family
15 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Android banking trojan family referenced as the predecessor/family from which Hook descends.
Android banking trojan referenced for comparison (source code leaked); no additional details provided in the excerpt.
Android banking trojan with expanded form-injection and data theft targeting 700+ banking/shopping/crypto apps; source code leak exposed infrastructure weaknesses (per summary).
Android banking trojan family observed in multiple regions (including South Korea) as part of broader banking malware activity.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.