ERMAC (Android) (also known as ERMAC, Hook (successor)) is a android malware active since 2021. Android banking trojan. Key characteristics include: overlay attacks, keylogging, 467 banking app overlays, $5K/month, evolved into Hook.
Overview & Background
Android banking trojan. First identified in 2021, this threat is attributed to eCrime (MaaS).
Threat Assessment
ERMAC remains an active threat. Organizations should implement detection rules and monitor for indicators associated with this android malware.
- Category: Android Malware
- Active since: 2021
- Attribution: eCrime (MaaS)
- Also known as: ERMAC, Hook (successor)
Technical Analysis
ERMAC employs the following capabilities and techniques:
- Overlay Attacks: Core functionality
- Keylogging: Core functionality
- 467 Banking App Overlays: Core functionality
- $5K/Month: Core functionality
- Evolved Into Hook: Core functionality
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1566.001 Phishing Attachment | Common delivery vector |
| Execution | T1204.002 Malicious File | User-triggered execution |
| Persistence | T1547.001 Registry Run Keys | Autostart persistence |
| Defense Evasion | T1027 Obfuscated Files | Payload obfuscation |
| C2 | T1071.001 Web Protocols | HTTP/HTTPS C2 |
Detection & Defense
- Endpoint detection: Deploy behavioral detection rules for ERMAC indicators
- Network monitoring: Monitor for C2 traffic patterns and anomalous connections
- Threat intelligence: Track ERMAC IOCs and campaign updates
- Security awareness: Train users to recognize phishing and social engineering
- Patch management: Keep systems updated to prevent exploitation
Defend Against ERMAC
Mjolnir Security provides detection and response capabilities against ERMAC and similar threats.
Threat DetectionIncident ResponseThreat HuntingMDR ServicesThreat Intelligence
- Proactive Threat Hunting Hunt for ERMAC indicators and TTPs within your environment.
- Threat Intelligence Monitor ERMAC campaigns and infrastructure changes.
- 24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.
Written by: Mjolnir Security | Published: July 30, 2025
Stay ahead of emerging threats. Get notified when we publish new intelligence reports and advisories.
Subscribe to Alerts