Cybercriminals are selling a new Android malware called “Hook,” which they boast can remotely take over mobile devices in real time using VNC (Virtual Network Computing).
The new malware is being promoted by the creator of Ermac, an Android banking Trojan selling for $5,000 per month that helps threat actors steal credentials from over 467 banking and crypto apps via overlaid login pages.
While the author of Hook claims the new malware was written from scratch, and despite having many additional features compared to Ermac, the researchers at ThreatFabric dispute those claims and say they’ve seen extensive code overlaps between the two families.
ThreatFabric states that Hook contains most of the Ermac code base, so it is still a banking Trojan. At the same time, it includes many unnecessary parts found in the older family, which suggests the code was reused in bulk.
More dangerous malware for Android
Despite its origin, Hook is an evolution of Ermac, offering a wide range of capabilities that make it a much more serious threat to Android users.
One of the new features of Hook compared to Ermac is the introduction of WebSocket communication, which comes in addition to the HTTP traffic used exclusively by Ermac. Network traffic is still encrypted using an AES-256-CBC key.
However, the notable addition is the “VNC” module which gives threat actors the ability to interact with the compromised device’s user interface in real time.

This new system enables Hook operators to perform any action on the device, from leaking personally identifiable information to monetary transactions.
With this feature, Hook joins the ranks of malware families capable of performing a full device takeover (DTO) and completing a full fraud chain, from PII exfiltration to transaction, with all intermediate steps, without the need for additional channels, ThreatFabric warns.
“This type of operation is difficult to detect with fraud logging engines, and is the main selling point for Android bankers.”
The catch is that Hook’s VNC requires access to the Accessibility service to work, which can be difficult to get on devices running Android 11 or later.
The new commands in Hook (in addition to Ermac's) can perform the following actions:
- Start / stop RAT
- Perform a specific swipe gesture
- Take a screenshot
- Simulate clicking on a specific text element
- Simulate pressing a key (HOME / BACK / RECENTS / LOCK / POWERDIALOG)
- Unlock the device
- Scroll up / down
- Simulate a long press event
- Simulate clicking at certain coordinates
- Set the clipboard value to the widget with a specific coordinate value
- Simulate clicking a widget with a specific text value
- Set the value of the widget to specific text
Apart from the above, the “File Manager” command turns the malware into a file manager, allowing threat actors to obtain a list of all files stored on the device and download specific files of their choice.
Another notable command ThreatFabric found relates to WhatsApp: it allows Hook to log all messages in the popular instant messaging app and even allows operators to send messages through the victim’s account.
Finally, the new geolocation tracking system allows Hook operators to track the exact location of the victim by abusing the “Access Precise Location” permission.

Global targeting
Hook’s targeted banking apps affect users in the United States, Spain, Australia, Poland, Canada, Turkey, the United Kingdom, France, Italy and Portugal.

However, it is necessary to note that Hook’s wide targeting range covers the entire world. ThreatFabric has listed all the apps Hook targets in the report’s appendix for those interested.
Currently, Hook is distributed as a Google Chrome APK file under the package names “com.lojibiwawajinu.guna”, “com.damariwonomiwi.docebi”, “com.damariwonomiwi.docebi” and “com.yecomevusaso.pisifo”, but of course this can change at any moment.
To avoid infection with Android malware, you should only install apps from the Google Play Store or those provided by your employer.
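For defenders triaging a device, the two facts above (the listed package names, and the VNC module's dependence on the Accessibility service) can be checked from adb output. The script below is an added example, not code from ThreatFabric or the original article; the allowlist, the function names and the sample input are assumptions constructed for illustration. Because the package names can change, the Accessibility review is the more durable of the two checks.

```python
# Collect on the analyst's machine, then pass the text to triage():
#   adb shell pm list packages
#   adb shell settings get secure enabled_accessibility_services

# Package names quoted in the article (which notes they can change).
HOOK_PACKAGES = {"com.lojibiwawajinu.guna", "com.damariwonomiwi.docebi",
                 "com.yecomevusaso.pisifo"}
# Assumption: fleet allowlist of apps expected to hold Accessibility access.
ALLOWED_A11Y = {"com.google.android.marvin.talkback"}


def parse_packages(pm_output):
    """Parse 'package:<name>' lines printed by `pm list packages`."""
    return {line.strip()[len("package:"):]
            for line in pm_output.splitlines()
            if line.strip().startswith("package:")}


def parse_a11y_services(setting_value):
    """Return owning packages from a colon-separated 'pkg/Service' list."""
    value = setting_value.strip()
    if not value or value == "null":  # an unset setting prints 'null'
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}


def triage(pm_output, a11y_value):
    """Flag listed package names and unexpected Accessibility holders."""
    installed = parse_packages(pm_output)
    a11y = parse_a11y_services(a11y_value)
    return {
        "known_hook_packages": sorted(installed & HOOK_PACKAGES),
        "unexpected_accessibility": sorted(a11y - ALLOWED_A11Y),
    }


# Constructed sample input, not captured from a real device.
SAMPLE_PM = """package:com.android.chrome
package:com.yecomevusaso.pisifo
package:com.google.android.marvin.talkback
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.yecomevusaso.pisifo/.ExampleService")

if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_A11Y))
```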