Hook Malware Allows Remotely Controlling Android Smartphones

Written by William Reddy

Researchers at ThreatFabric have discovered a new fork of the Ermac banking Trojan for Android. Ermac has been in wide use among cybercriminals in recent years; the new fork is called Hook.

Experts write that the new malware, dubbed Hook, blurs the line separating bankers from spyware.

Let me remind you that we also wrote that SOVA Android Malware Will Receive a New Encryptor Module, and that Spyware Predator Uses Five 0-day Vulnerabilities to Attack Android Users.


The new malware is promoted by the creator of Ermac, a $5,000-a-month subscription banking Trojan for Android that helps attackers steal credentials from more than 467 banking and cryptocurrency apps using overlays.

[Image: Ermac advertisement]

Although the author of Hook, who goes by the nickname DukeEugene, claims that the malware was written from scratch and differs from Ermac in a number of additional functions, ThreatFabric researchers report that the code of the two families largely overlaps. Hook contains most of the Ermac codebase, so it can still be called a banking Trojan. It also carries a few redundant parts previously seen in older versions of the banker, which points to code reuse rather than a rewrite.

[Image: Hook advertisement]

Be that as it may, Hook represents a more advanced version of Ermac and offers a wide range of features that make it a dangerous threat to Android users. The malware is offered for $7,000 per month, and the author claims that Hook has “all the capabilities of its predecessor.”

One of the new features of Hook is WebSocket communication with the command-and-control server, added alongside the plain HTTP traffic that Ermac used. Network traffic is still encrypted with a hard-coded AES-256-CBC key, as it was in Ermac.

Another important addition is the VNC (virtual network computing) module, which lets attackers interact with a compromised device in real time. In practice this allows Hook operators to perform any action on the victim’s device, from data theft to money transfers. However, the Hook VNC module requires access to the Accessibility Service, which can be a problem for the malware on devices running Android 11 and later.

“Hook has added RAT capabilities to its arsenal by joining [malware] families such as Octo and Hydra, which are able to perform a full device takeover and implement a complete compromise chain with all intermediate stages and without the need for additional channels: from identity theft to ending with transactions,” the researchers write.

Among the new commands that are available to Hook, but not used in Ermac, the experts listed:

  1. start/stop RAT;
  2. performing a specific swipe gesture;
  3. take a screenshot;
  4. simulate a click on a specific text element;
  5. simulate button presses (HOME/BACK/RECENTS/LOCK/POWERDIALOG);
  6. unlock the device;
  7. scroll up/down;
  8. simulate a long press;
  9. simulate a click on a certain coordinate;
  10. set clipboard value for UI element with specific coordinate value;
  11. simulate a click on a user interface element with a specific text value;
  12. set the value of a UI element to a specific text.

In addition to the above, the “File Manager” command turns the malware into a file manager, allowing attackers to list all the files on the device and steal the ones they choose.

Another notable command targets the WhatsApp messenger: it allows Hook to record all messages, and the operators can also send messages through the victim’s account.

Finally, Hook is equipped with a new geolocation tracking system that lets operators track the victim’s exact position by abusing the “Access Fine Location” permission.

In terms of banking functionality, the apps Hook targets most are those from the US, Spain, Australia, Poland, Canada, Turkey, the UK, France, Italy, and Portugal. However, Hook’s “interests” cover the whole world, and in their report the researchers separately listed all the applications the malware targets.


Hook is currently reported to be distributed as a fake Google Chrome APK under the following package names: com.lojibiwawajinu.guna, com.damariwonomiwi.docebi, and com.yecomevusaso.pisifo, although these may change at any moment.
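The two defender-relevant facts above, the reported package names and the malware's dependence on the Accessibility Service, can be turned into a quick device triage. The script below is an added example, not code from the article or from ThreatFabric: it parses the output of two standard adb commands (`adb shell pm list packages -f -3` and `adb shell settings get secure enabled_accessibility_services`) and flags both the package names reported for Hook and any third-party package that holds an enabled accessibility service outside an allowlist. The adb output it runs on is constructed inline, and the service class name used for the Hook sample is a placeholder, not one taken from a real sample.

```python
"""Triage helper for Hook-style Android bankers (added example, not the article's own code).

Flags (1) installed packages matching the package names reported for Hook and
(2) packages that own an enabled accessibility service but are not on an
allowlist. Accessibility abuse is how Hook's VNC/RAT features drive the UI.
"""

# Package names the article reports for Hook samples posing as Google Chrome.
HOOK_PACKAGES = frozenset({
    "com.lojibiwawajinu.guna",
    "com.damariwonomiwi.docebi",
    "com.yecomevusaso.pisifo",
})

# Accessibility services an organisation knows and accepts (TalkBack is Android's screen reader).
TRUSTED_A11Y_PACKAGES = frozenset({"com.google.android.marvin.talkback"})

# Constructed sample of `adb shell pm list packages -f -3` output (third-party apps only).
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~abc==/com.android.chrome-1/base.apk=com.android.chrome
package:/data/app/~~def==/com.damariwonomiwi.docebi-1/base.apk=com.damariwonomiwi.docebi
package:/data/app/~~ghi==/org.example.notes-1/base.apk=org.example.notes
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Entries are "package/ServiceClass" separated by ':'; the Hook class name is a placeholder.
SAMPLE_A11Y_OUTPUT = (
    "com.damariwonomiwi.docebi/com.damariwonomiwi.docebi.PlaceholderService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)


def parse_pm_list(text):
    """Return {package_name: apk_path} from `pm list packages [-f]` output.

    With -f each line is 'package:<apk path>=<package>'; the APK path may itself
    contain '=' (base64 padding in the install dir), so split on the last '='.
    """
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        if "=" in body:
            path, pkg = body.rsplit("=", 1)
        else:
            path, pkg = None, body  # plain `pm list packages` output has no path
        installed[pkg] = path
    return installed


def parse_accessibility_services(text):
    """Return the set of packages that own an enabled accessibility service."""
    owners = set()
    for entry in text.strip().split(":"):
        if "/" in entry:
            owners.add(entry.split("/", 1)[0])
    return owners


def triage(pm_output, a11y_output, trusted=TRUSTED_A11Y_PACKAGES):
    """Return a sorted list of (package, reason) findings for an analyst to review."""
    installed = parse_pm_list(pm_output)
    a11y_owners = parse_accessibility_services(a11y_output)
    findings = []
    for pkg in installed:
        if pkg in HOOK_PACKAGES:
            findings.append((pkg, "package name reported for Hook"))
    for pkg in a11y_owners:
        if pkg not in trusted:
            findings.append((pkg, "enabled accessibility service outside allowlist"))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, reason in triage(SAMPLE_PM_OUTPUT, SAMPLE_A11Y_OUTPUT):
        print(f"{pkg}: {reason}")
```

On a real device, pipe the two adb commands into the parsers instead of the constructed samples. The package-name match is brittle by design (the article itself notes the names can change), so the accessibility check is the more durable signal: a freshly installed "Chrome" that owns an accessibility service is worth a look regardless of its package name.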

About the author

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and a few months later I got a virus on that PC. After graduating from school, I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.
