Researchers at ThreatFabric have discovered Hook, a new fork of the Ermac banking Trojan for Android; Ermac itself has been widely used by cybercriminals in recent years.
Experts write that the new malware, dubbed Hook, blurs the line separating bankers from spyware.
Let me remind you that we also wrote that SOVA Android Malware Will Receive a New Encryptor Module, and also that Spyware Predator Uses Five 0-day Vulnerabilities to Attack Android Users.
The new malware is promoted by the creator of Ermac, a $5,000-a-month subscription banking Trojan for Android that helps attackers steal credentials from more than 467 banking and cryptocurrency apps using overlays.
Ermac advertisement
Although Hook’s author, who goes by the nickname DukeEugene, claims the malware was written from scratch and differs from Ermac in a number of additional functions, ThreatFabric researchers report that the two codebases overlap heavily. Hook contains most of the Ermac codebase and can still be classed as a banking Trojan. It also carries a few superfluous components previously seen in older versions of the banker, which point to code reuse.
Hook advertisement
Be that as it may, Hook represents a more advanced version of Ermac and offers a wide range of features that make it a dangerous threat to Android users. The malware is offered for $7,000 per month, and the author claims that Hook has “all the capabilities of its predecessor.”
One of Hook’s new features is WebSocket communication, added alongside the plain HTTP traffic that Ermac uses. Network traffic is still encrypted with a hard-coded AES-256-CBC key.
Another important addition is the VNC (virtual network computing) module, which lets attackers interact with a compromised device in real time. In practice, this allows Hook operators to perform any action on the victim’s device, from data theft to money transfers. However, the Hook VNC module requires access to the Accessibility Service, which can be an obstacle on devices running Android 11 and later.
Among the new commands available in Hook but not used in Ermac, the experts listed:
- start/stop the RAT;
- perform a specific swipe gesture;
- take a screenshot;
- simulate a click on a specific text element;
- simulate button presses (HOME/BACK/RECENTS/LOCK/POWERDIALOG);
- unlock the device;
- scroll up/down;
- simulate a long press;
- simulate a click at specific coordinates;
- set the clipboard value for a UI element at specific coordinates;
- simulate a click on a UI element with a specific text value;
- set the value of a UI element to specific text.
In addition to the above, the “File Manager” command turns the malware into a file manager, letting attackers list all files on the device and steal selected files of their choice.
Another notable command concerns the WhatsApp messenger: it lets Hook record all messages, and operators can also send messages through the victim’s account.
Finally, Hook is equipped with a new geolocation tracking system that lets operators track the victim’s exact position by abusing the “Access Fine Location” permission.
In terms of banking functionality, the banking apps most targeted by Hook are those from the US, Spain, Australia, Poland, Canada, Turkey, UK, France, Italy, and Portugal. However, Hook’s “interests” cover the whole world, and in their report the researchers separately listed all the applications the malware targets.
Hook is currently reported to be distributed as a Google Chrome APK and uses the following package names: com.lojibiwawajinu.guna, com.damariwonomiwi.docebi, com.damariwonomiwi.docebi, and com.yecomevusaso.pisifo, although these may change at any moment.
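Two of the indicators above are directly checkable on a device: the reported package names, and the fact that the VNC module depends on an enabled Accessibility Service. The following triage script is an added example written for this article (not ThreatFabric’s tooling, and not code from the report). It parses text captured with `adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services`, flags any installed package from the article’s list, and flags enabled accessibility services that are not on a (hypothetical) allowlist. The sample adb output and the service class name `.AccService` are constructed for the example.

```python
"""Triage helper: flag reported Hook package names and unexpected Accessibility
Services in text captured from an Android device via adb.

Added example for this article; not part of ThreatFabric's tooling.
The package names come from the article; the adb output below is constructed.
"""

# Package names reported for the Hook "Google Chrome" APKs (from the article).
HOOK_PACKAGES = frozenset({
    "com.lojibiwawajinu.guna",
    "com.damariwonomiwi.docebi",
    "com.yecomevusaso.pisifo",
})

# Hypothetical allowlist of accessibility services an organisation expects.
KNOWN_ACCESSIBILITY_SERVICES = frozenset({
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService",
})

# Constructed sample output of `adb shell pm list packages`.
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:com.damariwonomiwi.docebi
package:com.android.settings
"""

# Constructed sample output of
# `adb shell settings get secure enabled_accessibility_services`
# (colon-separated '<package>/<ServiceClass>' entries; '.AccService' is made up).
SAMPLE_SETTINGS_OUTPUT = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.damariwonomiwi.docebi/.AccService\n"
)


def parse_package_list(pm_output: str) -> set:
    """Parse 'package:<name>' lines into a set of package names."""
    packages = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.add(line[len("package:"):])
    return packages


def parse_accessibility_services(settings_output: str) -> set:
    """Parse the enabled_accessibility_services value.

    The setting is a colon-separated list; 'null' or an empty string means
    no accessibility service is enabled.
    """
    value = settings_output.strip()
    if not value or value == "null":
        return set()
    return {entry for entry in value.split(":") if entry}


def triage(pm_output: str, settings_output: str) -> dict:
    """Correlate installed packages with enabled accessibility services."""
    installed = parse_package_list(pm_output)
    enabled = parse_accessibility_services(settings_output)

    # Installed packages matching the names reported for Hook.
    hook_packages = sorted(installed & HOOK_PACKAGES)

    # Enabled services outside the allowlist: worth a look on any device.
    unexpected = sorted(s for s in enabled if s not in KNOWN_ACCESSIBILITY_SERVICES)

    # Unexpected services owned by a reported Hook package: strongest signal,
    # since the VNC module needs the Accessibility Service to function.
    hook_services = sorted(
        s for s in unexpected if s.split("/", 1)[0] in HOOK_PACKAGES
    )

    if hook_packages:
        verdict = "infected"
    elif unexpected:
        verdict = "suspicious"
    else:
        verdict = "clean"

    return {
        "hook_packages": hook_packages,
        "unexpected_accessibility_services": unexpected,
        "hook_accessibility_services": hook_services,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PM_OUTPUT, SAMPLE_SETTINGS_OUTPUT).items():
        print(f"{key}: {value}")
```

The allowlist approach matters because the package names are expected to change: a device with no known Hook package but an accessibility service enabled for an unfamiliar package still surfaces as “suspicious”, which is the signal the VNC dependency gives a defender even after the indicators rotate.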