New Android malware “Hook” allows hackers to remotely control your phone


Cybercriminals are promoting a brand new Android malware called “Hook,” which they claim can remotely take over mobile devices in real time using VNC (Virtual Network Computing).

The new malware is being promoted by the creator of Ermac, an Android banking Trojan selling for $5,000 per month that helps threat actors steal credentials from over 467 banking and crypto apps through overlaid login pages.

While the author of Hook claims the new malware was written from scratch, and despite it having many more features than Ermac, the researchers at ThreatFabric dispute these claims and say they have seen extensive code overlap between the two families.

ThreatFabric states that Hook contains most of the Ermac base code, so it is still a banking Trojan. At the same time, it includes many unnecessary parts found in the older family that suggest bulk code reuse.

More dangerous malware for Android

Regardless of its origin, Hook is an evolution of Ermac, offering a range of capabilities that make it a much more serious threat to Android users.

One of Hook’s new features compared to Ermac is the introduction of a WebSocket connection alongside the HTTP traffic used exclusively by Ermac. Network traffic is still encrypted using an AES-256-CBC key.

However, the notable addition is the “VNC” module, which gives threat actors the ability to interact with the compromised device’s user interface in real time.

Hook’s author promotes the new VNC system (ThreatFabric)

This new system allows Hook operators to perform any action on the device, from leaking personally identifiable information to carrying out financial transactions.

“With this feature, Hook joins the ranks of malware families capable of performing a full DTO (device takeover), completing an entire fraud chain, from PII exfiltration to transaction, with all intermediate steps, without the need for additional channels,” warns ThreatFabric.

“This kind of operation is difficult to detect with fraud logging engines, and is the main selling point for Android bankers.”

The catch is that Hook’s VNC requires access to the Accessibility service to work, which can be difficult to obtain on devices running Android 11 or later.

The new Hook commands (in addition to Ermac’s) can perform the following actions:

  • Start / stop RAT
  • Perform a specific swipe gesture
  • Take a screenshot
  • Simulate clicking on a specific text element
  • Simulate pressing a key (HOME / BACK / RECENTS / LOCK / POWERDIALOG)
  • Unlock the device
  • Scroll up / down
  • Simulate a long press event
  • Simulate clicking at specific coordinates
  • Set the clipboard value to the widget at a specific coordinate
  • Simulate clicking a widget with a specific text value
  • Set the value of a widget to specific text

Apart from the above, the “File Manager” command turns the malware into a file manager, allowing threat actors to obtain a list of all files stored on the device and download specific files of their choice.

Another notable finding by ThreatFabric relates to WhatsApp: Hook can log all messages in the popular instant messaging app and even lets operators send messages via the victim’s account.

Finally, the new geolocation tracking system allows Hook operators to track the exact location of the victim by abusing the “Access Fine Location” permission.

Precisely tracking the victim’s location (ThreatFabric)

Global targeting

Hook’s targeted banking apps affect users in the United States, Spain, Australia, Poland, Canada, Turkey, the United Kingdom, France, Italy and Portugal.

Hook’s number of targeted banking apps per country (ThreatFabric)

However, it is important to note that Hook’s broad targeting covers the entire world. ThreatFabric has listed all of Hook’s targets in the appendix of its report.

Currently, Hook is distributed as a fake Google Chrome APK under the package names “com.lojibiwawajinu.guna”, “com.damariwonomiwi.docebi”, “com.damariwonomiwi.docebi” and “com.yecomevusaso.pisifo”, but of course this can change at any moment.
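The two detection handles the article gives a defender are the package names above and the fact that Hook’s VNC module needs the Accessibility service enabled. The following Python script is an added example, not code from the article or from ThreatFabric: it parses the output of `adb shell pm list packages -f` and of `adb shell settings get secure enabled_accessibility_services` (both real Android commands) and flags known Hook package names as well as any non-allowlisted app that has an accessibility service turned on. The sample device output, the genuine Chrome package name used as a baseline, and the allowlist are constructed assumptions for the example.

```python
from __future__ import annotations

# Package names quoted in the article as Hook's current distribution vehicles.
HOOK_PACKAGES = {
    "com.lojibiwawajinu.guna",
    "com.damariwonomiwi.docebi",
    "com.yecomevusaso.pisifo",
}

# Accessibility services expected on the device. Constructed allowlist for this
# example; a real deployment would derive it from the organisation's baseline.
ACCESSIBILITY_ALLOWLIST = {
    "com.google.android.marvin.talkback",
}

# Constructed sample of `adb shell pm list packages -f` output. Each line is
# package:<apk path>=<package name>. Real APK paths contain base64-style "=="
# segments, which is why the parser splits on the LAST "=".
SAMPLE_PM_OUTPUT = """\
package:/product/app/Chrome/Chrome.apk=com.android.chrome
package:/data/app/~~abc==/com.damariwonomiwi.docebi-xyz==/base.apk=com.damariwonomiwi.docebi
package:/system/app/talkback/talkback.apk=com.google.android.marvin.talkback
package:/data/app/~~def==/com.example.notes-uvw==/base.apk=com.example.notes
"""

# Constructed sample of `settings get secure enabled_accessibility_services`:
# colon-separated <package>/<ServiceClass> entries.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.damariwonomiwi.docebi/.AccService"
)


def parse_pm_list(pm_output: str) -> dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` output."""
    installed: dict[str, str] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # ignore adb banners or stray lines
        body = line[len("package:"):]
        path, sep, pkg = body.rpartition("=")
        if sep:
            installed[pkg] = path
        else:
            installed[body] = ""  # output without -f has no path
    return installed


def parse_accessibility_services(setting_value: str) -> set[str]:
    """Return the set of packages with an enabled accessibility service."""
    value = setting_value.strip()
    if not value or value == "null":  # 'null' is what settings prints when unset
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def triage(pm_output: str, accessibility_value: str) -> list[str]:
    """Produce human-readable findings; an empty list means nothing suspicious."""
    findings: list[str] = []
    installed = parse_pm_list(pm_output)
    for pkg in sorted(installed):
        if pkg in HOOK_PACKAGES:
            findings.append(f"known Hook package installed: {pkg} ({installed[pkg]})")
    enabled = parse_accessibility_services(accessibility_value)
    for pkg in sorted(enabled - ACCESSIBILITY_ALLOWLIST):
        tag = " (known Hook package)" if pkg in HOOK_PACKAGES else ""
        findings.append(f"accessibility service enabled for {pkg}{tag}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PM_OUTPUT, SAMPLE_ACCESSIBILITY):
        print(finding)
```

The accessibility check is deliberately an allowlist rather than a blocklist: package names change “at any moment”, as the article notes, but a banking Trojan that wants VNC-style control still has to show up in `enabled_accessibility_services`, so any unexpected entry there is the more durable signal.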

To avoid infection with Android malware, you should only install apps from the Google Play Store or those provided by your employer.
