In a nutshell: security researchers from ThreatFabric have discovered an Android banking malware called “Hook”. The program allows attackers to remotely take over the victim’s phone. They can use it to steal data, exfiltrate personally identifiable information (PII), carry out financial transactions and much more.
A threat actor (TA) operating under the name DukeEugene sells the malware on the darknet and claims to have written the code “from scratch”. However, ThreatFabric’s analysis of the code shows that it is an offshoot of Ermac, one of the most frequently detected malware families. While most of the code belongs to that well-known banking Trojan, the rest consists of fragments borrowed from other programs, which shows that there is no honor among thieves.
Despite DukeEugene’s false claim of authorship (although the TA did write the Ermac source code), Hook brings many new features to the malware family. It adds WebSocket communication and encrypts its traffic using a hard-coded AES-256-CBC key.
What sets Hook apart from Ermac is its ability to use virtual network computing (VNC) to take control of an Android phone. The software can send virtual swipe gestures, scroll, take screenshots and simulate keystrokes, including long presses.
“With this feature, Hook joins a family of malware capable of performing a full DTO [device hijacking] and completing a complete fraud chain, from PII exfiltration to transaction, with all intermediate steps without the need for additional channels,” ThreatFabric said. “This kind of transaction is much more difficult to detect using fraud assessment mechanisms, and this is the main argument in favor of Android bankers.”
The researchers say that Hook also acts as a file manager. Attackers can use it to list all the files on the phone and download any they deem valuable. It can also view or download any images stored on the phone. Hook does not even need shell commands to exfiltrate files; instead, it uses the existing Android APIs to steal them. This capability, combined with access to real-time GPS tracking information, makes it a hybrid banking Trojan/spyware program.
The targeted banking applications are spread worldwide: the USA, Australia, Canada, the UK and France are among the top ten targets. However, ThreatFabric reports that the list of countries outside the top ten is very extensive, and those regions are only slightly below tenth place. The researchers posted a full list of targeted applications and package names related to Hook at the end of their blog post. The article also has all the technical nuts and bolts for those who are interested.
As for mitigation, always practice basic security hygiene. Avoid downloading software from outside the Google Play Store or other trusted sources. In addition, Hook requests accessibility permissions to gain administrator rights, so be careful with applications requesting this type of access.
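One practical way to act on that last point is to audit which apps actually hold accessibility access on a device. The script below is an added example written for this article, not code from ThreatFabric or the Hook report; it parses the colon-separated list Android keeps in the `enabled_accessibility_services` secure setting (readable via `adb shell settings get secure enabled_accessibility_services`) and flags any package not on an allowlist you maintain. The allowlist contents and the sample values are assumptions for illustration.

```shell
#!/bin/sh
# Added example: flag unexpected Android accessibility services, since Hook
# abuses the accessibility permission. Not taken from the article or ThreatFabric.

# Packages you expect to hold accessibility access (assumed allowlist; adjust).
ALLOWLIST="com.android.talkback com.google.android.marvin.talkback"

# audit_accessibility VALUE
# VALUE is the raw enabled_accessibility_services setting: ComponentNames of
# the form package/Class, separated by ':'. "null" or "" means none enabled.
# Prints one line per package not on the allowlist; returns 1 if any found.
audit_accessibility() {
    value="$1"
    found=0
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0
    fi
    for comp in $(printf '%s' "$value" | tr ':' ' '); do
        pkg="${comp%%/*}"          # package half of package/Class
        allowed=0
        for ok in $ALLOWLIST; do
            [ "$pkg" = "$ok" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            printf 'UNEXPECTED accessibility service: %s\n' "$comp"
            found=1
        fi
    done
    return "$found"
}

# audit_device: read the live setting from a connected device over adb.
# Returns 2 if adb is not installed, otherwise audit_accessibility's status.
audit_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 2; }
    audit_accessibility "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
}

# Usage (on a workstation with adb and an authorized device):
#   . ./audit_a11y.sh && audit_device
```

A non-zero exit from `audit_device` means at least one app outside your allowlist has accessibility access and deserves a closer look; it is a triage signal, not proof of infection.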