With a new Android Trojan, hackers can remotely control your phone

The cybercriminals behind the well-known Android banking trojans BlackRock and ERMAC are now offering another piece of malware, called Hook, which they claim can take remote control of a mobile phone in real time. Researchers at ThreatFabric, who first spotted the new malware, say it is currently being rented out for $7,000 a month.

Most of the banking applications this malware targets are used in the US, Spain, Australia, Poland, Canada, Turkey, the UK, France, Italy and Portugal, but the full list of targeted applications spans the globe.

Hook is the work of a threat actor known as DukeEugene and is effectively the successor to ERMAC, which came to light in September 2021. ERMAC, rented for $5,000 per month, is itself based on another trojan, Cerberus, whose source code was leaked in 2020. ERMAC lets its customers steal credentials from 467 banking and cryptocurrency apps by displaying fake login pages overlaid on the targeted apps.

Although Hook's author claims the new malware was written from scratch, and although it does have several features ERMAC lacks, ThreatFabric's researchers dispute that claim, saying they have seen significant code overlap between the two families.

“ERMAC has always been behind the Hydra and Octo malware in terms of capabilities and features,” said ThreatFabric researcher Dario Durando, who says this is why cybercriminals have consistently preferred those two families over ERMAC.

The main shortcoming of modern Android banking trojans is their lack of RAT (Remote Access Trojan) capabilities. Without the ability to take over the device, the operator has no way of carrying out the fraud on the device itself, which is what gives it the best chance of succeeding undetected. This gap is most likely what prompted the development of the new malware.

Although it is the obvious successor to ERMAC, Hook offers many more features, which make it more dangerous for Android users.

The most important addition is a VNC (Virtual Network Computing) module, which lets the operators interact with the user interface of a compromised device in real time. This allows them to perform any action on the infected device, bringing Hook into line with the Hydra and Octo malware mentioned above.

Hook's VNC module, however, requires access to the Android accessibility service, which the malware would have a hard time obtaining on devices running Android 11 or later.

Hook abuses the Android accessibility services to perform overlay attacks and to collect all kinds of sensitive data: contacts, call logs, keystrokes, two-factor authentication (2FA) codes and even WhatsApp messages. It also allows the operators to send messages through the victim's WhatsApp account.

Hook also has an expanded list of targeted applications, and the malware itself masquerades as the Google Chrome web browser to trick users into installing it. It is currently distributed as a Google Chrome APK under the package names “com.lojibiwawajinu.guna”, “com.damariwonomiwi.docebi” and “com.yecomevusaso.pisifo”, but this may change at any time.
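As an added, practitioner-side check (not part of the original article or of ThreatFabric's research), the bash script below takes the output of two standard adb commands, `pm list packages -3` and `settings get secure enabled_accessibility_services`, and matches it against the package names listed above, flagging any of them that has an accessibility service enabled, since Hook needs that service for its overlays and VNC. The sample inputs are constructed for offline demonstration, and the accessibility service class name in them is an assumption, not a real Hook indicator.

```shell
#!/usr/bin/env bash
# Added triage example (not from the article or from ThreatFabric).
# Input comes from two real adb commands, run against a connected device:
#   adb shell pm list packages -3
#       -> third-party packages, one per line, as "package:<name>"
#   adb shell settings get secure enabled_accessibility_services
#       -> "<pkg>/<service class>:<pkg>/<service class>..." or "null" when unset

# Package names reported for the fake "Google Chrome" APKs (from the article).
HOOK_PACKAGES="com.lojibiwawajinu.guna
com.damariwonomiwi.docebi
com.yecomevusaso.pisifo"

# find_hook_packages PKG_LIST
#   PKG_LIST is the text output of `pm list packages`. Prints each known Hook
#   package that is installed, one per line; returns 0 if any was found, 1 otherwise.
find_hook_packages() {
    local pkg_list="$1" found=1 pkg
    while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        # -x: whole line must match; -F: treat the dots in the name literally
        if printf '%s\n' "$pkg_list" | grep -qxF "package:$pkg"; then
            printf '%s\n' "$pkg"
            found=0
        fi
    done <<EOF
$HOOK_PACKAGES
EOF
    return "$found"
}

# accessibility_enabled_for SETTING PKG
#   SETTING is the raw value of enabled_accessibility_services ("null" when unset).
#   Returns 0 if PKG owns at least one enabled accessibility service, 1 otherwise.
accessibility_enabled_for() {
    local setting="$1" pkg="$2" entry old_ifs="$IFS"
    [ "$setting" != "null" ] || return 1
    IFS=':'                      # entries are colon-separated component names
    for entry in $setting; do
        case "$entry" in
            "$pkg"/*) IFS="$old_ifs"; return 0 ;;
        esac
    done
    IFS="$old_ifs"
    return 1
}

# triage PKG_LIST SETTING
#   Prints one finding per installed Hook package and returns 0 only when
#   none of the known packages is present.
triage() {
    local pkg_list="$1" setting="$2" pkg hits
    hits=$(find_hook_packages "$pkg_list") || true
    [ -n "$hits" ] || return 0
    for pkg in $hits; do
        if accessibility_enabled_for "$setting" "$pkg"; then
            printf 'ALERT %s installed, accessibility service enabled (overlay/VNC capable)\n' "$pkg"
        else
            printf 'WARN  %s installed, accessibility service not enabled\n' "$pkg"
        fi
    done
    return 1
}

# Constructed sample data (not a real device capture): one Hook package sits
# between two legitimate browsers, and it has an accessibility service enabled.
# The ".AccessService" class name is an assumption for the demo, not an IOC.
SAMPLE_PACKAGES="package:com.android.chrome
package:com.damariwonomiwi.docebi
package:org.mozilla.firefox"
SAMPLE_SERVICES="com.damariwonomiwi.docebi/com.damariwonomiwi.docebi.AccessService:com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

if triage "$SAMPLE_PACKAGES" "$SAMPLE_SERVICES"; then
    echo "no known Hook packages installed"
fi
```

Because the article notes the package names can change at any moment, the name match is a point-in-time check; the more durable signal is the second one, a sideloaded app that has been granted an accessibility service, which is what Hook needs for its overlay and VNC features. In live use, replace the sample strings with `adb shell pm list packages -3` and `adb shell settings get secure enabled_accessibility_services` output.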

Hook's main features include remotely viewing and interacting with the infected device's screen, accessing files, extracting seed phrases from cryptocurrency wallets and tracking the phone's exact location, which puts this malware somewhere between spyware and banking malware.

ThreatFabric said the Hook samples seen so far are still in a testing phase, but could be delivered through phishing campaigns, Telegram channels or dropper applications in the Google Play Store.

“The main disadvantage of creating new malware is usually gaining enough trust from other actors, but with DukeEugene’s status among criminals, it is very likely that this will not be a problem for Hook,” said Durando.

Cover photo: Ayse Ipek, Pexels



Source: Informacija.rs by www.informacija.rs.