Dubbed “Hook,” the new malware allows real-time hijacking of and spying on Android devices

In brief: Security researchers at ThreatFabric have discovered a new Android banking malware called “Hook”. The software allows hackers to take over a target’s phone remotely. Bad actors can use it to steal data, harvest personally identifiable information (PII), perform financial transactions, and more.

The threat actor (TA), who goes by DukeEugene, sells the malware on the dark web and claims to have written the code “from scratch”. However, ThreatFabric’s analysis shows that Hook appears to be a fork of Ermac, one of the most common malware families discovered in the wild. While most of the code is from that well-known banking Trojan, the rest is bits and pieces from other software, showing a lack of honor among thieves.

Despite DukeEugene’s false claims of authorship (although the TA did write the original Ermac code), Hook introduces several new features to the malware family. It includes a WebSocket connection and encrypts its traffic with a static AES-256-CBC key.

What sets Hook apart from Ermac is its ability to use Virtual Network Computing (VNC) to hijack an Android phone. The program can send virtual swipe and scroll gestures, take screenshots, and simulate keystrokes, including a long press.

“With this feature, Hook joins the ranks of malware families capable of fully performing DTO [device take-over] and completing the entire fraud chain, from the exfiltration of PII to the transaction, with all the intermediate steps, without the need for additional channels. This type of operation is difficult to detect by fraud logging engines and is the main selling point for Android bankers,” the researchers wrote.

Researchers say Hook also acts as a file manager. Hackers can use it to view all the files on the phone or download any they find valuable. It can also view or download any photos on the phone. Hook does not even need to use shell commands to perform file extraction; instead, it uses existing Android APIs to steal files. This capability, along with its access to real-time GPS tracking information, makes it a combined banking Trojan and spyware package.

The targeted banking applications are widespread, with the United States, Australia, Canada, the United Kingdom and France reported among the top ten target countries. However, ThreatFabric says the list of countries outside the top 10 is extensive, with those regions falling just short of 10th place. The researchers published a full list of targeted applications and package names associated with Hook at the end of their blog post. The article also contains all the technical nuts and bolts for those interested.

As for mitigation, always practice good security hygiene. Avoid downloading software from outside the Google Play Store or other trusted sources. Also, Hook asks for access permissions that give it administrator privileges, so be wary of apps that request this kind of access.
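As an added defensive check (not part of this article or of ThreatFabric’s research), the POSIX shell script below lists which apps on a connected Android device currently hold accessibility-service access and flags any that are not on an allowlist. It assumes adb is installed with USB debugging enabled, and it assumes the “access permissions” the article refers to are the accessibility-services setting (device admins can be inspected separately with `dumpsys device_policy`); the sample setting value used for the self-test is constructed.

```shell
#!/bin/sh
# Audit which packages hold accessibility-service access on an Android device.
# Added example, not code from the article or from ThreatFabric.
# Assumes: adb on PATH, one device attached, USB debugging enabled.

# The Secure setting enabled_accessibility_services is a colon-separated list
# of "package/ServiceClass" entries, or the literal string "null" when empty.
# Print one package name per line, de-duplicated.
list_accessibility_packages() {
  value="$1"
  [ -z "$value" ] || [ "$value" = "null" ] && return 0
  printf '%s\n' "$value" | tr ':' '\n' | sed 's#/.*##' | sed '/^$/d' | sort -u
}

# Print every package from the setting value that is NOT in the allowlist.
# Allowlist is colon-separated, e.g. "com.android.talkback:com.vendor.reader".
flag_unknown() {
  value="$1"
  allow="$2"
  for pkg in $(list_accessibility_packages "$value"); do
    case ":$allow:" in
      *":$pkg:"*) ;;                       # known, skip
      *) printf '%s\n' "$pkg" ;;           # unexpected holder of accessibility access
    esac
  done
}

# Pull the live setting from the attached device and report unexpected packages.
# ALLOWLIST is a placeholder; fill it with the accessibility apps you installed deliberately.
audit_device() {
  ALLOWLIST="${ALLOWLIST:-com.android.talkback}"
  live=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
  echo "Accessibility services enabled on device:"
  list_accessibility_packages "$live"
  echo "Packages not on the allowlist (review these):"
  flag_unknown "$live" "$ALLOWLIST"
  echo "Device admins (inspect manually):"
  adb shell dumpsys device_policy | grep -i 'admin'
}

# Only touch a device when explicitly asked, so the functions can be sourced safely.
[ "${1:-}" = "--device" ] && audit_device
```

Run it as `sh audit.sh --device`; any package listed under “not on the allowlist” deserves a look, since an app you never intended to grant that access is the pattern the article warns about.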
