Researchers from security firm ThreatFabric have warned users about a new Android malware that can remotely control their phones. Hackers can use the malware to steal data, exfiltrate personally identifiable information (PII), make financial transactions and more. The new Android malware is being called 'Hook'.
Researchers at security firm ThreatFabric discovered that the Hook malware could be bought on the dark web. The team behind the discovery says that Hook is essentially a banking trojan. Based on its code, it appears quite similar to Ermac, another popular trojan.
However, there are a few standout features, including the use of VNC (virtual network computing) to take over the mobile device. Hook also supports WebSocket communication and encrypts its traffic with AES-256-CBC using a hardcoded key.
“The malware is advertised as 'written from scratch'. This is debatable, as the majority of the code base remains the one from Ermac, including some commands in Russian expressing an unnecessary angst towards the world, which in our opinion would not have made the cut if a proper revision of the code had taken place,” said the ThreatFabric report.
Hook can perform specific swipe gestures, take screenshots, simulate key presses, scroll, and simulate a long-press event. The malware can also act as a file manager, which allows its operators to list all of the files residing on the endpoint and exfiltrate the ones they deem worthy.
“This kind of operation is much harder to detect by fraud scoring engines, and is the main selling point for Android bankers,” said the team. However, to reach its full potential, the malware needs Accessibility Service permissions in Android. If that permission is granted, victims can also expect their location to be revealed, as Hook is also able to abuse the “Access Fine Location” permission.
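Because Hook depends on the Accessibility Service permission to reach its full potential, a practical defensive check is to audit which apps currently hold it. The script below is an added example, not code from the ThreatFabric report; the device output and the allowlist it compares against are constructed.

```shell
#!/bin/sh
# Added example: flag enabled Android accessibility services that are not on an
# allowlist. On a real device the raw value comes from
#   adb shell settings get secure enabled_accessibility_services
# which prints a colon-separated list of "package/ServiceClass" entries, or "null".

# Constructed sample of that output, standing in for a real device.
SAMPLE_ENABLED='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.dropper/.a11y.OverlayService'

# Hypothetical allowlist of packages whose accessibility services are expected.
ALLOWLIST='com.android.talkback'

# Print the package name (one per line) of every enabled service whose package
# is not in the allowlist. Returns 1 if any were found, 0 otherwise.
audit_accessibility_services() {
    enabled=$1
    allow=$2
    found=0
    [ "$enabled" = "null" ] && return 0
    # Split the list on ':' by temporarily changing the field separator.
    old_ifs=$IFS
    IFS=':'
    for entry in $enabled; do
        pkg=${entry%%/*}          # keep only the part before the first '/'
        case ":$allow:" in
            *":$pkg:"*) ;;        # expected service, ignore it
            *) echo "$pkg"; found=1 ;;
        esac
    done
    IFS=$old_ifs
    return $found
}

# Usage with the constructed sample; feed it the adb output on a real device.
if audit_accessibility_services "$SAMPLE_ENABLED" "$ALLOWLIST"; then
    echo "no unexpected accessibility services"
else
    echo "unexpected accessibility services found (listed above)"
fi
```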