New Android malware called “Hook” lets attackers take over and spy on Android devices in real time.

In a nutshell: Security researchers at ThreatFabric have discovered a new Android banking malware family called “Hook”. The program allows hackers to remotely take over the victim’s phone. Attackers can use it to steal data, exfiltrate personally identifiable information (PII), make financial transactions, and more.

A threat actor (TA) named DukeEugene sells the malware on the dark web and claims to have written the code from scratch. However, ThreatFabric’s code analysis shows it is a fork of Ermac, one of the most frequently detected malware families. While most of the code belongs to that well-known banking trojan, the rest is fragments of other programs, indicating that there is no honor among thieves.

Despite DukeEugene’s false claim of writing it from scratch (even though the TA did write the Ermac source code), Hook brings many new features to the malware family. It enables WebSocket communication with its command-and-control server and encrypts that traffic with a hardcoded AES-256-CBC key.

What sets Hook apart from Ermac is its ability to use Virtual Network Computing (VNC) to take over an Android phone. The software can send virtual swipe gestures, scroll, take screenshots, and simulate keystrokes, including long presses.

“With this feature, Hook is among the malware families capable of performing a full DTO [device take-over] and completing the full fraud chain, from PII exfiltration to transaction, with all steps in between, without the need for additional channels,” said ThreatFabric.

The researchers say that Hook also acts as a file manager. Hackers can use it to list all the files on the phone and download any they deem valuable, and it can likewise view or download any images stored on the phone. Hook doesn’t even need to use shell commands to exfiltrate files; instead, it uses existing Android APIs to steal them. This capability, combined with real-time access to GPS location data, makes it a dual-purpose banking trojan and spyware.

The banking apps Hook targets are spread worldwide, with the US, Australia, Canada, the UK and France among the top ten targeted countries. ThreatFabric notes, however, that the list of targeted countries outside the top ten is also very extensive, with many regions sitting just below them. The researchers posted a complete list of targeted applications and their package names at the end of their blog post, which also has all the technical nuts and bolts for those who are interested.

As far as mitigation goes, always practice good security hygiene. Avoid downloading software from outside the Google Play Store or other trusted sources. In addition, Hook requests accessibility permissions to gain control of the device, so be careful with applications requesting this type of access.
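One practical check that follows from the two points above, written here as an added example and not taken from ThreatFabric’s report: list the packages that have an enabled accessibility service on an Android device and flag any that were not installed by Google Play. The live commands assume `adb` with a connected device; the parsing functions take the raw strings so they can be exercised on the constructed sample data below.

```shell
#!/bin/sh
# Added example: triage enabled accessibility services on an Android device.
# Hook abuses the accessibility permission, and sideloaded apps are the usual
# delivery route, so packages with an accessibility service that did not come
# from Google Play deserve a closer look.

# Extract unique package names from the colon-separated
# "pkg/service:pkg2/service2" value of enabled_accessibility_services.
accessibility_packages() {
  printf '%s' "$1" | tr ':' '\n' | cut -d/ -f1 | grep -v '^$' | sort -u
}

# Given the output of `pm list packages -i` (lines such as
# "package:com.example installer=com.android.vending"), print the installer
# of one package, or "unknown" if the package is not listed.
installer_of() {
  pkg="$1"; listing="$2"
  line=$(printf '%s\n' "$listing" | grep "^package:$pkg installer=" || true)
  [ -n "$line" ] && printf '%s' "${line#*installer=}" || printf 'unknown'
}

# Print "pkg installer" for every package with an enabled accessibility
# service whose installer is NOT Google Play (com.android.vending).
flag_suspicious() {
  services="$1"; listing="$2"
  for pkg in $(accessibility_packages "$services"); do
    inst=$(installer_of "$pkg" "$listing")
    [ "$inst" = "com.android.vending" ] || printf '%s %s\n' "$pkg" "$inst"
  done
}

# Live use (needs adb and a device with USB debugging enabled):
#   flag_suspicious "$(adb shell settings get secure enabled_accessibility_services)" \
#                   "$(adb shell pm list packages -i)"

# Constructed sample data for offline demonstration; the package names and
# service names below are made up and are not indicators from the report.
SAMPLE_SERVICES='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakebank/.AccessService'
SAMPLE_LISTING='package:com.android.talkback installer=com.android.vending
package:com.example.fakebank installer=null'
```

Run against the sample data, `flag_suspicious "$SAMPLE_SERVICES" "$SAMPLE_LISTING"` reports only the sideloaded package; an installer of `null` means the app was not installed through a store at all.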

Image credit: ThreatFabric
