New Android malware straddles the line between banking Trojan and spyware

New Android malware straddles the line between banking Trojan and spyware

Security researchers have uncovered a disturbing new piece of Android banking malware with some very expanded capabilities.

The new malware, called Hook, was thought to be a fork of the Ermac malware, which was itself based on the well-known malware Cerberus. However, researchers at fraud specialist ThreatFabric found that while it was largely based on much the same code as Ermac, its creator had added some very advanced spyware features.

Hook, like Ermac before it, is currently being advertised for sale on the dark web by a hacker known as DukeEugene. 

The malware communicates with its command and control servers via HTTP traffic, and WebSocket, which is a new addition to this variant. C2 servers can be set to command the malware to use one or the other to communicate once the malware has been successfully installed on a device.

Hook can target a vast number of banking institutions out of the box from all over the world. The United States and Spain are the top two targets, but Australia is not far behind, with 56 banking institutions in the malware’s crosshairs.

The malware can now also target crypto transactions, with eight separate wallets whose seed phrases (a string of words users can use to get back into locked accounts) can be harvested. 

WhatsApp interactions are another new addition. Threat actors can now not only log all messages sent and received but also send messages themselves. According to ThreatFabric’s researchers, this could be a vector for spreading the malware to other users. Hook can also retrieve lists of files and then download them to a remote server. 

But it is the remote takeover functionality by way of a device’s accessibility services that is a truly scary addition. 

ISCOVER

The new malware can now simulate clicks, keypresses, and gestures; access text boxes; and unlock devices. On top of this, Hook can also geolocate users.

“With this feature, Hook joins the ranks of malware families that are able to perform full DTO, and complete a full fraud chain, from PII exfiltration to transaction, with all the intermediate steps, without the need of additional channels,” ThreatFabric said. 

“This kind of operation is much harder to detect by fraud scoring engines and is the main selling point for Android bankers.”

You can find a full list of the malware’s capabilities and banking targets here.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.