In a nutshell: Security researchers at ThreatFabric have uncovered an Android banking malware known as "Hook." The tool lets attackers take over a target's phone remotely. Bad actors can use it to steal data, exfiltrate personally identifiable information (PII), make financial transactions, and more.
A threat actor (TA), going by DukeEugene, sells the malware on the dark web and claims to have written the code "from scratch." However, ThreatFabric's code analysis shows it to be a fork of Ermac, one of the most-detected malware families in the wild. While most of the code is from the well-known banking trojan, the rest is bits and pieces of other programs, showing there is no honor among thieves.
Despite DukeEugene's false claims of authorship (though the TA did write the original Ermac code), Hook brings many new features to the malware family. It adds WebSocket communication with its command-and-control server and encrypts that traffic with AES-256-CBC using a hardcoded key, which means anyone who extracts the key from the APK can decrypt the traffic as well.
What sets Hook apart from Ermac is its ability to use virtual network computing (VNC) to hijack an Android phone. The software can send virtual swipe gestures, scroll, take screenshots, and simulate keypresses, including a long press.
"With this feature, Hook joins the ranks of malware families that are able to perform full DTO [device take-over] and complete a full fraud chain, from PII exfiltration to transaction, with all the intermediate steps, without the need of additional channels," said ThreatFabric. "This kind of operation is much harder to detect by fraud scoring engines and is the main selling point for Android bankers."
The researchers say that Hook also acts as a file manager. Attackers can use it to list all files on the phone and download any they find valuable, including photos. Hook doesn't even need shell commands to perform file exfiltration; instead, it uses the existing Android APIs to read and upload the files. This capability, coupled with its access to real-time GPS tracking data, makes it a dual-duty banking-trojan/spyware suite.
The malware's targets (banking apps) are widespread and extensive, with the US, Australia, Canada, the UK, and France all reported in the top ten of targeted countries. However, ThreatFabric says that the list of countries outside the top ten is wide-sweeping, with those regions only slightly below tenth place. The researchers posted a complete list of targeted apps and the package names associated with Hook at the end of their blog post. The article also covers the technical nuts and bolts.
As for mitigation, always practice safe security hygiene. Avoid downloading software from outside the Google Play Store or other trusted sources. Also, Hook asks for Accessibility Service permissions, which let an app read what is on screen and perform taps and swipes on the user's behalf (effectively control of the device), so be wary of apps asking for that kind of access, and periodically review which accessibility services are enabled.
Image credit: ThreatFabric