Malware Blurs Line Between Banking Trojan and Surveillance
Hook Banking Trojan Can Simulate Clicks and Send WhatsApp Messages
An improved Android banking Trojan dubbed Hook by security researchers is capable of taking remote control of mobile devices, contributing to the growing overlap between surveillance malware and financial fraud.
The Trojan, which analysis by Danish cybersecurity firm ThreatFabric characterizes as an improved version of the existing Ermac Trojan, is able to perform a "full attack chain from infection to fraudulent transaction."
Hook exploits an implementation of screen sharing known as virtual network computing (VNC) to achieve, in effect, the functionality of a remote access tool: it can take screenshots, simulate clicks and input swipe gestures. It can also transmit geolocation data and take control of files.
Hook can also open the WhatsApp chat app in order to extract messages, and it can send a new message that could be used by the Trojan's operators to spread the malware.
A threat actor known as DukeEugene, which has been renting out Ermac for roughly 18 months, began offering Hook in mid-January, ThreatFabric says. The firm told The Hacker News that access to Hook goes for an advertised price of $7,000 per month.
The emergence of Hook comes at a moment of growing global alarm over the commodification of advanced spyware and worries over the ease with which threat actors and governments alike can harvest private details from personal devices.
Based on code similarities with Ermac, including some commands in Russian that add no functionality, ThreatFabric says Hook is a variation of Ermac rather than a completely new Trojan.
Ermac itself is a descendant of the mobile banking Trojan Cerberus, whose source code made its way online in 2020 to a Russian darknet forum (see: Attacks Using Cerberus Banking Trojan Surge).