Hook alert, the Android banking trojan

The banking trojan Hook, active in the Android environment, is rapidly spreading online. The analysis by NCC Group security researchers Joshua Camp and Alberto Segura, published last week, shows that this malware is based on earlier malware known as ERMAC.

The experts explained that “The ERMAC source code was used as the basis for Hook”, and then pointed out that “All commands (30 in total) that the malware operator can send to a device infected with ERMAC malware, also exist in Hook. The code implementation for these commands is almost identical”.

The ERMAC-derived malware was first identified and documented by ThreatFabric in January 2023. Even then, researchers had noticed several similarities with its predecessor. In turn, ERMAC is derived from another malicious agent, known as DukeEugene.

Hook takes up the legacy of ERMAC and refines its capabilities

Hook goes well beyond what its “parent” offers, with as many as 38 additional commands that expand its functionality.

The main functions of ERMAC are focused on sending SMS messages, showing the victim a phishing window on top of a legitimate app, extracting a list of installed applications, collecting SMS messages and gaining access to cryptocurrency wallets.

The new malware, however, is capable of carrying out more complex operations such as:

  • stream what happens on the victim's display;
  • interact with the user interface to gain complete control of the device;
  • take pictures without the victim’s knowledge, using the front camera;
  • gather browser cookies;
  • steal seed phrases from multiple crypto wallets;
  • send an SMS message to multiple phone numbers (useful for effectively propagating malware through the victim’s address book).

Both malware families can also record keystrokes and abuse Android accessibility services to carry out overlay attacks, displaying content on top of other apps and stealing credentials from over 700 apps.
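A defender-side triage of the capability combination described above, as an added example that is not from the original article or from the NCC Group analysis: it parses decoded AndroidManifest.xml content and flags apps that pair an accessibility service with several sensitive permissions. The capability-to-permission mapping, the threshold and the sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Assumed mapping: capabilities named in the article -> standard Android permissions.
CAPABILITIES = {
    "send SMS": "android.permission.SEND_SMS",
    "collect SMS": "android.permission.READ_SMS",
    "take pictures": "android.permission.CAMERA",
    "draw over other apps": "android.permission.SYSTEM_ALERT_WINDOW",
    "list installed apps": "android.permission.QUERY_ALL_PACKAGES",
}

def triage_manifest(manifest_xml, threshold=2):
    """Flag an app that pairs an accessibility service with several sensitive permissions."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    a11y = [s.get(ANDROID + "name") for s in root.iter("service")
            if s.get(ANDROID + "permission") == BIND_A11Y]
    caps = sorted(c for c, perm in CAPABILITIES.items() if perm in requested)
    return {"package": root.get("package"), "accessibility_services": a11y,
            "capabilities": caps, "flag": bool(a11y) and len(caps) >= threshold}

def manifest(package, permissions, a11y_service=None):
    """Build a constructed sample manifest (hypothetical apps, not real samples)."""
    ns = 'xmlns:android="http://schemas.android.com/apk/res/android"'
    perms = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                    for p in permissions)
    svc = (f'<service android:name="{a11y_service}" android:permission="{BIND_A11Y}"/>'
           if a11y_service else "")
    return (f'<manifest {ns} package="{package}">{perms}'
            f'<application>{svc}</application></manifest>')

# Constructed samples: a suspicious combination, a plain screen reader, a plain SMS app.
SAMPLES = [
    manifest("com.example.updater",
             ["SEND_SMS", "READ_SMS", "CAMERA", "SYSTEM_ALERT_WINDOW"], ".Helper"),
    manifest("com.example.screenreader", [], ".Reader"),
    manifest("com.example.messages", ["SEND_SMS", "READ_SMS"]),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage_manifest(sample))
```

Only the first sample is flagged: an accessibility service alone, or SMS permissions alone, are common in legitimate apps, so the check keys on the combination.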

As with many other similar malicious agents, in this case too it is important to work on prevention by staying well informed, exercising a good degree of caution and using an Android antivirus worthy of the name.

