A recent analysis of the Android banking trojan Hook has revealed that it is built on its predecessor, ERMAC.
Hook: New Android banking trojan
In January 2023, ThreatFabric first identified Hook, categorizing it as a “variant of ERMAC” available for purchase at a monthly rate of $7,000. Both families are the work of a malware author known as DukeEugene.
Hook extends ERMAC’s functionality with more features, supporting up to 38 additional commands compared to ERMAC.
ERMAC’s core functionality includes sending SMS messages, overlaying a phishing window on top of legitimate applications, listing installed apps, collecting SMS messages, and retrieving recovery phrases for numerous cryptocurrency wallets.
Hook goes further: it live-streams the victim’s screen and actively interacts with the user interface to gain complete control over the compromised device. It can also capture images with the front camera, harvest cookies associated with Google login sessions, and steal recovery codes from additional cryptocurrency wallets.
Additionally, it can send SMS messages to multiple phone numbers, spreading the malware to other users.
Despite these differences, both Hook and ERMAC log keystrokes and abuse Android accessibility services to perform overlay attacks, drawing content over other applications in order to steal credentials from more than 700 apps. The list of targeted applications is fetched dynamically from a remote server.
Both malware families also monitor clipboard events and replace the copied content with an attacker-controlled wallet address whenever the victim copies a genuine one.
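The clipboard-swapping behaviour described above leaves a recognisable trace: a wallet address placed on the clipboard by the user is silently overwritten, moments later and by a different package, with another address of the same format. The following detection routine, an added example written for this page and not code from the analysis or from either malware family, runs that check over a constructed clipboard event log (timestamps, source package names and contents are all invented); on a real device the events would come from a ClipboardManager listener.

```python
import re

# Constructed clipboard event log (not from the analysis): each entry is
# (seconds, source_package, clipboard_text). A benign copy from a wallet app
# followed by a silent overwrite from a background package is the pattern
# described in the text. Addresses are public BIP173 test vectors / samples.
SAMPLE_EVENTS = [
    (0.0, "com.example.wallet", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    (0.4, "com.example.bg.svc", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    (30.0, "com.example.wallet", "0x52908400098527886E0F7030069857D2E4169EE7"),
    (45.0, "com.example.notes", "meeting at 10"),
]

# Coarse format checks for common wallet address families (hypothetical names).
ADDRESS_PATTERNS = {
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text):
    """Return the wallet-address format the text matches, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


def detect_clipboard_swaps(events, window_s=2.0):
    """Flag an address that is replaced, within window_s seconds and by a
    different package, with a *different* address of the same format.
    A same-format replacement is the tell: the attacker wants the paste
    to still look valid to the victim."""
    alerts = []
    for (t0, pkg0, txt0), (t1, pkg1, txt1) in zip(events, events[1:]):
        kind = address_type(txt0)
        if kind is None or txt0 == txt1:
            continue
        if address_type(txt1) == kind and pkg1 != pkg0 and t1 - t0 <= window_s:
            alerts.append({"time": t1, "package": pkg1, "format": kind,
                           "original": txt0, "replacement": txt1})
    return alerts
```

Running `detect_clipboard_swaps(SAMPLE_EVENTS)` yields a single alert for the overwrite at 0.4 s by `com.example.bg.svc`; the later Ethereum address is never replaced and produces none.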
Most of the command-and-control (C2) servers for Hook and ERMAC are located in Russia, with additional servers found in the Netherlands, the United Kingdom, the United States, Germany, France, Korea, and Japan.
As of April 19, 2023, the Hook project appears to have ceased, with DukeEugene announcing his departure for a “special military operation.” Another individual under the alias RedDragon will handle software support until customers’ subscriptions expire.