
Malware Blurs Line Between Banking Trojan and Surveillance

Hook Banking Trojan Can Simulate Clicks and Send WhatsApp Messages

An improved Android banking Trojan dubbed Hook by security researchers is capable of taking remote control of mobile devices, contributing to the growing overlap between surveillance malware and financial fraud.


The Trojan, which analysis by Danish cybersecurity firm ThreatFabric characterizes as an improved version of the existing Ermac Trojan, is able to perform a "full attack chain from infection to fraudulent transaction."

Hook exploits an implementation of screen sharing known as virtual network computing to achieve, in effect, the functionality of a remote access tool, with functions including taking a screenshot, simulating clicks and inputting swipe gesture commands. It can transmit geolocation data and take control over files.

Hook can also open the WhatsApp chat app to extract messages and to send a new message, which the Trojan's operators could use to spread the malware.

A threat actor known as DukeEugene, which for roughly 18 months now has been renting Ermac, began offering Hook in mid-January, ThreatFabric says. The firm told The Hacker News that access to Hook goes for an advertised price of $7,000 per month.

The emergence of Hook comes at a moment of growing global alarm over the commodification of advanced spyware and worries over the ease with which threat actors and governments alike can harvest private details from personal devices.

Based on code similarities with Ermac, including some commands in Russian that don't add functionality, ThreatFabric says Hook is a variation of Ermac rather than a completely new Trojan.

Ermac itself is a descendant of mobile banking Trojan Cerberus, whose source code made its way online in 2020 to a Russian darknet forum (see: Attacks Using Cerberus Banking Trojan Surge).


About the Author

Mihir Bagwe


Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.



