A new Android malware named ‘Hook’ is being sold by cybercriminals, boasting it can remotely take over mobile devices in real-time using VNC (virtual network computing).
The new malware is promoted by the creator of Ermac, an Android banking trojan selling for $5,000/month that helps threat actors steal credentials from over 467 banking and crypto apps via overlaid login pages.
Whatever its origin, Hook is effectively an evolution of Ermac, offering an extensive set of capabilities that make it a more dangerous threat to Android users.
One new feature in Hook is WebSocket communication, added alongside the HTTP traffic that Ermac used exclusively. The network traffic is still encrypted with a hardcoded AES-256-CBC key, which means analysts who recover the key from a sample can decrypt captured command-and-control traffic.
The headline addition, however, is the ‘VNC’ module, which gives threat actors the ability to interact with the user interface of the compromised device in real time.
The commands Hook adds on top of Ermac’s can perform the following actions:
- Start/stop RAT
- Perform a specific swipe gesture
- Take a screenshot
- Simulate click at specific text item
- Simulate a key press (HOME/BACK/RECENTS/LOCK/POWERDIALOG)
- Unlock the device
- Scroll up/down
- Simulate a long press event
- Simulate click at a specific coordinate
- Set clipboard value to a UI element with specific coordinates value
- Simulate click on a UI element with a specific text value
- Set a UI element value to a specific text
Apart from the above, a “File Manager” command turns the malware into a file manager, allowing the threat actors to list all files stored on the device and download specific files of their choice.
Another notable command that ThreatFabric found concerns WhatsApp, allowing Hook to log all messages in the popular IM app and even allowing the operators to send messages via the victim’s account.