Cybercriminals are marketing a new Android spyware called “Hook,” claiming it can remotely control mobile devices in real time using VNC (virtual network computing).
The new malware is being promoted by the developer of Ermac, an Android banking trojan that rents for $5,000/month and helps threat actors steal credentials from more than 467 banking and cryptocurrency apps by drawing overlay login screens on top of the legitimate apps.
Hook’s creator claims the new malware was written entirely from scratch, even though it offers only a number of additional capabilities on top of Ermac. Researchers at ThreatFabric doubt this assertion, having found significant code overlap between the two families.
Hook differs from Ermac in adding WebSocket communication alongside the HTTP traffic that Ermac relies on exclusively. In both cases the network traffic is still encrypted with AES-256-CBC.
The most notable addition is the “VNC” module, which lets threat actors interact with the compromised device’s user interface in real time.
Another noteworthy command discovered by ThreatFabric targets WhatsApp: it lets Hook log all messages exchanged through the popular messaging app and even allows the operators to send messages from the victim’s account.