The author of the Android, BlackRock and ERMAC banking trojans has devised another malware called Hook that introduces new features to gain access to files stored on devices and create a remote interactive session.

ThreatFabric (a Dutch cybersecurity firm), in a report shared with The Hacker News, described Hook as a new offshoot of ERMAC even though it has “all the capabilities of its predecessor,” is advertised to sell for $7,000 per month.

“In addition, it also adds RAT functionality to its kit. (Remote Access Tooling), coming to align with Trojans such as Octo and Hydra , which are able to perform a full Device Take Over (DTO) and complete an entire fraud chain, starting with a leak of personal information arriving at the transaction, with all steps in between, without the need for additional channels,” said the Dutch cybersecurity firm.

Most of the financial apps targeted by the malware are located in the United States, Spain, Australia, Poland, Canada, Turkey, the United Kingdom, France, Italy, and Portugal.

Hook is the work of a hacker known as DukeEugene and represents, as we mentioned, the latest evolution of ERMAC, which was first disclosed in September 2021 and is based on another Trojan called Cerberus whose source code was discovered in 2020.

“ERMAC has always been a step behind Hydra and Octo in terms of capabilities and features,” ThreatFabric researcher Dario Durando told The Hacker News via e-mail. “This is also known among hackers, who prefer the two trojans over ERMAC.”

“The lack of RAT functionality is a major problem for a modern Android Banker, as it does not offer the ability to run a device check (Device Take Over – DTO), which is then the fraud method most likely to be successful and not to be detected by fraud assessment engines or fraud analysts. This is, most likely, what triggered the development of this new malware variant.”

Like other such Android malware, Hook makes use of Android’s accessibility services API to conduct overlay attacks and collect all kinds of sensitive information such as contacts, call logs, keystrokes, two-factor authentication (2FA) tokens, and even WhatsApp messages.

It also presents an expanded list of apps that include ABN AMRO and Barclays, while the same malicious packages masquerade as Google Chrome Web browsers to trick unsuspecting users into downloading the malware:

• lojibiwawajinu.guna
• damariwonomiwi.docebi
• yecomevusaso.pisifo

Among the other main features that Hook has is the ability to remotely view and interact with the screen of the infected device, obtain files, extract seed phrases* from crypto wallets and track the location of the phone, blurring the line between spyware and malware banking.

ThreatFabric said Hook artifacts observed so far in testing could be sent via phishing campaigns, Telegram channels or in the form of Google Play Store app droppers.

“The main disadvantage of creating a new malware is usually gaining trust from other hackers but with DukeEugene’s track record among criminals, it is very likely that this will not be a problem for Hook,” Durando said.

*
The Seed phrase is a set of words that allow you to generate or regenerate the key tree, which gives you access to your cryptocurrency wallet