Cybercriminals Selling 'Hook' Android Malware for Remote Control of Smartphones

By Gagandeep Singh 21-Jan-2023

[{"selector":"#anim-407b912b-c406-40f2-b642-4f02d6ea05f6","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-ee38dbd3-5b3e-4de3-bb8a-0cd7e1233f8a","keyframes":{"transform":["translate3d(0px, 169.78320%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-1768ad2f-0eaa-46d9-abb2-476cb8765bef","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-00cb30d3-0c42-42ee-9e01-3c775d8cdec1","keyframes":{"transform":["translate3d(0px, 201.90972%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-b7378be5-7448-4666-a291-e4a4b4825bd4 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(11.84523813836396%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] A report by ThreatFabric, an Android Malware by the name of ‘Hook’ is being sold by cybercriminals.

[{"selector":"#anim-0eb3b1a9-15bc-443b-a076-71c40db7206a","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-dabe2d08-d545-404c-b714-533ce824a73a","keyframes":{"transform":["translate3d(0px, 155.55555%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-8d10b196-24e5-4d96-bc62-89b5345afc67","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-daa0e12d-767a-4c82-b312-367ff3932f44","keyframes":{"transform":["translate3d(0px, 175.83980%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-039d0894-be4c-4cd2-8c82-7db9c58bbac6 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-23.37355829769704%, 0, 0) translate(-25%, 0%) scale(1.5)","translate3d(0%, 0, 0) translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"fill":"forwards"}] The attackers brag that the malware can remotely take control of smartphones in real time using Virtual Network Computing (VNC).

[{"selector":"#anim-4ea26ac6-3066-4811-b761-0ae0ec78c35f","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-777052c0-6671-4d04-91a5-85cbc1f0a77e","keyframes":{"transform":["translate3d(0px, 133.46329%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-e6448273-c420-4d0f-8a86-f58400ad9224","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-c083cd71-3aab-44c6-ae1b-901c82cfc3af","keyframes":{"transform":["translate3d(0px, 144.51801%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-e1dca12c-755b-4029-844f-8bd1f0f13fc2 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(34.226190362416204%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] The creator of the malware claims that the new malware code was written from scratch; as per ThreatFabric substantial codes of the two Android malware overlay each other with 'Hook' having extra features.

[{"selector":"#anim-6698810f-7bd6-4761-9491-ea469b39dc75","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-e58f2cb1-a10c-48ca-a6b4-949cf7cb9d9f","keyframes":{"transform":["translate3d(0px, 138.92668%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-35dfa9ff-f710-4807-86a7-9e5ddcb9ea32","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-43f97347-7206-4fe1-9eb0-9b5759cc5e50","keyframes":{"transform":["translate3d(0px, 150.55982%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-3a25d274-998b-43c3-82ef-2772d11ff571 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-31.249999886225726%, 0, 0) translate(-25%, 0%) scale(1.5)","translate3d(0%, 0, 0) translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"fill":"forwards"}] The Feature that ‘Hook’ has over Ermac is WebSocket communication, in addition to the extensively used HTTP traffic of Ermac. The network used is still encrypted by a hardcoded key.

[{"selector":"#anim-349c2905-b371-4387-9c1b-c1a1088c1770","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-3a3ff26a-0720-481d-9998-299b07e4d792","keyframes":{"transform":["translate3d(0px, 133.46329%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-aa342abd-b8a5-41c2-bf98-ec75b2bcdcaf","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-8e7cf43d-a41c-4bf6-9fa5-8ff02309e8f4","keyframes":{"transform":["translate3d(0px, 144.51801%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-65c84ce2-c903-4d30-b94d-ef34aca22a2f [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-35.16113272245833%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] The main feature of the malware is the VNC allows attackers to communicate with the interface of the infected device in real time, enabling the malware to perform anything on the infected device, i.e., PII.

[{"selector":"#anim-e0513cec-53e3-4900-be8f-8415a5e0da89","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-5d3eecd4-257f-494a-ad76-8b232810f310","keyframes":{"transform":["translate3d(0px, 145.41446%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-984408db-ce4d-4a68-89a1-7d13d1d825cd","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-4b1f0b7a-97a2-411a-a446-fd3bf419a545","keyframes":{"transform":["translate3d(0px, 163.75904%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-51e22bfb-0f90-4bc5-b965-3c46cb7b6561 [data-leaf-element=\"true\"]","keyframes":{"transform":["translate(0%, 0%) scale(1.5)","translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"forwards"}] A File Manager command turns the malware into a file manager & the attackers get the record of all the files stored in the file manager and download the file of their liking.

[{"selector":"#anim-249105b6-e082-4395-96c3-19a7865bb90e","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-d6b69bf9-4fd2-4d32-b824-e249ffcfb550","keyframes":{"transform":["translate3d(0px, 146.14697%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-abd7c19d-c873-4279-bd06-253dfcb4eda0","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-17f8feaf-70ed-47c1-abed-e335eead587c","keyframes":{"transform":["translate3d(0px, 161.88991%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-c9f1de07-c2f7-4c47-9c2f-4aebe48d819d [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-36.45193905224423%, 0, 0) translate(-25%, 0%) scale(1.5)","translate3d(0%, 0, 0) translate(0%, 0%) scale(1)"]},"delay":0,"duration":2000,"fill":"forwards"}] The malware uses a Geolocation tracking mechanism help malware to get a hold of the victim's location by exploiting the ‘Access Fine Location’ permission.

[{"selector":"#anim-f794706b-ff22-44d6-949d-e1f943978b93","keyframes":{"opacity":[0,1]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-ed3aa500-07e5-468e-b386-9cc4beb69e6f","keyframes":{"transform":["translate3d(0px, 139.73766%, 0)","translate3d(0px, 0px, 0)"]},"delay":100,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-5cc168e8-48a5-4415-961b-6e63856a267e","keyframes":{"opacity":[0,1]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-0017a04d-396a-4005-a57c-e541ce228bb4","keyframes":{"transform":["translate3d(0px, 148.23427%, 0)","translate3d(0px, 0px, 0)"]},"delay":200,"duration":600,"easing":"cubic-bezier(0.2, 0.6, 0.0, 1)","fill":"both"}] [{"selector":"#anim-95d25ef8-e7c3-421a-ba37-6d8e4d07e2cd [data-leaf-element=\"true\"]","keyframes":{"transform":["translate3d(-22.23314720759742%, 0, 0)","translate3d(0%, 0, 0)"]},"delay":0,"duration":2000,"easing":"cubic-bezier(.3,0,.55,1)","fill":"both"}] The countries in which Hook targeted banking app users - the United States, Spain, Australia, & more. However, one important thing to note here is that Hook targets worldwide.

Cybercriminals Selling 'Hook' Android Malware for Remote Control of Smartphones

Read the full story here.