The PolySwarm Blog


Hook Android Banking Trojan

Jan 31, 2023 12:25:40 PM / by The Hivemind

Related Families: Ermac
Verticals Targeted:

Executive Summary

Threat Fabric recently reported on Hook, an Android banking trojan that is a fork of Ermac.

Key Takeaways

  • Hook is an Android banking trojan based on Ermac code.
  • The threat actor DukeEugene is behind Hook.
  • Hook has been updated to include multiple features not found in previous variants of Ermac. 

What is Hook?

Hook is a fork of an older Android malware family known as Ermac, an Android banking malware rented out by the threat actor DukeEugene. While multiple Ermac forks exist in the wild, Hook is one of the newly discovered variants and includes the ability to manipulate files on a device and create a remote session, allowing a threat actor to interact with the victim system’s UI. Researchers at Threat Fabric attribute Hook to DukeEugene as well. Hook has primarily been found in Google Chrome clone APKs and has been observed targeting entities in the US, Spain, Australia, Poland, Canada, Turkey, the UK, France, Italy, and Portugal.

Most of Hook’s code base seems to come directly from Ermac and includes commands in Russian. Hook has multiple device takeover (DTO) capabilities: it can intercept SMS, harvest contacts, control phone calls, geolocate the victim device, perform overlay attacks, log keystrokes, steal 2FA, steal emails and seed phrases, stream the screen, provide hRAT capabilities, evade antivirus detection, and prevent uninstallation.

Hook uses AES-256-CBC for encryption in its communication with the C2. Communications are encoded in Base64. Hook also implements WebSocket communication, whereas Ermac only uses HTTP traffic. One of the main differences between Hook and Ermac is the addition of VNC, allowing remote control over the victim's device. Hook also uses Accessibility Services to interact with UI elements, giving it RAT capabilities. While Ermac included the ability to steal seed phrases from multiple crypto wallets, Hook added the ability to steal seed phrases from an additional wallet, SafePal. A final new feature added to Hook is a command to open WhatsApp, allowing Hook to log in and send WhatsApp messages.
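The traits described above (Chrome clone APKs, use of Accessibility Services, SMS, contact, call and location capabilities) can be turned into a static triage check on an app's manifest. The following is an added example, not PolySwarm's or Threat Fabric's detection logic; it assumes the manifest has already been decoded to text XML, and the permission-to-capability mapping, the scoring threshold and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
CHROME_PKG = "com.android.chrome"  # package name of genuine Google Chrome
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Permission-to-capability mapping is this example's assumption, not from the report.
CAPABILITY_PERMS = {
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.READ_CONTACTS": "contact harvesting",
    "android.permission.CALL_PHONE": "phone call control",
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
}

def triage_manifest(xml_text):
    """Return a list of findings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID + "label", "") if app is not None else ""
    # A Chrome-branded label on a package that is not Chrome suggests a clone.
    if "chrome" in label.lower() and package != CHROME_PKG:
        findings.append(f"Chrome-branded label on package {package}")
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == A11Y:
            findings.append(f"accessibility service {svc.get(ANDROID + 'name')}")
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    caps = sorted({CAPABILITY_PERMS[p] for p in requested if p in CAPABILITY_PERMS})
    findings.extend(f"permission for {c}" for c in caps)
    return findings

def is_suspicious(findings):
    """Escalate only when an accessibility service coincides with other signals."""
    has_a11y = any(f.startswith("accessibility service") for f in findings)
    return has_a11y and len(findings) >= 3

# Constructed sample manifest (not taken from a real Hook sample).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Google Chrome">
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE), is_suspicious(triage_manifest(SAMPLE)))
```

Labels in decoded manifests are often resource references such as @string/app_name, so resolve them before relying on the label check. Legitimate apps also declare accessibility services, which is why the check escalates only on a combination of signals.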


PolySwarm has multiple samples of Hook:

You can use the following CLI command to search for all Hook samples in our portal:

$ polyswarm link list -f Hook

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.


Topics: Threat Bulletin, Banking, Android, RAT, Trojan, Hook, Ermac, DukeEugene
