The PolySwarm Blog


Hook Android Banking Trojan

Jan 31, 2023 12:25:40 PM / by The Hivemind

Hook Android
Related Families: Ermac
Verticals Targeted: Financial

Executive Summary

Threat Fabric recently reported on Hook, an Android banking trojan that is a fork of Ermac.

Key Takeaways

  • Hook is an Android banking trojan based on Ermac code.
  • The threat actor DukeEugene is behind Hook.
  • Hook has been updated to include multiple features not found in previous variants of Ermac. 

What is Hook?

Hook is a fork of an older Android malware family known as Ermac, an Android banking malware rented out by the threat actor DukeEugene. While multiple Ermac forks exist in the wild, Hook is one of the newly discovered variants and includes the ability to manipulate files on a device and create a remote session, allowing a threat actor to interact with the victim system’s UI. Researchers at Threat Fabric attribute Hook to DukeEugene as well. Hook has primarily been found in Google Chrome clone APKs and has been observed targeting entities in the US, Spain, Australia, Poland, Canada, Turkey, the UK, France, Italy, and Portugal.

Most of Hook’s code base seems to come directly from Ermac and includes commands in Russian. Hook has multiple device takeover (DTO) capabilities: it can intercept SMS, harvest contacts, control phone calls, geolocate the victim device, perform overlay attacks, log keystrokes, steal 2FA codes, steal emails and seed phrases, stream the screen, provide hRAT functionality, evade antivirus detection, and prevent uninstallation.

Hook uses AES-256-CBC for encryption in its communication with the C2. Communications are encoded in Base64. Hook also implements WebSocket communication, whereas Ermac only uses HTTP traffic. One of the main differences between Hook and Ermac is the addition of VNC, allowing remote control over the victim's device. Hook also uses Accessibility Services to interact with UI elements, giving it RAT capabilities. While Ermac included the ability to steal seed phrases from multiple crypto wallets, Hook added the ability to steal seed phrases from an additional wallet, SafePal. A final new feature added to Hook is a command to open WhatsApp, allowing Hook to log in and send WhatsApp messages.
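The paragraph above describes the C2 encoding as Base64 wrapped around AES-256-CBC. When an analyst has recovered the key material from a sample, decoding captured traffic is a two-step reversal of that scheme. The following Go program is an added example written for this bulletin; it is not PolySwarm's or Threat Fabric's code and not code from Hook itself. It assumes PKCS#7 padding, a 32-byte key and a 16-byte IV supplied by the analyst (the post does not say how Hook derives them), and the key, IV and JSON message in `main` are constructed fixtures, not real Hook traffic.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// DecodeC2Payload reverses the encoding described in the post: Base64 decode,
// then AES-256-CBC decrypt and strip PKCS#7 padding. key and iv are assumed
// to have been recovered from the sample during analysis.
func DecodeC2Payload(encoded string, key, iv []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d", len(key))
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be 16 bytes")
	}
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("not valid Base64: %w", err)
	}
	// CBC ciphertext is always a whole number of blocks; anything else is
	// either not this scheme or a truncated capture.
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), aes.BlockSize)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// pkcs7Unpad validates and removes PKCS#7 padding. A bad padding byte almost
// always means the wrong key or IV was used, so the error says so.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) ||
		!bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding (wrong key or IV?)")
	}
	return b[:len(b)-n], nil
}

// EncodeC2Payload is the forward direction, used here only to build test
// fixtures shaped like the traffic the post describes.
func EncodeC2Payload(plain, key, iv []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(ct), nil
}

// LooksLikeCBCBlob is a cheap triage heuristic for proxy or WebSocket logs:
// a Base64 string that decodes to a non-empty, 16-byte-aligned buffer is
// consistent with AES-CBC output. It sorts traffic for a closer look; it is
// not a detection on its own.
func LooksLikeCBCBlob(s string) bool {
	raw, err := base64.StdEncoding.DecodeString(s)
	return err == nil && len(raw) > 0 && len(raw)%aes.BlockSize == 0
}

func main() {
	// Constructed sample material; not a real Hook key, IV or message.
	key := []byte("0123456789abcdef0123456789abcdef")
	iv := []byte("fedcba9876543210")
	msg := []byte(`{"cmd":"constructed-sample"}`)

	enc, _ := EncodeC2Payload(msg, key, iv)
	fmt.Println("encoded:", enc, "cbc-like:", LooksLikeCBCBlob(enc))

	dec, err := DecodeC2Payload(enc, key, iv)
	fmt.Printf("decoded: %s err=%v\n", dec, err)

	_, err = DecodeC2Payload(enc, bytes.Repeat([]byte{'x'}, 32), iv)
	fmt.Println("wrong key:", err)
}
```

The padding check is what makes a wrong-key attempt fail loudly instead of returning garbage, which matters when you are trying several candidate keys pulled from a sample. The length check doubles as a quick filter for captures that were truncated before the last block.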

IOCs

PolySwarm has multiple samples of Hook:

fc4b08d7809321de578b0bb9f03fe68a9e7d0d4e36558d0b84d13afbea9ddfdc

d191cd24c0ec60fa388133608f4c15152a16a002377f868a4b2a6db04756157d

f0fd6ce0577883cb5fa4beafe0db432725d1fb5a86b1a0e7b5cbf2303afff1df

8d1aabfb6329bf6c03c97f86c690e95723748be9d03ec2ed117376dd9e13faf0

8d79e5711c3c2712f43d2a811dc2492d4a33000968d47fd737c5a278f39f368f

97e75ca1fe87a0ac818fbfd673aa7e8f763753915cf45858b5ca22b95a4f982a

f8485ae52dcacc7895e71e1b7afa18b258fc7cc6f1bb9da9d7342260311faa52

768b561d0a9fa3c6078b3199b1ef42272cac6a47ba01999c1f67c9b548a0bc15

815e50d8fcdee04f06ecc69dceb7306e8f254c36e7c5781ee0fe3ff971707bc9

6062b4490e4ecf2468ef0ab34db9431a5a09a2415a74d7bcb636760194a6a3d6

48f23e5276fed57e2cd5986163f6ea13a0bfcb8bd63c71cf19eb09478f1bd1c8

4df736da6e457f0c88536d8759098bceda3624d1a1c8aee243ace63b31ae552e

cb91b75eaa48b2bb521e6d3c7a0293f2a1bfc95cf254ac9b4d8847926469bfbb

0539eaecf2d2a6cbd3bec519e0ebfb6de7bf2d4d565c343bd0d61f9140faf892

55533397f32e960bdc78d74f76c3b62b57f881c4554dff01e7f9e077653f47b2

c5996e7a701f1154b48f962d01d457f9b7e95d9c3dd9bbd6a8e083865d563622


You can use the following CLI command to search for all Hook samples in our portal:

$ polyswarm link list -f Hook



Topics: Threat Bulletin, Banking, Android, RAT, Trojan, Hook, Ermac, DukeEugene
