Cybercriminals will gain full control over the infected smartphone.
The group behind the BlackRock and ERMAC banking trojans for Android has released yet another piece of malware called "Hook", which provides new capabilities for accessing files and creating a remote interactive session. Attackers offer to use this software to everyone for a "modest" $ 7,000 per month.
ThreatFabric, in its report, described Hook as a new fork of the ERMAC trojan that has all the features of its predecessor, but with the addition of remote access tools (RAT). Thus, due to the functionality and similar structure, the researchers assigned Hook to the Octo and Hydra Trojan families.
The majority of financial applications targeted by the malware are located in the US, Spain, Australia, Poland, Canada, Turkey, UK, France, Italy, and Portugal.
The Hook Trojan is the development of an attacker known as DukeEugene. The virus is the latest evolution of ERMAC, in turn based on the Cerberus Trojan. These malware appeared in 2020 and 2021.
“ERMAC has always lagged behind Hydra and Octo in terms of features and functionality,” said Dario Durando, researcher at ThreatFabric.
Like other similar Android malware, Hook uses the Android Accessibility Services APIs to carry out overlay attacks and collect all kinds of sensitive information from devices, such as contacts, call logs, keystrokes, two-factor authentication (2FA) tokens, and even messages from messengers.
Other key features that have been added to Hook include the ability to remotely view and interact with the screen of an infected device, receive files, extract crypto wallet passphrases, and track the location of a smartphone. This kind of functionality blurs the line between spyware and banking malware.