Security News > 2023 > September > Hook: New Android Banking Trojan That Expands on ERMAC's Legacy

Hook: New Android Banking Trojan That Expands on ERMAC's Legacy
2023-09-18 12:11

A new analysis of the Android banking trojan known as Hook has revealed that it's based on its predecessor called ERMAC. "The ERMAC source code was used as a base for Hook," NCC Group security researchers Joshua Kamp and Alberto Segura said in a technical analysis published last week.

Regardless of these differences, both Hook and ERMAC can log keystrokes and abuse Android's accessibility services to conduct overlay attacks in order to display content on top of other apps and steal credentials from over 700 apps.

A majority of Hook and ERMAC's command-and-control servers are located in Russia, followed by the Netherlands, the U.K., the U.S., Germany, France, Korea, and Japan.

As of April 19, 2023, it appears that the Hook project has been shuttered, according to a post shared by DukeEugene, who claimed to be leaving for a "Special military operation" and that support for the software would be provided by another actor named RedDragon until the customers' subscription runs out.

Subsequently, on May 11, 2023, the source code for Hook is said to have been sold by RedDragon for $70,000 on an underground forum.

The short lifespan of Hook aside, the development has raised the possibility that other threat actors could pick up the work and release new variants in the future.


News URL

https://thehackernews.com/2023/09/hook-new-android-banking-trojan-that.html