HOOK Android Trojan Adds Ransomware Overlays, Expands to 107 Remote Commands
Briefly

"The mobile security company said the overlay is remotely initiated when the command 'ransome' is issued by the C2 server. The overlay can be dismissed by the attacker by sending the 'delete_ransome' command. HOOK is assessed to be an offshoot of the ERMAC banking trojan, which, coincidentally, had its source code leaked on a publicly accessible directory over the internet."
"Like other banking malware targeting Android, it's capable of displaying a fake overlay screen on top of financial apps to steal users' credentials and abuse Android accessibility services to automate fraud and commandeer devices remotely. Other notable features include the ability to send SMS messages to specified phone numbers, stream the victim's screen, capture photos using the front-facing camera, and steal cookies and recovery phrases associated with cryptocurrency wallets."
A new HOOK Android banking trojan variant can deploy full-screen ransomware-style overlays that present dynamic extortion messages with wallet addresses and amounts supplied by a command-and-control server. The overlay is remotely initiated by a C2 command and can be dismissed by a separate C2 instruction. The malware is an offshoot of ERMAC and uses fake overlays over financial apps plus Android accessibility abuse to harvest credentials and automate fraud. Additional capabilities include sending SMS, streaming the screen, taking front-camera photos, and stealing cookies and cryptocurrency recovery phrases. The latest build supports 107 remote commands, including transparent gesture-capturing overlays, fake NFC screens, and deceptive prompts to gather lockscreen PINs or patterns.
Read at The Hacker News