Malware Hook: It can remotely control an Android phone – CCM

A dangerous new piece of malware is circulating on Android. Dubbed Hook, it lets attackers take remote control of a phone to steal sensitive information, and it targets both banking apps and cryptocurrency wallets.

New malware is wreaking havoc on Android, which is hardly a surprise. Dubbed Hook (Crochet in French, like the pirate captain in Peter Pan), it was discovered by ThreatFabric researchers on an underground forum specializing in hacking, where it was put up for sale by DukeEugene. The latter is no stranger: he previously developed the ERMAC Trojan, a hugely popular piece of malware that uses overlay attacks (fake login pages superimposed on the legitimate app) to siphon off victims' credentials, and therefore their banking details, from more than 467 banking applications. The two pieces of malware share a large part of their code, making Hook something of an evolution of ERMAC. Its goal: to let criminals remotely control an Android phone.

Malware Hook: a more dangerous version of ERMAC

Hook is particularly dangerous. Once installed on the victim's smartphone, it asks for access to Android's accessibility services, which are designed to assist users with disabilities such as visual impairment; an app granted that access can read whatever is on screen and act on the user's behalf. Once the permission is granted, Hook can drive the device without its owner noticing. Its main novelty compared to ERMAC is a Virtual Network Computing (VNC) module, which lets the operator interact in real time with the compromised device's screen. Combined with the connection it maintains to its remote command servers, this lets the operator perform the following actions:

  • Interact with the smartphone's Android interface
  • Fill in text fields
  • Intercept SMS messages, in particular confirmation codes
  • Take a screenshot
  • Simulate a click on a specific text element
  • Simulate a key press
  • Unlock the device
  • Scroll up and down
  • Geolocate the victim

A screenshot of the operator panel interacting with the device's UI. © ThreatFabric

Malware Hook: banking and cryptocurrency applications targeted

All these commands make stealing confidential information easier. But that's not all: another command turns the malware into a file manager, letting the attackers list every file and image stored on the device and download the ones they find useful. It also preys on cryptocurrency owners by extracting the recovery phrases (seed phrases) that protect a digital wallet, much as a password does; anyone holding the phrase can restore the wallet on another device and empty it. The malware targets many popular wallets, including:

  • Bitcoin Wallet
  • Trust Crypto & Bitcoin Wallet
  • Mycelium Bitcoin Wallet
  • Blockchain Wallet: Bitcoin, Bitcoin Cash, Ethereum
  • Samourai Wallet
  • Coinbase Wallet: Crypto Wallet & DApp Browser
  • MetaMask: Buy, send and exchange crypto
  • SafePal Crypto Wallet BTC NFTs

Beyond crypto wallets, it targets more ordinary applications: e-mail clients, banking apps such as My Accounts BNP Paribas, CIC or Axa Banque France, smartphone security and cleaning apps, Airbnb and even Tinder; the full list of targeted apps appears at the end of ThreatFabric's article. Finally, Hook can also hijack the victim's WhatsApp account to send messages in their name, allowing the attackers to spread the malware and phishing links to the victim's contacts.

The United States, Australia, Canada, the United Kingdom and France are among the ten countries most affected by Hook, but other regions have also been hit hard by the malware. For now there is no specific defense against it beyond the usual precautions. Download apps only from trusted sources and well-known developers, and do not follow suspicious links received by message. Keep the number of installed applications to the bare minimum and uninstall them as soon as they are no longer needed. Be wary of an application that asks for permissions it has no plausible need for; a solitaire game does not need your geolocation, and very few apps need accessibility access, which is the permission Hook depends on and which can be reviewed at any time under Settings > Accessibility. Finally, keep an antivirus running in the background to check that no malicious behavior is at work…
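Both the abuse of accessibility services described above and the advice to watch for unneeded permissions come down to one practical check: which apps currently hold accessibility access, and where did they come from? The following script is an added example, not part of the CCM or ThreatFabric material. It reads the two relevant values from a connected device with adb (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags any package with accessibility access that was not installed by the Play Store (installer `com.android.vending`) and is not on a caller-supplied allowlist. The function names and the sample data (package names and installer lines) are constructed for the example so it also runs offline without a device.

```shell
#!/bin/sh
# Audit which apps hold Android accessibility-service access (the permission
# Hook abuses) and which of them did not come from the Play Store.
# Added example; function names are our own. Constructed sample data is used
# when no device is connected so the script runs offline.

# Constructed sample of `settings get secure enabled_accessibility_services`:
# a colon-separated list of package/ServiceClass component names.
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.freegame/com.example.freegame.HelperService'

# Constructed sample of `pm list packages -i` output (package + installer).
SAMPLE_INSTALLERS='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.freegame  installer=null
package:com.android.chrome  installer=com.android.vending'

# Print the package name of every enabled accessibility service, one per line.
# $1: raw setting value ("null" when no service is enabled).
enabled_accessibility_packages() {
    if [ -z "$1" ] || [ "$1" = "null" ]; then
        return 0
    fi
    printf '%s' "$1" | tr ':' '\n' | sed 's|/.*||' | grep -v '^$' | sort -u
}

# Print the installer recorded for a package, or "unknown" if it is not listed.
# $1: package name, $2: full `pm list packages -i` output.
installer_of() {
    printf '%s\n' "$2" | awk -v pkg="package:$1" '
        $1 == pkg { sub(/^installer=/, "", $2); print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# Print "pkg (installer: x)" for each accessibility-enabled package that was
# not installed by the Play Store and is not in the allowlist.
# $1: setting value, $2: pm output, $3: space-separated allowlist of packages.
suspicious_accessibility_packages() {
    for pkg in $(enabled_accessibility_packages "$1"); do
        case " $3 " in *" $pkg "*) continue ;; esac
        inst=$(installer_of "$pkg" "$2")
        [ "$inst" = "com.android.vending" ] || printf '%s (installer: %s)\n' "$pkg" "$inst"
    done
}

# Pull live values from a connected device when adb is usable; otherwise fall
# back to the constructed samples so the script still demonstrates the check.
if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    SERVICES=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    INSTALLERS=$(adb shell pm list packages -i | tr -d '\r')
else
    SERVICES=$SAMPLE_SERVICES
    INSTALLERS=$SAMPLE_INSTALLERS
fi

# TalkBack is allowlisted as a legitimate accessibility service; anything else
# that reaches the output deserves a closer look.
suspicious_accessibility_packages "$SERVICES" "$INSTALLERS" "com.google.android.marvin.talkback"
```

On the sample data the script prints `com.example.freegame (installer: null)`: a sideloaded app (no recorded installer) holding accessibility access, exactly the combination the article warns about. A Play Store installer is not proof of safety, since droppers have slipped into the store before, but a sideloaded app with this permission is the highest-value lead to investigate first.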