Hook Banking Trojan Infect Stored Files in Devices & Create Remote Session

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

A new Android malware known as ‘Hook’ has surfaced in the cybercrime market, and this malware has been developed by the creator (DukeEugene) of Ermac who is now selling it to potential buyers. 

The malware boasts a powerful capability of remotely taking over mobile devices in real time using virtual network computing (VNC). 

This feature makes the malware highly dangerous as it allows the attacker to gain control of the device and access sensitive information without the victim’s knowledge. 

This malware poses a significant threat to users’ personal information and data security. This new malware, Hook is currently being promoted by the creator of the infamous Ermac malware. 

Ermac, an Android banking trojan, is, unfortunately, being sold at a high price of $5,000 per month and is designed to aid malicious actors in stealing credentials from over 467 banking and crypto apps through the use of overlaid login pages. 

Though it’s not yet confirmed, it’s likely that the new malware being promoted has similar capabilities. The author of Hook asserts that this new malware was created from scratch and it boasts several advanced features in comparison to Ermac.

However, researchers at ThreatFabric have expressed skepticism, noting significant resemblances in code between the two malware.

According to ThreatFabric, Hook, the new malware, shares a majority of its code base with Ermac. As a result, Hook can be classified as a banking trojan. 

However, the researchers also point out that Hook contains several components that are present in the older strain of the malware but are not necessary for its operation. This suggests that Hook may have utilized a large amount of re-used code.

Capabilities of Hook Malware

Here below we have mentioned all the key abilities of Hook banking trojan:-

  • Testing phase
  • Push/SMS interception
  • Contact harvesting
  • Call control
  • Geolocation
  • Overlay attack
  • Keylogger
  • 2FA Stealing
  • Email/Seed Phrase stealer
  • hRAT
  • Screen streaming
  • Prevent uninstall
  • AV evasion

Though Hook shares similarities with another malware called Ermac, but it has been improved and made more sophisticated with additional features. 

The origin of Hook is uncertain, but it is considered as an advanced version of Ermac. These added capabilities make it more dangerous for Android users as it is more difficult to detect and remove, making it a formidable threat to the security of Android devices.

In short, Hook is a more potent threat to Android security as compared to Ermac. Hook differs from Ermac in that it supports several new features such as WebSocket communication, which is an additional communication channel to HTTP traffic that Ermac exclusively uses. 

In order to maintain the encryption level of the network traffic, a hardcoded key of AES-256-CBC is used. However, the feature that stands out the most is the ‘VNC’ module that enables threat actors to present their attacks in real time directly to the compromised device’s user interface.

Through this new system, Hook’s operators are able to carry out any operation on the device, including the exfiltration of personal information and the transfer of funds.

Hook Targeted Countries

Ermac, like previous versions, has a very extensive target list, including institutions in nearly every part of the globe. The following countries are affected by Hook’s target banking applications:-

  • The United States
  • Spain
  • Australia
  • Poland
  • Canada
  • Turkey
  • The UK
  • France
  • Italy
  • Portugal

In spite of that, it is crucial to note that Hook’s wide targeting scope covers the entire globe and in fact includes every major country.


As of right now, Hook is only distributed as a Chrome APK package under the following names:-

  • com[.]lojibiwawajinu.guna
  • com[.]damariwonomiwi.docebi
  • com[.]damariwonomiwi.docebi
  • com[.]yecomevusaso.pisifo

The only apps you should install on your Android device are those available from the official store like the Google Play Store or the apps that are supplied by your employer. This will prevent you from becoming infected with Android malware.

Apps outside of these two sources may contain malicious code that can compromise your device and the data stored on it. Additionally, apps from unknown sources may not be regularly updated, leaving them more vulnerable to security threats.

Network Security Checklist – Download Free E-Book