Full Report
Authored by Joshua Kamp (main author) and Alberto Segura. Summary: Hook and ERMAC are Android-based malware families that are both advertised by the actor named "DukeEugene". Hook is the latest variant to be released by this actor and was first announced at the start of 2023. In this announcement, the actor claims that Hook … (excerpt from "From ERMAC to Hook: Investigating the technical differences between two Android malware variants")
Analysis Summary
# Tool/Technique: Hook (Android Malware)
## Overview
Hook is an advanced Android banking Trojan and Remote Access Tool (RAT) advertised by the threat actor "DukeEugene." While initially marketed as "written from scratch," technical analysis reveals it is a heavily evolved fork of the ERMAC malware family. Hook expands upon ERMAC’s data-stealing capabilities by adding comprehensive VNC-like remote control features and specialized cryptocurrency theft modules.
## Technical Details
- **Type:** Malware family (Android Trojan/RAT)
- **Platform:** Android
- **Capabilities:** Overlay attacks (injections), keylogging, SMS interception, remote screen streaming (VNC), UI interaction, cookie theft, and automated cryptocurrency recovery seed extraction.
- **First Seen:** Announced January 12, 2023. (Development reportedly ceased April 2023).
## MITRE ATT&CK Mapping
- **TA0030 - Initial Access**
  - T1474 - Supply Chain Compromise (Repackaged applications)
- **TA0033 - Persistence**
  - T1542.001 - Accessibility Service
- **TA0031 - Privilege Escalation**
  - T1548.001 - Abuse Privilege Escalation Mechanism (Accessibility Services)
- **TA0037 - Command and Control**
  - T1417.001 - Standard Application Layer Protocol (Socket.io)
- **TA0035 - Collection**
  - T1412 - Capture SMS Messages
  - T1430 - Location Tracking
  - T1533 - Data from Local System
  - T1636.002 - Steal Web Session Cookie
- **TA0038 - Exfiltration**
  - T1646 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Overlay Attacks:** Displays phishing windows over legitimate banking and financial applications to harvest credentials.
- **SMS Management:** Intercepts, deletes, and sends SMS messages (often used to bypass 2FA).
- **Information Stealing:** Extracts contact lists, installed application lists, and account information.
- **Accessibility Service Abuse:** Uses Android's Accessibility Services to log keystrokes and automate actions without user consent.
### Advanced Features
- **VNC/Remote Control:** Uses the `start_vnc` command to stream the victim's screen and interact with the UI (clicks, scrolls, long presses) in real-time.
- **Crypto-Stealing Automation:** Automated modules specifically designed to extract recovery seed phrases from wallets like Safepal and Exodus.
- **Cookie Theft:** Commands to steal Google login session cookies to bypass authentication.
- **Surveillance:** The ability to take photos using the front-facing camera (`takephoto`) and track GPS location.
## Indicators of Compromise (Representative)
*Note: Specific hashes depend on the variant; the values below are taken from the reported technical analysis. Network indicators are defanged.*
- **File Hashes (SHA256):**
  - Hook Sample 1: `d2b78d21c3246797cc93375c32c453538466657c7936aaca67a353676233e1ee`
  - Hook Sample 2: `4147794389658593444047814400266008687a747971775b8719277028114003`
- **Network Indicators:**
  - `hxxp[://]103.111.202[.]25/`
  - `hxxp[://]95.164.7[.]208/`
  - `hxxp[://]cloud-driver-update[.]com/`
## Associated Threat Actors
- **DukeEugene:** The primary actor/developer who advertised both ERMAC and Hook on underground forums.
## Detection Methods
- **Behavioral Detection:** Monitoring for applications requesting excessive Accessibility Service permissions followed by high volumes of outgoing network traffic to unknown IPs.
- **Signature-based:** Detection of known package names and strings unique to the Hook/ERMAC codebase.
- **YARA:** YARA rules can target the `socket.io` implementation and specific command strings (e.g., `start_vnc`, `clickat`, `takephoto`) within the DEX files.
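The behavioral and signature-based checks above, worked through in Python as an added example; this is not code from the original report. The telemetry line format (`timestamp|event|pkg=…|dst=…|bytes=…`), the trusted-network list, the sample DEX-like byte blobs and the log lines are all constructed assumptions; the command strings and the `socket.io` marker are the ones named in this section.

```python
"""Detection helpers for the behavioral and signature-based methods listed
above. Added example, not code from the original report; the telemetry line
format, the trusted-network list and all sample data are constructed."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command strings and framework marker quoted in the report's detection section.
HOOK_COMMAND_STRINGS = (b"start_vnc", b"clickat", b"takephoto")
SOCKETIO_MARKER = b"socket.io"

# Constructed stand-ins for a DEX file: DEX strings are stored as (M)UTF-8, so
# ASCII command names can be located with a plain byte search.
SAMPLE_DEX_BLOB = b"dex\n035\x00" + b"\x00" * 16 + b"socket.io\x00start_vnc\x00clickat\x00"
BENIGN_DEX_BLOB = b"dex\n035\x00" + b"\x00" * 16 + b"okhttp3\x00takephoto\x00"

# Constructed telemetry: accessibility grants and per-package outbound flows.
SAMPLE_TELEMETRY = [
    "2023-03-01T10:00:00|ACCESSIBILITY_GRANT|pkg=com.example.reader",
    "2023-03-01T10:01:00|NET_OUT|pkg=com.example.reader|dst=10.20.0.5|bytes=2500000",  # corp net
    "2023-03-01T10:05:00|NET_OUT|pkg=com.example.update|dst=203.0.113.5|bytes=900000",  # before grant
    "2023-03-01T10:10:00|ACCESSIBILITY_GRANT|pkg=com.example.update",
    "2023-03-01T10:12:00|NET_OUT|pkg=com.example.update|dst=203.0.113.5|bytes=700000",
    "2023-03-01T10:20:00|NET_OUT|pkg=com.example.update|dst=198.51.100.7|bytes=600000",
    "2023-03-01T11:30:00|NET_OUT|pkg=com.example.update|dst=203.0.113.5|bytes=5000000",  # outside window
    "garbage line that should be skipped",
]
KNOWN_NETS = ("10.0.0.0/8", "192.168.0.0/16")  # assumed corporate / trusted ranges

EVENT_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<kind>ACCESSIBILITY_GRANT|NET_OUT)\|pkg=(?P<pkg>[\w.]+)"
    r"(?:\|dst=(?P<dst>[\d.]+)\|bytes=(?P<bytes>\d+))?$"
)


def score_dex_blob(blob: bytes, min_commands: int = 2) -> dict:
    """YARA-style condition in Python: the socket.io marker must be present
    together with at least `min_commands` Hook command strings, so a single
    generic word such as `takephoto` does not fire on its own."""
    hits = [s.decode() for s in HOOK_COMMAND_STRINGS if s in blob]
    has_socketio = SOCKETIO_MARKER in blob
    return {"command_hits": hits, "socketio": has_socketio,
            "match": has_socketio and len(hits) >= min_commands}


def parse_events(lines: list[str]) -> list[dict]:
    """Parse telemetry lines; malformed lines are skipped rather than fatal."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["bytes"] = int(e["bytes"]) if e["bytes"] else 0
        events.append(e)
    return events


def correlate(events: list[dict], known_nets, window=timedelta(minutes=30),
              byte_threshold: int = 1_000_000) -> list[str]:
    """Flag packages whose outbound volume to addresses outside `known_nets`
    reaches `byte_threshold` within `window` after an accessibility grant.
    Traffic before the grant or after the window is ignored, so an app that
    was already chatty is not blamed for the grant."""
    known = [ipaddress.ip_network(n) for n in known_nets]
    grants: dict[str, datetime] = {}
    for e in events:
        if e["kind"] == "ACCESSIBILITY_GRANT":
            grants.setdefault(e["pkg"], e["ts"])  # keep the earliest grant
    unknown_bytes: dict[str, int] = defaultdict(int)
    for e in events:
        if e["kind"] != "NET_OUT" or e["pkg"] not in grants:
            continue
        start = grants[e["pkg"]]
        if not start <= e["ts"] <= start + window:
            continue
        if any(ipaddress.ip_address(e["dst"]) in net for net in known):
            continue
        unknown_bytes[e["pkg"]] += e["bytes"]
    return sorted(pkg for pkg, total in unknown_bytes.items() if total >= byte_threshold)


if __name__ == "__main__":
    print("signature:", score_dex_blob(SAMPLE_DEX_BLOB))
    print("behavioral:", correlate(parse_events(SAMPLE_TELEMETRY), KNOWN_NETS))
```

The two checks are deliberately independent: the string signature is cheap to run over every sideloaded APK an MDM reports, while the correlation needs a telemetry source that records both permission changes and per-app flows, and its thresholds must be tuned to the fleet.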
## Mitigation Strategies
- **User Education:** Avoid downloading APK files from third-party sources or suspicious websites.
- **Least Privilege:** Do not grant Accessibility Service permissions to applications unless strictly necessary and from a verified source.
- **Google Play Protect:** Ensure Google Play Protect is enabled on devices to scan for known malware variants.
- **Hardening:** Use Mobile Device Management (MDM) solutions to restrict side-loading of applications on corporate devices.
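A device-side audit for the least-privilege and side-loading mitigations above, as an added example that is not code from the original report. It parses the output of two real `adb shell` commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) to list apps that have an accessibility service enabled but did not come from a trusted installer; the sample output and the trusted-installer set are constructed assumptions.

```python
"""Audit apps that hold an accessibility service without coming from a trusted
installer. Added example, not code from the original report; the sample
command output and the trusted installer list are constructed."""
from __future__ import annotations

import re
import subprocess

# Installers treated as trusted sources (assumption: only the Play Store; a
# managed fleet would add its MDM agent's package name here).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed output of `settings get secure enabled_accessibility_services`:
# colon-separated `package/service` entries, or "null" when none are enabled.
SAMPLE_ACCESSIBILITY = "com.example.reader/.ReaderService:com.example.update/.AccessService"

# Constructed output of `pm list packages -i`; installer=null means the app was
# side-loaded or pushed over adb rather than installed through a store.
SAMPLE_PACKAGES = """\
package:com.example.reader  installer=com.android.vending
package:com.example.update  installer=null
package:com.android.chrome  installer=com.android.vending
"""

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)")


def parse_enabled_accessibility(raw: str) -> set[str]:
    """Return the package names that currently have an accessibility service enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def parse_installers(raw: str) -> dict[str, str | None]:
    """Map package name -> installing package (None when side-loaded)."""
    installers: dict[str, str | None] = {}
    for line in raw.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            installers[pkg] = None if installer == "null" else installer
    return installers


def flag_risky_accessibility(enabled: set[str], installers: dict[str, str | None],
                             trusted: set[str] = TRUSTED_INSTALLERS) -> list[str]:
    """Packages with an enabled accessibility service that were not installed by
    a trusted store; packages missing from the pm listing are flagged as well."""
    return sorted(pkg for pkg in enabled if installers.get(pkg) not in trusted)


def adb_shell(*args: str) -> str:
    """Run a command on the attached device; needs adb on PATH and a connected device."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    try:
        acc_raw = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
        pkg_raw = adb_shell("pm", "list", "packages", "-i")
    except (FileNotFoundError, subprocess.CalledProcessError):
        acc_raw, pkg_raw = SAMPLE_ACCESSIBILITY, SAMPLE_PACKAGES  # no device: use constructed sample
    risky = flag_risky_accessibility(parse_enabled_accessibility(acc_raw),
                                     parse_installers(pkg_raw))
    print("accessibility-enabled packages from untrusted sources:", risky or "none")
```

Run it with a device attached to audit that device; without one it falls back to the constructed sample so the logic can be exercised offline. The installer check is a heuristic: a repackaged app can still arrive through a store, so the result is a review list, not a verdict.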
## Related Tools/Techniques
- **ERMAC:** The predecessor malware family which provided the base source code for Hook.
- **Cerberus/Lurk:** Distantly related Android Trojans that influenced the evolution of this lineage.
- **Overlay Attacks:** A common technique used by mobile banking Trojans to intercept user input.