Hook: New Strain of ERMAC Trojan Steals Banking Data - How to Protect App Users
A new strain of the banking trojan ERMAC has been identified by researchers at the security firm ThreatFabric. The new Android malware strain has been named Hook. This sophisticated malware is designed to steal sensitive information from victims and has been active since January 2023. According to Threat Fabric, DukeEugene, the original actor of ERMAC, published a post proposing to sell the new banking malware for $7,000 per month.
Hook is a variation of the ERMAC malware family, which has been active since 2021, and which is a modular malware framework capable of performing a wide range of malicious activities, such as stealing personal identifiable information (PII), taking screenshots, and exfiltrating files.
How Hook malware can take control of an infected device to steal banking and financial data
The Hook strain, derived from the original ERMAC source code, has several advanced capabilities that make it particularly dangerous for Android devices. The most important addition in terms of capabilities comes in the form of what hackers call VNC (virtual network computing). VNC is a specific implementation of a screen-sharing application that provides remote control over the infected device. Hook is capable of remote access and full device take-over (DTO) through the use of remote access tooling, or RAT capabilities.
This is implemented using the permissions granted by the device’s accessibility services to interact with the user interface elements required to perform a wide array of operations. As a result, attackers can take control of an infected device, allowing them to execute commands, steal data, and perform other malicious activities. The new malware can also simulate clicks, keypresses, long presses, and gestures, access text boxes, unlock devices, and geolocate users. Hook also comes with WebSocket communication features and encrypts its traffic using AES-256-CBC with a hardcoded key.
The impact of Hook on banking and financial services can be severe. If an Android operating system users’ phone is infected with Hook, cybercriminals can potentially gain access to banking credentials, steal sensitive financial data, and even initiate fraudulent banking app transactions on the user's behalf.
What organizations can do to protect against Hook
To protect Android apps against Hook and other strains of ERMAC, organizations should implement a multi-layered mobile security approach that includes application shielding. Application shielding is a security technique that adds an additional layer of protection to mobile apps. It operates on two fronts:
- (1) It makes it more difficult for threat actors to reverse-engineer or tamper with the app's code by applying a set of techniques including obfuscation and data encryption.
- (2) It adds runtime application self-protection (RASP), making it hard for malware to interact with the app while it is running on the phone.
In the case of Hook, the obfuscation offered by application shielding will make it difficult for attackers to analyze and understand the app's code and functionality, which in turn makes it harder for them to write targeted attack scripts. The RASP aspect of shielding will add a layer of protection that can detect any attempt by the malware to access sensitive data or perform malicious activities, in real time.
OneSpan Mobile App Shielding blocks untrusted screen readers at runtime and exits the mobile application safely. Further sensitive operations are also blocked as a precaution. App Shielding is an effective tool in protecting mobile apps from Hook and other malware, and seamlessly integrates into existing apps to detect, mitigate, and protect against runtime attacks, such as code injection, debugging, emulation, screen mirroring, and app hooking.
By adding this additional layer of protection to mobile apps, organizations can significantly reduce the risk of a successful attack and increase their overall security posture. The application stays protected even on compromised devices and against unknown attacks.
As an example of how this works in practice, BankID has partnered with OneSpan to enhance the security of Norway's digital identity using OneSpan Cloud Authentication with Mobile Security Suite and App Shielding solutions. OneSpan's multi-factor authentication provides security for online and mobile applications through a multilayered defense--in-depth approach that ensures strong customer authentication.
Additionally, App Shielding protects the mobile application code, secrets, and personal information from bad actors, even in cases of a new malware such as Hook.
Why the strongest defense against malware is a multilayered approach
App Shielding is one important part of a comprehensive mobile security strategy, which should be implemented in conjunction with other cybersecurity measures such as strong transaction authentication and authorization workflows, regular security audits, vulnerability scanning, and data protection.
Hook is a new strain of ERMAC that poses a significant threat to organizations, with advanced capabilities that make it difficult to defend against. It is essential that organizations take proactive steps today to protect their systems and data using a multi-layered security approach. This should include application shielding as well as other security measures such as strong customer authentication and proactive device risk assessment.
OneSpan’s Mobile App Shielding technology can be implemented within minutes to help protect apps against Hook and other strains of ERMAC.