A video circulating on the internet shows a person making a Pix transfer, and after they enter the password, the name of the recipient changes. The scene was shared on Twitter by user “FavelaCaiuFc” and shows an Android phone that is probably infected with malware. Coincidentally, a week ago BleepingComputer reported that a new Android malware was being sold by cybercriminals.
Called “Hook”, the malware was created to break into banking and cryptocurrency applications by displaying overlay login pages. It was created by the same person who launched Ermac, a banking trojan that hit 467 apps, stealing account credentials and cryptocurrency wallets.
Pix changing recipient: “Hook” malware could be to blame
The “Hook” banking trojan may be to blame for changing the recipient of the Pix made by the person in the video shared on Twitter.
Be very careful who has a bank account pic.twitter.com/isrZhQgAnr
— @INSTA: FavelaCaiuNoFace (@FavelaCaiuFc) January 26, 2023
According to BleepingComputer, the malicious agent is capable of performing the following actions:
- Start/Stop RAT
- Perform a specific swipe gesture
- Take a screenshot
- Simulate click on specific text item
- Simulate a keystroke (HOME/BACK/RECENTS/LOCK/POWERDIALOG)
- Unlock the device
- Scroll up/down
- Simulate a long press event
- Simulate click on a specific coordinate
- Set clipboard value for a UI element with specific coordinate value
- Simulate clicking on a UI element with a specific text value
- Set a UI element value to specific text
In addition to the points mentioned above, the “file manager” command turns the malware into a file manager, allowing the attacker to get a list of all files stored on the device and choose the ones they want. Security researchers at ThreatFabric say that it is also possible to obtain all WhatsApp messages, allowing the attacker to use the victim’s account to send messages.
The malware is also able to use the geolocation system, allowing access to the exact location of the victim.
According to BleepingComputer, Hook is currently having the greatest impact in the following countries:
- U.S.
- Spain
- Australia
- Poland
- Canada
- Turkey
- UK
- France
- Italy
- Portugal
Hook is currently being distributed as an APK under the package names “com.lojibiwawajinu.guna”, “com.damariwonomiwi.docebi” and “com.yecomevusaso.pisifo”.
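A quick way to check a device for the package names listed above is to match them against the output of `adb shell pm list packages -f -i`. The script below is an added example, not code from BleepingComputer or ThreatFabric; the sample output and the function names are constructed for illustration.

```python
import re

# Package names quoted in the article.
HOOK_PACKAGES = {
    "com.lojibiwawajinu.guna",
    "com.damariwonomiwi.docebi",
    "com.yecomevusaso.pisifo",
}

# Constructed sample of `adb shell pm list packages -f -i` output (not real device data).
SAMPLE_PM_OUTPUT = """\
package:/system/app/Chrome/Chrome.apk=com.android.chrome  installer=com.android.vending
package:/data/app/~~Qk3x9A==/com.damariwonomiwi.docebi-Zt0w==/base.apk=com.damariwonomiwi.docebi  installer=null
package:/data/app/~~b7Lm2Q==/com.example.bank-p0Rr==/base.apk=com.example.bank  installer=com.android.vending
package:com.yecomevusaso.pisifo.helper
package:com.lojibiwawajinu.guna
"""

_INSTALLER = re.compile(r"\s+installer=(\S+)\s*$")

def parse_pm_line(line):
    """Return (package_name, installer or None) for one `pm list packages` line."""
    line = line.strip()
    if not line.startswith("package:"):
        return None
    body = line[len("package:"):]
    installer = None
    m = _INSTALLER.search(body)
    if m:
        installer = m.group(1)
        body = body[:m.start()]
    # With -f the line is <apk path>=<name>; the path itself can contain '=',
    # so the package name is whatever follows the last '='.
    return body.rsplit("=", 1)[-1].strip(), installer

def find_hook_packages(pm_output, iocs=HOOK_PACKAGES):
    """Exact-match installed package names against the listed names."""
    hits = []
    for line in pm_output.splitlines():
        parsed = parse_pm_line(line)
        # Exact match only: 'com.yecomevusaso.pisifo.helper' is a different package.
        if parsed and parsed[0] in iocs:
            hits.append(parsed)
    return hits

if __name__ == "__main__":
    for name, installer in find_hook_packages(SAMPLE_PM_OUTPUT):
        print(f"MATCH {name} (installer: {installer or 'not reported'})")
```

A clean result only means these specific package names are absent; repackaged builds under other names would not match.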