New ‘HookBot’ Malware Masquerades as Top Brands to Steal Your Data

HookBot, a mobile banking Trojan, exploits Android devices to steal sensitive financial and personal data. As part of a larger cybercrime network, it poses a significant global threat due to its stealthy nature and ability to bypass security measures.

Malicious apps, often disguised as legitimate software, are installed on victim devices and establish communication with a command-and-control (C2) server to receive updates and exfiltrate user data through various attack techniques, including app overlays and surveillance.

Overlay attacks exploit legitimate app interfaces by superimposing malicious overlays, tricking users into inputting sensitive data like login credentials or payment information, which is then harvested by attackers.

It is a sophisticated mobile malware that stealthily records keystrokes, captures screenshots, and intercepts SMS messages, including 2FA codes, to compromise user devices and accounts, potentially leading to significant data breaches and financial loss.

App overlay mimicking the Tesco Mobile login screen. 

HookBot, distributed under the guise of popular apps, abuses device permissions to gain control and then masquerades as Chrome, potentially impacting a wide range of Android users.

Netcraft researchers discovered a user-friendly malware builder tool that simplifies the creation of new malware variants with customizable configurations and obfuscation techniques, lowering the technical barrier for malicious actors.

Frame-by-frame showing the HookBot builder panel interface. 

Telegram channels are being used to distribute HookBot, a sophisticated trojan boasting anti-security features. Malware distributors on Telegram compete aggressively, discrediting rivals to gain market share and enhance their reputation.

The infected apps use HTML to update their overlays dynamically without shipping a new app version, giving the operators remote control over what the victim sees. The C2 server also abuses WhatsApp together with accessibility permissions to automate sending messages to specified numbers, demonstrating the app's potential for malicious activity.
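The overlay, SMS-interception and accessibility-service abuse described in the paragraphs above each require specific declarations in an app's manifest. The following triage heuristic is an added example written for this page, not code from Netcraft or from the HookBot analysis; the mapping from each capability to standard Android permissions is the editor's assumption, and the sample manifest is constructed, not a real HookBot artefact.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capabilities the article describes, mapped to the standard Android
# permissions an app must declare to use them (editor's mapping, assumed).
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "contact_spreading": {"android.permission.READ_CONTACTS"},
}
# Accessibility abuse shows up as a <service> bound with this permission,
# not as a <uses-permission> entry.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Flag each capability found in a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(ATTR_NAME) for p in root.iter("uses-permission")}
    flags = {cap: bool(declared & perms) for cap, perms in CAPABILITIES.items()}
    flags["accessibility_service"] = any(
        s.get(ATTR_PERMISSION) == ACCESSIBILITY_BIND for s in root.iter("service"))
    flags["score"] = sum(flags.values())  # number of capabilities present
    return flags


def is_suspicious(flags: dict) -> bool:
    """Overlay plus an accessibility service is the core banking-trojan
    pattern; three or more flagged capabilities also trips the check."""
    core = flags["overlay"] and flags["accessibility_service"]
    return core or flags["score"] >= 3


# Constructed sample (not a real HookBot manifest): a fake "Chrome" declaring
# overlay, SMS and contacts permissions plus an accessibility service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Chrome">
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST), is_suspicious(triage_manifest(SAMPLE_MANIFEST)))
```

Run it against a manifest decoded from an APK (for example with apktool) to get a quick first-pass triage; a hit is a reason to look closer, not proof of malice, since legitimate accessibility and SMS apps declare the same permissions.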

etHTML prompt in a HookBot app source code, which pulls content from a Document Object Model (DOM)

The source code shows that the HookBot app can propagate itself to other devices via WhatsApp, and that it uses obfuscation techniques to evade detection, making it harder to analyze and mitigate.

Thanks to its adaptable capabilities and the availability of low-skill tooling for deploying it, HookBot remains a persistent and effective threat that continues to evolve and spread.

Organizations worldwide therefore face a significant threat and need preventative security measures to reduce its impact.

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
