Cybercriminals are selling a new Android malware called Hook, which lets its operators remotely take over mobile devices using virtual network computing (VNC).
The creator of , an Android trojan that steals credentials for 467 crypto and banking apps by overlaying fake login pages, is promoting the new malware.
Hook's author claims the malware is new and was written from scratch. ThreatFabric researchers dispute this and have found significant code overlap between Ermac and Hook.
ThreatFabric states that Hook includes most of Ermac's code base, so it is still a banking trojan. It also contains many unnecessary parts not found in older strains, which points to large-scale code reuse.
A more dangerous Android malware
Despite its roots, Hook is an evolution of Ermac that adds a wide range of capabilities, making it more dangerous to Android users.
One new feature is WebSocket communication, offered in addition to the HTTP traffic that Ermac relies on exclusively. Network traffic is still encrypted with AES-256-CBC using a hardcoded key.
The highlight, however, is the VNC module, which lets threat actors interact with the device's user interface in real time.
Hook's author promoting the new VNC system (ThreatFabric)
The new system lets Hook's operator carry out any operation on the device, from PII extraction to monetary transactions.
ThreatFabric states that Hook can now perform a full device takeover (DTO) and complete the whole fraud chain, from transaction to PII exfiltration, including any intermediate steps, without using additional channels.
This type of fraud is harder for fraud-scoring engines to spot, and it is the key selling point of Android bankers.
Hook's VNC works only if the malware has been granted access to the Accessibility Service, which is harder to obtain on Android 11 and later.
The new commands added to Hook (compared with Ermac) can perform these actions:
- Start/stop RAT
- Make a particular swipe gesture
- Take a screenshot
- Simulate clicking on a specific text item
- Simulate a key press (HOME/BACK/RECENTS/LOCK/POWERDIALOG)
- Lock the device
- Scroll down/up
- Simulate a long press
- Simulate clicking at a particular coordinate
- Set the clipboard value to the value of the UI element at specific coordinates
- Simulate clicking on a UI component with a particular text value
- Set the value of a UI element to a specific text
A "File Manager" command turns the malware into a file manager. This lets threat actors retrieve a complete list of the files on the device and then download the ones they choose.
ThreatFabric also found another command, WhatsApp, with which Hook logs messages in the popular IM application and lets operators send messages through the victim's account.
Hook operators can now track a victim's exact location using a geolocation system that abuses the "Access Fine Location" permission.
Tracking the victim's precise location (ThreatFabric)
Targeting worldwide
The banking applications Hook targets affect users in the United States, Spain, Australia, Poland, Canada, Turkey, the United Kingdom, France, Italy and Portugal.
Number of banking apps per country targeted by Hook (ThreatFabric)
It is important to remember that Hook's targeting is global. ThreatFabric provides a list of all the apps Hook targets in its .
At this time, Hook is distributed as a Google Chrome APK under the package names "com.lojibiwawajinu.guna," "com.damariwonomiwi.docebi" and "com.yecomevusaso.pisifo," but this could of course change at any moment.
To avoid infection by Android malware, install only apps from the Google Play Store or those provided by your employer.
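As an added triage example (not from the original article or ThreatFabric), the script below takes the output of `adb shell pm list packages -f` and `adb shell settings get secure enabled_accessibility_services` and flags two things this page describes: the package names Hook was seen using, and any user-installed app that has been granted the Accessibility Service Hook depends on. The sample device output is constructed, and the `.AccService` component name is a placeholder.

```python
import re

# Package names reported on this page for Hook at the time of writing.
HOOK_PACKAGES = {
    "com.lojibiwawajinu.guna",
    "com.damariwonomiwi.docebi",
    "com.yecomevusaso.pisifo",
}
# APK locations that hold preinstalled (system) apps; anything else is user-installed.
SYSTEM_PREFIXES = ("/system/", "/product/", "/vendor/", "/apex/", "/system_ext/")

# Constructed sample of `pm list packages -f` and the accessibility setting.
PM_SAMPLE = """package:/system/app/TalkBack/TalkBack.apk=com.google.android.marvin.talkback
package:/data/app/~~abc==/com.lojibiwawajinu.guna-1/base.apk=com.lojibiwawajinu.guna
package:/product/app/Chrome/Chrome.apk=com.android.chrome
"""
A11Y_SAMPLE = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
               ":com.lojibiwawajinu.guna/.AccService")  # placeholder service name


def parse_pm_list(output):
    """Map package name -> APK path from `pm list packages -f` lines."""
    pkgs = {}
    for line in output.splitlines():
        m = re.fullmatch(r"package:(.+)=([\w.]+)", line.strip())
        if m:
            pkgs[m.group(2)] = m.group(1)
    return pkgs


def parse_accessibility(setting):
    """Return package names from the colon-separated pkg/service list."""
    if not setting or setting.strip() == "null":
        return []
    return [entry.split("/")[0] for entry in setting.strip().split(":") if entry]


def triage(pm_output, a11y_setting):
    """Return (package, reason) findings; a signal for review, not a verdict."""
    pkgs = parse_pm_list(pm_output)
    findings = []
    for name in pkgs:
        if name in HOOK_PACKAGES:
            findings.append((name, "known Hook package name"))
    for name in parse_accessibility(a11y_setting):
        # Legitimate assistive apps are flagged too; check them by hand.
        if not pkgs.get(name, "").startswith(SYSTEM_PREFIXES):
            findings.append((name, "accessibility service enabled for user-installed app"))
    return findings


if __name__ == "__main__":
    for pkg, reason in triage(PM_SAMPLE, A11Y_SAMPLE):
        print(f"{pkg}: {reason}")
```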