Two new strains of malware on Android could allow attackers to remotely access devices and carry out phishing attacks, interact with the infected device in real-time, and steal data.
The first one is called Hook. It appears to be based on a banking Trojan called Ermac, which allowed attackers to steal credentials from banking and cryptocurrency apps. ThreatFabric researchers studied the code of Hook to find similarities between the two types of malware. It is currently being sold as a malware tool for rent at around $7,000 per month.
Unlike Ermac, Hook includes a VNC module that enables interaction with the infected device in real-time. This means the attacker could essentially do anything they wanted on the device, although it would be more challenging on devices with newer versions of the operating system. This is because accessibility services are required for Hook’s VNC to function for the attacker.
But Hook can also allow the attacker to view a complete list of files on the device. They could also track the device through geolocation and messages from popular apps like WhatsApp. Since Hook is distributed through the Google Chrome APK, you can basically avoid infection by only installing apps from the Google Play Store.
The second malware is called Roaming Mantis. It is unique due to its inclusion of a DNS changer, which allows the attacker to modify the DNS settings on vulnerable Wi-Fi routers, thereby enabling the malware to spread to other devices from the vulnerable router. Vulnerable routers are identified by their model numbers on a network, and once they are detected, the malware changes the DNS settings. It then hijacks the DNS settings through this HTTP request, so that clients connected to the Wi-Fi router would be redirected to malicious websites that could be used for phishing or additional malware downloads.
Roaming Mantis has been around for several years, but its latest version focuses on Wi-Fi routers and spreads through SMS phishing messages. Like Hook, it also prompts the user to install a malicious APK. If it detects a vulnerable router, it will attempt to access the Wi-Fi router’s administration panel with default credentials. Therefore, remember to change the credentials of your router if you haven’t done so already. To avoid Roaming Mantis, once again, do not install APKs on your Android phone, only install apps from the Google Play Store, and do not click on links sent through SMS.
