A new analysis of the Android banking trojan known as Hook has revealed that it’s based on its predecessor called ERMAC.
“The ERMAC source code was used as a base for Hook,” NCC Group security researchers Joshua Kamp and Alberto Segura said in a technical analysis published last week.
“All commands (30 in total) that the malware operator can send to a device infected with ERMAC malware, also exist in Hook. The code implementation for these commands is nearly identical.”
ThreatFabric first documented Hook in January 2023, describing it as an “ERMAC fork” that’s offered for sale for $7,000 per month. Both strains are the work of a malware author called DukeEugene.