In an overlay attack, a malicious app draws a window on top of a legitimate application on a mobile device such as Android. The overlay mimics the trusted app's interface, so the user types credentials or other sensitive information into the attacker's form instead of the real one.
Security analysts at NetCraft recently reported that the HookBot malware uses overlay attacks impersonating popular brands to steal data.
HookBot is a banking Trojan that aims to steal sensitive information such as banking credentials, passwords and personal data from victims.
It spreads via malicious apps that mimic legitimate brand-owned software and are distributed through unofficial app stores.
HookBot Malware Steals Data
It has also been able to evade the security checks of official marketplaces such as Google Play.
Once installed, the HookBot-infected app establishes communication with a command-and-control (C2) server, from which it receives updates and new payloads and to which it reports device information, before using various techniques to extract user data.
Its primary technique is the overlay attack: a visual overlay mimicking the interface of a legitimate app tricks the user into entering sensitive information. According to the NetCraft report, it combines this with keylogging, screen capturing and SMS interception to gain full access to the victim's accounts.
HookBot-infected apps often impersonate well-known brands, and the malware can rename and disguise itself as other legitimate applications to evade detection. It also ships with a builder tool that lets threat actors with minimal technical knowledge generate new malware samples and adapt them to evade security measures.
In the malware supply chain, the researchers observed HookBot being distributed via platforms such as Telegram, where threat actors offer different purchase options and boast about built-in anti-security functionality that helps their campaigns avoid detection.
The infected apps render their overlays as HTML, so the operators can push new overlays from the C2 server without shipping an app update.
The C2 server can also instruct the victim's device to send WhatsApp messages to numbers of the threat actor's choosing, abusing Android's accessibility permissions to automate the send action.
This worm-like behaviour lets the malware propagate itself from device to device.
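As an added example (not code from the NetCraft report or from HookBot itself), the following Python script performs the static triage an analyst would run on a suspected lookalike app: it parses a decoded AndroidManifest.xml and flags the permission combination that the overlay, SMS-interception and accessibility-automation behaviours described above depend on. It assumes the manifest has already been decoded from the APK's binary XML (for example with apktool); the sample manifest, the package name com.example.fakebank and the AccService class inside it are constructed for this example.

```python
"""Triage a decoded AndroidManifest.xml for the permission combination that
overlay-based banking Trojans rely on. Added example, not Netcraft's or
HookBot's code. Assumes the manifest was decoded to plain XML beforehand
(e.g. `apktool d app.apk`); the sample manifest below is constructed."""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission -> what that capability gives an overlay/accessibility Trojan.
INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay: can draw over other apps",
    "android.permission.RECEIVE_SMS": "sms interception: can read incoming OTP codes",
    "android.permission.READ_SMS": "sms interception: can read stored messages",
    "android.permission.REQUEST_INSTALL_PACKAGES": "payload delivery: can side-load new APKs",
}

# Constructed manifest modelled on a lookalike brand app; not a real sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Example Bank">
    <activity android:name=".MainActivity"/>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the matched indicators and an escalation flag.
    Purely static: it says nothing about what the app does at runtime."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"

    requested = {el.get(name_attr) for el in root.iter("uses-permission")}
    findings = {p: why for p, why in INDICATORS.items() if p in requested}

    # An accessibility service is recognised by the BIND permission on the
    # <service> element plus the AccessibilityService intent action inside it.
    has_a11y = False
    for svc in root.iter("service"):
        if svc.get(perm_attr) != "android.permission.BIND_ACCESSIBILITY_SERVICE":
            continue
        actions = {a.get(name_attr) for a in svc.iter("action")}
        if "android.accessibilityservice.AccessibilityService" in actions:
            has_a11y = True

    if has_a11y:
        findings["accessibility-service"] = (
            "automation: can read the screen and inject taps (e.g. press Send)"
        )

    # Overlay plus accessibility is the combination worth escalating; either
    # alone is common in legitimate apps (screen readers, floating widgets).
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in requested
    return {
        "package": root.get("package"),
        "findings": findings,
        "escalate": overlay and has_a11y,
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], "ESCALATE" if result["escalate"] else "review")
    for perm, why in result["findings"].items():
        print(f"  {perm}: {why}")
```

The overlay permission together with a declared accessibility service is the pairing that deserves escalation; either one alone appears in plenty of legitimate apps, so treat the output as a triage signal rather than a verdict, and remember that the HTML overlays themselves are fetched from the C2 server at runtime and will not be visible in the manifest.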
The operators of HookBot offer several different purchase options.
The malware developers also use obfuscation tools such as Obfuscapk to make their code harder to reverse engineer, obstructing analysis and detection efforts.
Such obfuscation techniques can legitimately protect honest apps, but in the hands of malware authors they hide malicious intent and help the malware proliferate more effectively.
Despite awareness and disruption efforts, HookBot continues to evolve, demonstrating its resilience and effectiveness.
Its multi-channel supply chain lets it spread globally and affect more organizations and their customers.
The availability of tools that let low-skill threat actors build and deploy such malware will only heighten this trend.
This underlines the need for robust security solutions that can quickly detect and block malicious activity targeting specific brands.