Security Experts:

Recycled Source Code Used to Create New MobiHok Android RAT

MobiHok is a new Android RAT marketed by the actor known as mobeebom. It is a recycled version of the older, established SpyNote RAT.

Researchers from the Israeli threat intelligence firm SenseCy took notice when they detected a new mobeebom sales thread for MobiHok v4 on an English hacking forum. Further research suggested that mobeebom, under various pseudonyms, is an Arab-speaking actor active on numerous Arab-speaking forums. 

MobiHok is available on a surface website, described as an Android Remote Access Tool and given an alternative name as MobeRat, together with the standard declaration that it is not to be used for illegal purposes. mobeebom's forum activity makes clear that this is not the real purpose.

Mobeebom also markets the malware through YouTube, where he has three separate MobiHok video demonstrations. These comprise two general views and one specifically demonstrating a Facebook authentication bypass. The earliest video was posted seven months ago, while the Facebook bypass video was posted two months ago.

"However," say the researchers in a blog report, "from a research we conducted into mobeebom's activity in the underground communities, and the analysis of a sample of the malware builder we retrieved, it is apparent that the threat actor based MobiHok on the source code of another prominent Android RAT named SpyNote, which was leaked online in 2016."

In 2016, Palo Alto reported that the SpyNote builder had been leaked on several malware discussion forums. Today, SpyNote can be purchased from a surface website, or downloaded for free from a forum. The forum describes it as "a free Android RAT (Remote Administration Tool/Remote Access Trojan) program developed based on Java. Its Server is written in Java, and the Client controller is written in Visual Basic .NET."

The SenseCy researchers say of the new RAT, "The initial findings of our technical analysis confirmed that mobeebom probably obtained SpyNote's source code, made some minor changes, and now resells it as a new RAT under the name MobiHok." His declared intention is to make MobiHok the top Android RAT on the market.

The capabilities of MobiHok include access to files, access to the camera, keylogging, control over SMS and contacts, the ability to bypass both Samsung security mechanisms and Google Play mechanisms, and to bind itself to a separate APK app. The latter capabilities make the transition from a dubious parental remote access tool to a fully-fledged remote access trojan more easy.

Related: Learn About OT Attack Recylcing at SecurityWeek's ICS Cyber Security Conference

Related: Threat Actor Targets Libyans with Malware via Facebook 

Related: Fake Netflix App Takes Control of Android Devices 

Related: SonicSpy Spyware Found in Over One Thousand Android Apps 

Related: New LuckyCat-Linked RAT Targets Users in Tibet

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.