Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Recycled Source Code Used to Create New MobiHok Android RAT

MobiHok is a new Android RAT marketed by the actor known as mobeebom. It is a recycled version of the older, established SpyNote RAT.

MobiHok is a new Android RAT marketed by the actor known as mobeebom. It is a recycled version of the older, established SpyNote RAT.

Researchers from the Israeli threat intelligence firm SenseCy took notice when they detected a new mobeebom sales thread for MobiHok v4 on an English hacking forum. Further research suggested that mobeebom, under various pseudonyms, is an Arab-speaking actor active on numerous Arab-speaking forums. 

MobiHok is available on a surface website, described as an Android Remote Access Tool and given an alternative name as MobeRat, together with the standard declaration that it is not to be used for illegal purposes. mobeebom’s forum activity makes clear that this is not the real purpose.

Mobeebom also markets the malware through YouTube, where he has three separate MobiHok video demonstrations. These comprise two general views and one specifically demonstrating a Facebook authentication bypass. The earliest video was posted seven months ago, while the Facebook bypass video was posted two months ago.

“However,” say the researchers in a blog report, “from a research we conducted into mobeebom’s activity in the underground communities, and the analysis of a sample of the malware builder we retrieved, it is apparent that the threat actor based MobiHok on the source code of another prominent Android RAT named SpyNote, which was leaked online in 2016.”

In 2016, Palo Alto reported that the SpyNote builder had been leaked on several malware discussion forums. Today, SpyNote can be purchased from a surface website, or downloaded for free from a forum. The forum describes it as “a free Android RAT (Remote Administration Tool/Remote Access Trojan) program developed based on Java. Its Server is written in Java, and the Client controller is written in Visual Basic .NET.”

The SenseCy researchers say of the new RAT, “The initial findings of our technical analysis confirmed that mobeebom probably obtained SpyNote’s source code, made some minor changes, and now resells it as a new RAT under the name MobiHok.” His declared intention is to make MobiHok the top Android RAT on the market.

The capabilities of MobiHok include access to files, access to the camera, keylogging, control over SMS and contacts, the ability to bypass both Samsung security mechanisms and Google Play mechanisms, and to bind itself to a separate APK app. The latter capabilities make the transition from a dubious parental remote access tool to a fully-fledged remote access trojan more easy.

Advertisement. Scroll to continue reading.

Related: Learn About OT Attack Recylcing at SecurityWeek’s ICS Cyber Security Conference

Related: Threat Actor Targets Libyans with Malware via Facebook 

Related: Fake Netflix App Takes Control of Android Devices 

Related: SonicSpy Spyware Found in Over One Thousand Android Apps 

Related: New LuckyCat-Linked RAT Targets Users in Tibet

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

Cloud and container security firm Sysdig has tapped William Welch as CEO on its path to an IPO.

Dave Scher has been promoted to Deputy Chief Information Officer at MITRE.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.