Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Recycled Source Code Used to Create New MobiHok Android RAT

MobiHok is a new Android RAT marketed by the actor known as mobeebom. It is a recycled version of the older, established SpyNote RAT.

MobiHok is a new Android RAT marketed by the actor known as mobeebom. It is a recycled version of the older, established SpyNote RAT.

Researchers from the Israeli threat intelligence firm SenseCy took notice when they detected a new mobeebom sales thread for MobiHok v4 on an English hacking forum. Further research suggested that mobeebom, under various pseudonyms, is an Arab-speaking actor active on numerous Arab-speaking forums. 

MobiHok is available on a surface website, described as an Android Remote Access Tool and given an alternative name as MobeRat, together with the standard declaration that it is not to be used for illegal purposes. mobeebom’s forum activity makes clear that this is not the real purpose.

Mobeebom also markets the malware through YouTube, where he has three separate MobiHok video demonstrations. These comprise two general views and one specifically demonstrating a Facebook authentication bypass. The earliest video was posted seven months ago, while the Facebook bypass video was posted two months ago.

“However,” say the researchers in a blog report, “from a research we conducted into mobeebom’s activity in the underground communities, and the analysis of a sample of the malware builder we retrieved, it is apparent that the threat actor based MobiHok on the source code of another prominent Android RAT named SpyNote, which was leaked online in 2016.”

In 2016, Palo Alto reported that the SpyNote builder had been leaked on several malware discussion forums. Today, SpyNote can be purchased from a surface website, or downloaded for free from a forum. The forum describes it as “a free Android RAT (Remote Administration Tool/Remote Access Trojan) program developed based on Java. Its Server is written in Java, and the Client controller is written in Visual Basic .NET.”

The SenseCy researchers say of the new RAT, “The initial findings of our technical analysis confirmed that mobeebom probably obtained SpyNote’s source code, made some minor changes, and now resells it as a new RAT under the name MobiHok.” His declared intention is to make MobiHok the top Android RAT on the market.

The capabilities of MobiHok include access to files, access to the camera, keylogging, control over SMS and contacts, the ability to bypass both Samsung security mechanisms and Google Play mechanisms, and to bind itself to a separate APK app. The latter capabilities make the transition from a dubious parental remote access tool to a fully-fledged remote access trojan more easy.

Related: Learn About OT Attack Recylcing at SecurityWeek’s ICS Cyber Security Conference

Related: Threat Actor Targets Libyans with Malware via Facebook 

Related: Fake Netflix App Takes Control of Android Devices 

Related: SonicSpy Spyware Found in Over One Thousand Android Apps 

Related: New LuckyCat-Linked RAT Targets Users in Tibet

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...