NCC Group researchers discovered that the Hook Android banking trojan was developed using the source code of the ERMAC backdoor, reports The Hacker News. Aside from featuring all 30 commands used by ERMAC, the Hook malware also has up to 38 new commands, including screen streaming and user interface interactions for device takeovers, photo capturing, Google login session-related cookie exfiltration, and expanded cryptocurrency wallet recovery seed targeting, as well as self-propagation through SMS delivery to various numbers, according to NCC Group. Both malware strains, which had most of the command-and-control servers in Russia, the Netherlands, the U.K., the U.S., and Germany, were also found to support keystroke logging and Android accessibility service exploitation for overlay attacks, as well as clipboard event tracking. While Hook was disrupted in April, the sale of its source code less than a month later suggests the potential development of new variants by other threat actors, said researchers.