Expanded Android Trojan Version now Includes Ransomware Strategies
A new variant of the Hook Android banking Trojan has emerged, showcasing an evolution in traditional banking malware. The malware now incorporates spyware and ransomware tactics, making it a growing concern for both enterprises and individuals.
The updated Hook malware adds several new features. It supports real-time screen streaming, giving operators full visibility into infected devices. Transparent overlays capture user gestures while keeping the malware's activity hidden from the victim.
One of the most alarming new features is a ransomware overlay that displays a payment demand with a cryptocurrency wallet address controlled by attackers. Fake credit card forms, mimicking services like Google Pay, are used to harvest payment information.
The malicious files delivered are not just credential stealers; they install powerful remote access tooling that gives attackers long-term control of the device. The malware can also bypass the lock screen by presenting deceptive PIN and pattern entry screens.
Hook's latest features also include fake NFC scanning prompts designed to steal sensitive data. There are traces of Telegram-based functionality under development in the Trojan, though these features remain incomplete.
Code references found in the Trojan suggest its developers may add RabbitMQ for more resilient command-and-control (C2) communications. The new version supports 107 remote commands, with 38 being newly introduced.
The Hook campaign is operating on a global scale. Unlike previous campaigns, Hook's operators are now spreading malicious APK files through GitHub repositories. Other malware families, including Ermac, Brokewell, and various SMS spyware strains, are also being distributed through GitHub repositories.
Zimperium has collaborated with industry partners to remove at least one GitHub repository associated with distribution of the malware. As Sclafani concluded, an attack chain designed to covertly install a persistent malicious payload inside networks makes Hook a significant threat that requires immediate attention.