Zimperium’s zLabs research team has identified a sophisticated new variant of the Hook Android banking trojan, marking a significant escalation in mobile threat sophistication.
This iteration incorporates ransomware-style overlays that display extortion messages, demanding payment to wallet addresses fetched dynamically from the command-and-control (C2) server.
Activated by the “ransome” command, these full-screen overlays render HTML content embedded directly within the APK and can be dismissed remotely via “delete_ransome.”
Distribution Tactics
The malware further enhances its deception with fake NFC overlays triggered by the “takenfc” command, employing fullscreen WebView to mimic scanning interfaces, poised for future JavaScript injections to exfiltrate sensitive data.
Lockscreen bypass mechanisms are particularly advanced, utilizing deceptive PIN and pattern prompts over transparent overlays to capture credentials, enabling unauthorized access.
The “unlock_pin” command automates this by acquiring WakeLocks, simulating swipe-up gestures, and inputting server-provided PINs with localized confirmation taps.
Additionally, fraudulent phishing overlays, initiated by “takencard,” replicate Google Pay interfaces to steal credit card details through embedded HTML forms, transmitting captured inputs back to the C2.
Building on its foundation of abusing Android Accessibility Services for automated fraud and remote control, Hook v3 now supports an expansive 107 remote commands, including 38 new additions.
These enable stealthy screen-streaming via “start_vnc” for real-time monitoring, transparent overlays for gesture capture with “start_record_gesture,” and programmatic interactions like “onpointerevent” for simulating down, continue, and up gestures.
Distribution has broadened beyond phishing sites to exploit GitHub repositories, where actors host malicious APKs for Hook, Ermac, Brokewell, and SMS spyware.

This leverages GitHub’s legitimacy for large-scale dissemination, with zLabs monitoring multiple repos showcasing both legacy and novel variants.
Technical Insights
From a technical standpoint, Hook persists through broadcast receivers for SMS events (MITRE T1624.001) and escalates privileges via device administrator permissions (T1626.001), enabling factory resets, PIN/password alterations, and lockscreen disabling.
Defense evasion tactics include masquerading as legitimate apps like Google Chrome (T1655.001), self-uninstallation (T1630.001), device lockout via DevicePolicyManager.lockNow() (T1629.002), and input injection for gestures and data entry (T1516).
Credential access is multifaceted, intercepting notifications for OTPs (T1517), keylogging (T1417.001), GUI capture (T1417.002), and clipboard extraction (T1414).
Discovery functions encompass file/directory enumeration (T1420), location tracking (T1430), installed app listing (T1418), network connection discovery (T1421), and system info gathering (T1426).
Collection capabilities extend to screen capture (T1513), local data access (T1533), camera/audio recording (T1512/T1429), call control (T1616), and exfiltration of call logs, contacts, SMS (T1636 subtechniques), and accounts (T1409).
Command and control relies on WebSocket for bidirectional communication (T1481.002) and dynamic resolution (T1637), with hints of a planned RabbitMQ integration, complete with hardcoded credentials, intended to improve C2 resilience.
According to the report, Telegram traces suggest evolving features for injection data transmission, though incomplete (lacking chat IDs or bot tokens).
Exfiltration occurs over C2 channels (T1646), while impact techniques involve call forwarding/blocking (T1616), SMS manipulation (T1582), and overlay-based credential theft (T1516).
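As an added illustration of how a defender might triage an APK for the capability mix described above (Accessibility Service abuse, device-admin escalation, SMS broadcast receivers, overlay windows, Chrome masquerading), the following example parses a decoded AndroidManifest.xml and tags what it finds. This is example code, not Zimperium's tooling; the sample manifest is constructed for illustration and is not a real Hook manifest.

```python
"""Manifest triage for the Hook-style capability combination the report describes.

Added example (not Zimperium's code): flags Accessibility Service binding,
device-admin receivers, SMS receivers, overlay permission and Chrome masquerading.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android:* attributes

def _bound_component(root, tag, perm):
    # A service/receiver guarded by a system bind permission (a11y, device admin)
    return any(c.get(A + "permission") == perm for c in root.iter(tag))

def _receiver_action(root, action):
    return any(a.get(A + "name") == action
               for r in root.iter("receiver") for a in r.iter("action"))

def triage_manifest(xml_text):
    """Return sorted tags for Hook-like capabilities found in the manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    tags = []
    if _bound_component(root, "service", "android.permission.BIND_ACCESSIBILITY_SERVICE"):
        tags.append("accessibility-service")   # automated fraud / remote control
    if _bound_component(root, "receiver", "android.permission.BIND_DEVICE_ADMIN"):
        tags.append("device-admin")            # T1626.001
    if _receiver_action(root, "android.provider.Telephony.SMS_RECEIVED"):
        tags.append("sms-receiver")            # T1624.001
    if any(p.get(A + "name") == "android.permission.SYSTEM_ALERT_WINDOW"
           for p in root.iter("uses-permission")):
        tags.append("overlay-permission")      # ransomware / phishing overlays
    # Label claims Chrome but package is not Google's (T1655.001); real manifests
    # often use a @string reference here, which would need resource resolution.
    label = (app.get(A + "label") or "") if app is not None else ""
    if "chrome" in label.lower() and root.get("package") != "com.android.chrome":
        tags.append("masquerade-chrome")
    return sorted(tags)

# Constructed sample modelled on the report's description (not a real Hook manifest)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechrome">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Google Chrome">
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".Sms">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` on the sample yields all five tags; a manifest with none of these components returns an empty list.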
Zimperium’s Mobile Threat Defense (MTD) and zDefend provide on-device dynamic detection against Hook, even for sideloaded variants, through behavioral analysis.
Collaboration with stakeholders led to the takedown of a key GitHub repo, curtailing distribution.
This convergence of banking trojan, spyware, and ransomware tactics underscores escalating risks, blurring threat boundaries and demanding robust endpoint protections for financial and enterprise sectors.
Indicators of Compromise
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | e.g., 123abc… (sample hash) | Malicious APK hash |
| C2 Domain | e.g., maliciousc2[.]com | Command server |
| GitHub Repo | e.g., /actor/malware-repo | Distribution repository |
| Command | ransome | Triggers ransomware overlay |