HOOK Android Trojan Introduces Ransomware Overlays and Expands to 107 Remote Command Capabilities
Cybersecurity researchers have identified a new variant of the Android banking trojan HOOK that adds ransomware-style overlay screens to display extortion messages. The variant can deploy a full-screen ransomware overlay intended to pressure victims into paying a ransom. Zimperium zLabs researcher Vishnu Pratapagiri noted that the overlay presents a distressing ‘*WARNING*’ message together with a wallet address and amount, both retrieved dynamically from the command-and-control (C2) server. The overlay is activated remotely when the C2 server issues the command “ransome”, and the attacker can dismiss it with the “delete_ransome” command. HOOK is considered an offshoot of the ERMAC banking trojan, whose source code was leaked online.
In addition to its extortion capabilities, HOOK can display fake overlay screens on top of financial applications to steal user credentials, and it abuses Android accessibility services for fraud automation and remote device control. Other significant features include sending SMS messages to specific numbers, streaming the victim’s screen, capturing photos via the front-facing camera, and stealing cookies and recovery phrases linked to cryptocurrency wallets. The latest version supports 107 remote commands, 38 of them newly added, including commands that create transparent overlays to capture user gestures and fake NFC overlays that deceive victims into sharing sensitive information. HOOK is believed to be distributed widely through phishing websites and fraudulent GitHub repositories. The variant illustrates a concerning trend: banking trojans are converging with spyware and ransomware tactics, increasing the risk to financial institutions, enterprises, and end users alike.
Categories: Android Banking Trojans, Ransomware Tactics, Malware Evolution
Tags: Android, Banking, Trojan, Ransomware, Overlay, Extortion, Malware, Phishing, Security, Cryptocurrency