A sophisticated new variant of the Hook Android banking trojan has emerged with capabilities that place it among the most advanced mobile malware families observed to date.
This latest version, designated Hook Version 3, represents a significant evolution in Android banking malware, introducing an arsenal of 107 remote commands, 38 of them newly added, that blur the traditional boundaries between banking trojans, ransomware, and spyware.
The malware's distribution strategy has expanded beyond typical phishing websites to include GitHub repositories, where threat actors are actively leveraging the platform's legitimacy to host and disseminate malicious APK files.
This approach gives attackers enhanced credibility and broader reach, since victims are more likely to trust applications hosted on a reputable platform.
The same GitHub distribution channel has also been observed hosting other malware families, including Ermac and Brokewell, indicating a systematic approach to malware-as-a-service operations.
Zimperium analysts identified several capabilities that distinguish this variant from its predecessors, including ransomware-style overlay attacks, fraudulent NFC interfaces, and lock screen bypass mechanisms.
Malware requesting accessibility services from the victim (Source – Zimperium)
The malware retains its foundation of Android Accessibility Services abuse while introducing transparent overlays for silent capture of user gestures and real-time screen streaming, which together give attackers near-complete control of the device.
Advanced Overlay Attack Mechanisms
Hook Version 3's most notable advancement lies in its overlay attack system, which layers several deceptions to capture sensitive user data.
The ransomware-style overlay functionality displays a full-screen warning message demanding a cryptocurrency payment, with the wallet address and amount dynamically retrieved from the command-and-control server.
Ransomware-style overlay (Source – Zimperium)
The HTML content for this page is embedded within the APK, so the overlay can be shown immediately when the "ransome" command is received, while the "delete_ransome" command allows the operator to dismiss it remotely.
The fake NFC overlay, triggered by the "takenfc" command, shows how the malware's capabilities are still evolving: it presents a deceptive Near Field Communication "scanning" screen using a fullscreen WebView overlay.
Fake NFC overlay (Source – Zimperium)
Although the current implementation lacks the JavaScript integration needed to exfiltrate data from this screen, its presence indicates ongoing development toward NFC-themed social engineering attacks.
Perhaps most concerning is the lock screen bypass mechanism, which combines overlay techniques with programmatic device unlocking.
The "unlock_pin" command sequence acquires a WakeLock to wake the device, performs a swipe-up gesture to reveal the lock screen's PIN entry, and enters a previously captured PIN through simulated button presses via the accessibility service, effectively circumventing Android's primary security barrier and granting the attacker full device access for subsequent malicious actions. The bypass therefore depends on two earlier wins: the victim granting the accessibility service, and the PIN having already been harvested through an overlay or keylogging.
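The capabilities described above (an Accessibility Service binding, overlay windows, a WakeLock, and HTML pages bundled in the APK to back full-screen WebView overlays) all leave traces in an app's decoded manifest and asset list. The following Python script is an added triage example written for this article; it is not Zimperium's detection logic nor code from the malware, and the manifest and asset listing it runs on are constructed to resemble what apktool or unzip would produce. It flags the combination of indicators rather than any single permission, because overlay and WakeLock permissions are common in legitimate apps.

```python
"""Static triage of a decoded Android app for the capability combination
discussed above: an Accessibility Service binding, overlay permission,
WakeLock permission and embedded HTML assets.

Added example for this article (a heuristic for analyst triage, not a
signature for Hook). The manifest and asset list below are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# ElementTree keys android:foo attributes by their full namespace URI.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS

# Constructed manifest fragment in the shape apktool decodes from an APK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Update">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed asset listing, e.g. from `unzip -l app.apk | grep assets/`.
SAMPLE_ASSETS = ["assets/index.html", "assets/lock.html", "assets/fonts/a.ttf"]

# Constructed benign counterpart: network only, no HTML, no a11y service.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""
BENIGN_ASSETS = ["assets/fonts/a.ttf"]

# Capability -> manifest permission that enables it.
PERMISSION_FLAGS = {
    "overlay": "android.permission.SYSTEM_ALERT_WINDOW",   # full-screen overlays
    "wakelock": "android.permission.WAKE_LOCK",            # wake device for unlock
}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage(manifest_xml: str, assets: list[str]) -> dict:
    """Return per-capability findings, a simple score and a review flag."""
    root = ET.fromstring(manifest_xml)
    findings: dict = {}

    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    for cap, perm in PERMISSION_FLAGS.items():
        findings[cap] = perm in perms

    # An accessibility service must be declared with this bind permission
    # for the system to connect to it; that is the key signal here.
    findings["accessibility_service"] = any(
        s.get(A + "permission") == A11Y_BIND for s in root.iter("service")
    )

    # Bundled HTML under assets/ is what a WebView-based overlay would load.
    findings["html_assets"] = sorted(
        a for a in assets if a.lower().endswith((".html", ".htm"))
    )

    score = sum(findings[k] for k in ("overlay", "wakelock", "accessibility_service"))
    score += 1 if findings["html_assets"] else 0
    findings["score"] = score
    # Require the a11y binding plus at least two supporting indicators.
    findings["review"] = findings["accessibility_service"] and score >= 3
    return findings


if __name__ == "__main__":
    for name, m, a in (("suspicious", SAMPLE_MANIFEST, SAMPLE_ASSETS),
                       ("benign", BENIGN_MANIFEST, BENIGN_ASSETS)):
        print(name, triage(m, a))
```

Run it against a real sample by passing the decoded AndroidManifest.xml text and the APK's file list in place of the constructed constants. The review flag deliberately requires the accessibility binding: SYSTEM_ALERT_WINDOW and WAKE_LOCK alone describe many legitimate launchers and messaging apps, and treating them as malicious on their own would bury analysts in false positives.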