Android Trojan Mutation Intensifies, Adopting Extortion Methods
The global cybersecurity landscape is once again under threat, as a new variant of the Hook Android banking Trojan has surfaced. This malware, developed and distributed by unnamed threat actors, is linked to the Ermac malware family and includes ransomware capabilities, spyware functions, and remote control features.
The Hook campaign, which previously focused on stealing passwords and sensitive data, has evolved to pose a growing concern for enterprises and individuals alike. Unlike its predecessors, Hook is now spreading malicious APK files through GitHub repositories.
The upgraded Hook malware adopts ransomware-style methods and advanced surveillance tools. It presents fake PIN and pattern-lock screens to capture the device unlock code, and it streams the screen in real time so operators can monitor everything the victim does. The malware also shows fake NFC scanning prompts and draws transparent overlays to capture gestures, as well as fake credit card forms mimicking services like Google Pay to harvest payment information.
The most alarming new feature of Hook is a ransomware overlay that displays a payment demand with a cryptocurrency wallet address controlled by attackers. This overlay coerces users into making payments, marking a significant shift in the Hook campaign's tactics.
The malware also includes 107 remote commands, 38 of which are newly introduced. Code references found in the Trojan suggest its developers may add RabbitMQ for more resilient command-and-control (C2) communications.
Zimperium, a mobile security company, confirmed that Hook continues to exploit Android Accessibility Services for automated fraud and device control. The company has collaborated with industry partners to remove at least one GitHub repository associated with the distribution of the malware.
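Because Hook, like the other families named here, depends on Accessibility Services to drive the device, an enabled accessibility service that nobody on the team recognises is one of the cheapest triage signals a defender can collect from a managed Android fleet. The script below is an added example written for this article, not code from the report or from Zimperium. It parses the value returned by `adb shell settings get secure enabled_accessibility_services` and prints any service not on a known-good allowlist. The allowlist entries (TalkBack) and the sample value it runs on are assumptions constructed for the example; a real deployment would maintain its own allowlist and feed in live `adb` output.

```shell
#!/bin/sh
# Added example for this article (not code from the report or from Zimperium):
# flag Accessibility Services enabled on an Android device that are not on a
# known-good allowlist. Hook-style banking Trojans depend on Accessibility
# Services for automated fraud and device control, so an unexpected enabled
# service on a managed device is a strong triage signal.
#
# Input is the value printed by
#   adb shell settings get secure enabled_accessibility_services
# i.e. colon-separated "package/service" entries; the class may be written in
# ".Service" shorthand, and the value is the literal string "null" when nothing
# is enabled.

# Assumed allowlist for this example; a real fleet would maintain its own.
ALLOWLIST="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService
com.android.talkback/com.google.android.marvin.talkback.TalkBackService"

# Expand "pkg/.Svc" shorthand to "pkg/pkg.Svc" so allowlist matching is exact.
normalize_service() {
    pkg=${1%%/*}
    cls=${1#*/}
    case "$cls" in
        .*) printf '%s/%s%s\n' "$pkg" "$pkg" "$cls" ;;
        *)  printf '%s/%s\n' "$pkg" "$cls" ;;
    esac
}

# Print every enabled service that is not on the allowlist, one per line.
# $1: raw settings value. Prints nothing when the device looks clean.
unexpected_services() {
    raw=$(printf '%s' "$1" | tr -d '\r')   # adb output carries CRLF line ends
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    old_ifs=$IFS
    set -f                      # no globbing while we split on ':'
    IFS=:
    set -- $raw
    IFS=$old_ifs
    set +f
    for entry in "$@"; do
        [ -z "$entry" ] && continue
        full=$(normalize_service "$entry")
        if ! printf '%s\n' "$ALLOWLIST" | grep -qxF "$full"; then
            printf '%s\n' "$full"
        fi
    done
    return 0
}

# Constructed sample value (not captured from a real infected device):
# TalkBack plus a sideloaded app that has been granted accessibility access.
SAMPLE="com.google.android.marvin.talkback/.TalkBackService:com.example.sideloaded/.AccService"

# Live use on a connected device would be:
#   unexpected_services "$(adb shell settings get secure enabled_accessibility_services)"
echo "Unexpected accessibility services in sample:"
unexpected_services "$SAMPLE"
```

Run against the constructed sample it reports only the sideloaded package; on a device with TalkBack alone it prints nothing. Pairing the flagged package with `adb shell pm list packages -i` (which shows the installer of each package) tells you whether the service belongs to an app that arrived through a store or was sideloaded, which matters here given that these families are being dropped as raw APKs from GitHub.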
The rapid evolution of Hook underscores how traditional banking Trojans are adopting spyware and ransomware tactics. Other malware families, including Ermac, Brokewell, and various SMS spyware strains, are also being distributed through the same method as Hook.
In just two weeks, the detection count of the Hook malware has more than doubled. The malicious files delivered are not just for stealing passwords but for installing powerful remote access tools that give attackers long-term control.
As the Hook campaign operates on a global scale, it is crucial for individuals and enterprises to stay vigilant and take necessary precautions to protect their digital assets. This includes regularly updating software, using reliable security solutions, and being cautious when downloading apps from untrusted sources.