Current Cyber Threats

Hook Version 3: The Banking Trojan with The Most Advanced Capabilities

Summary:
A new variant of the Hook Android banking trojan was uncovered by Zimperium’s zLabs research team, featuring some of the most advanced capabilities seen to date. The trojan now supports a total of 107 remote commands, 38 of which were recently added. Similar to previous variants, the latest version (v3) abuses Android Accessibility Services to gain control over the victim’s device, steal data, and conduct fraud. One of the alarming new features incorporated in Hook v3 is a full-screen ransomware overlay, which is deployed to trick users into making a ransom payment.

“This overlay presents an alarming "WARNING" message, alongside a wallet address and amount, both of which are dynamically retrieved from the command-and-control server,” note researchers in their new blog post.

Other prominent features in the new Hook variant include:
  • Fake NFC overlays to trick victims into sharing sensitive data
  • Lockscreen bypass via deceptive PIN and pattern prompts
  • Transparent overlays to silently capture user gestures
  • Stealthy screen-streaming sessions for real-time monitoring

Security Officer Comments:
The extensive list of commands supported by Hook gives operators flexibility in stealing data and extorting funds while bypassing defenses. Analysis of the latest Hook variant shows that the authors are still updating the malware, with code references suggesting the use of RabbitMQ, a dedicated message broker that manages queues and messages between clients and servers, for more reliable and flexible C2 communications. Researchers also note the potential use of Telegram for C2 communication, which is still under development.

Suggested Corrections:
The banking trojan is being distributed via phishing sites as well as GitHub, with actors actively leveraging the platform to host and spread malicious APK files. In general, users should be careful when initiating downloads from sites online. Carefully vetting repositories prior to downloading and executing code, installing antivirus solutions, and disabling Android Accessibility Services can be effective at preventing potential Hook infections.
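Because Hook depends on Accessibility Services for its foothold, one practical check is to audit which services are actually enabled on a device. The POSIX sh helper below is an added example, not code from the Zimperium post; it compares the value of the real Android secure setting enabled_accessibility_services (read live with `adb shell settings get secure enabled_accessibility_services`) against an allowlist of packages you expect, and the sample value and allowlist are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper (not from the Zimperium post). The secure setting
# enabled_accessibility_services is a colon-separated list of
# <package>/<ServiceClass> entries; "null" means none is enabled.
#
# Live use on a connected device:
#   check_accessibility_services \
#     "$(adb shell settings get secure enabled_accessibility_services)" "$ALLOWLIST"

# Constructed sample of the setting's value. TalkBack is a real, expected
# screen reader; the second entry is a placeholder standing in for an
# unfamiliar app that has been granted accessibility access.
SAMPLE_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknownapp/.AccService"

# Space-separated allowlist of package names whose services are expected.
ALLOWLIST="com.google.android.marvin.talkback"

# Prints every enabled service whose package is not allowlisted, one per line.
# Returns 0 when all enabled services are expected, 1 when any is not.
check_accessibility_services() {
  services="$1"
  allow="$2"
  unexpected=0
  # Nothing enabled: nothing to flag.
  if [ -z "$services" ] || [ "$services" = "null" ]; then
    return 0
  fi
  # Split the setting on ':' into positional parameters, then restore IFS.
  old_ifs="$IFS"
  IFS=':'
  set -- $services
  IFS="$old_ifs"
  for entry in "$@"; do
    pkg="${entry%%/*}"          # package name is everything before the '/'
    case " $allow " in
      *" $pkg "*) ;;            # expected package, nothing to report
      *) echo "$entry"; unexpected=1 ;;
    esac
  done
  [ "$unexpected" -eq 0 ]
}

# Stand-alone demonstration against the constructed sample.
check_accessibility_services "$SAMPLE_SERVICES" "$ALLOWLIST" \
  || echo "Review the service(s) listed above; revoke access if unrecognised."
```

Any entry printed is a candidate for review and, if unrecognised, for having its accessibility access revoked in Settings.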

Link(s):
https://zimperium.com/blog/Hook-Version-3-The-Banking-Trojan-with-The-Most-Advanced-Capabilities