HOOK Android Trojan Evolves with Ransomware Overlays and Expanded Remote Commands

Cybersecurity researchers have identified a new variant of the HOOK Android banking trojan that now incorporates ransomware-style overlay screens to extort payments from victims. This development marks a significant escalation in the malware’s capabilities, blending traditional banking trojan functions with ransomware tactics.

Vishnu Pratapagiri, a researcher at Zimperium zLabs, highlighted this advancement:

A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment. This overlay presents an alarming ‘WARNING’ message, alongside a wallet address and amount, both of which are dynamically retrieved from the command-and-control server.

The ransomware overlay is activated remotely when the `ransome` command is issued by the command-and-control (C2) server. Attackers can dismiss the overlay by sending the `delete_ransome` command.

HOOK is believed to be an offshoot of the ERMAC banking trojan, whose source code was previously leaked online. Like other Android banking malware, HOOK can display fake overlay screens on top of legitimate financial apps to steal user credentials and exploit Android accessibility services to automate fraudulent activities and gain remote control over devices.

Additional features of HOOK include:

– Sending SMS messages to specified phone numbers.

– Streaming the victim’s screen.

– Capturing photos using the front-facing camera.

– Stealing cookies and recovery phrases associated with cryptocurrency wallets.

The latest version of HOOK represents a significant advancement, now supporting 107 remote commands, with 38 newly added ones. These include:

– Serving transparent overlays to capture user gestures.

– Displaying fake NFC overlays to trick victims into sharing sensitive data.

– Presenting deceptive prompts to gather lockscreen PINs or patterns.

The newly added commands are as follows:

– `ransome`: Displays a ransomware overlay on the device.

– `delete_ransome`: Removes the ransomware overlay.

– `takenfc`: Shows a fake NFC scanning screen using a fullscreen WebView overlay to read card data.

– `unlock_pin`: Displays a fake device unlock screen to collect unlock patterns or PIN codes, granting unauthorized access to the device.

– `takencard`: Displays a fake overlay mimicking a Google Pay interface to collect credit card information.

– `start_record_gesture`: Records user gestures by displaying a transparent full-screen overlay.

HOOK is believed to be distributed on a large scale through phishing websites and bogus GitHub repositories hosting malicious APK files. Other Android malware families, such as ERMAC and Brokewell, have also been distributed via GitHub, indicating a broader adoption of this distribution method among threat actors.

Zimperium noted:

The evolution of HOOK illustrates how banking trojans are rapidly converging with spyware and ransomware tactics, blurring threat categories. With continuous feature expansion and broad distribution, these families pose a growing risk to financial institutions, enterprises, and end users alike.

Anatsa Continues to Evolve

In related developments, Zscaler’s ThreatLabs detailed an updated version of the Anatsa banking trojan, which has expanded its focus to target over 831 banking and cryptocurrency services worldwide, including those in Germany and South Korea, up from 650 previously reported.

One of the apps involved mimics a file manager app (package name: com.synexa.fileops.fileedge_organizerviewer), acting as a dropper to deliver Anatsa. The malware has replaced dynamic code loading of remote Dalvik Executable (DEX) payloads with direct installation of the trojan and uses corrupted archives to hide the DEX payload deployed during runtime.
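A dropper that ships its DEX payload inside an archive the standard ZIP parser rejects defeats tooling that only inspects entries the parser lists. The triage helper below is an added example written for this article, not code from Zscaler or from the Anatsa analysis: it scans the raw bytes of an APK-like file for DEX headers regardless of whether the archive parses, and flags a file as suspicious when raw DEX magic is present but the archive is unreadable or the magic is not accounted for by a listed `.dex` entry. The fixtures are constructed in-memory ZIPs carrying a header-sized stub (not a real DEX); the assumption that corruption shows up as an unreadable end-of-central-directory record is one of several ways an archive can be broken and is only an illustration.

```python
"""Added triage example: locate DEX payloads in APK-like archives that
zipfile cannot open. Hypothetical helper, not from any vendor's tooling."""
import io
import zipfile

# A DEX file starts with b"dex\n" + three ASCII digits (e.g. 035) + NUL.
DEX_MAGIC_PREFIX = b"dex\n"


def find_dex_offsets(blob: bytes) -> list:
    """Return every offset at which a DEX header appears in blob.

    Works on raw bytes, so it does not depend on the ZIP structure being
    intact. Only uncompressed (stored) payloads are visible this way; a
    deflated classes.dex in a healthy APK will not match, which is fine
    for this heuristic.
    """
    offsets = []
    start = 0
    while True:
        i = blob.find(DEX_MAGIC_PREFIX, start)
        if i == -1:
            return offsets
        version = blob[i + 4:i + 8]
        if len(version) == 4 and version[:3].isdigit() and version[3] == 0:
            offsets.append(i)
        start = i + 1


def archive_is_parseable(blob: bytes) -> bool:
    """True if zipfile can open the archive and every entry's CRC checks out."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def triage(blob: bytes) -> dict:
    """Heuristic verdict: raw DEX magic that the archive listing cannot
    explain (unreadable archive, or more headers than listed .dex entries)
    is treated as a hidden payload."""
    parseable = archive_is_parseable(blob)
    offsets = find_dex_offsets(blob)
    listed = []
    if parseable:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            listed = [n for n in zf.namelist() if n.endswith(".dex")]
    suspicious = bool(offsets) and (not parseable or len(offsets) > len(listed))
    return {
        "parseable": parseable,
        "dex_offsets": offsets,
        "listed_dex_entries": listed,
        "suspicious": suspicious,
    }


def build_fixture(kind: str) -> bytes:
    """Constructed sample archives (not real malware):
    'benign'  - classes.dex stored in the normal place
    'hidden'  - DEX stub stored under assets/ with a non-.dex name
    'corrupt' - same as 'hidden', then the end-of-central-directory
                signature is zeroed so zipfile refuses to open it
    """
    fake_dex = b"dex\n035\0" + b"\0" * 0x60  # header-sized stub, constructed
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        if kind == "benign":
            zf.writestr("classes.dex", fake_dex)
        else:
            zf.writestr("assets/config.bin", fake_dex)
    blob = bytearray(buf.getvalue())
    if kind == "corrupt":
        eocd = blob.rfind(b"PK\x05\x06")  # assumed corruption point for this example
        blob[eocd:eocd + 4] = b"\0\0\0\0"
    return bytes(blob)


if __name__ == "__main__":
    for kind in ("benign", "hidden", "corrupt"):
        print(kind, triage(build_fixture(kind)))
```

Run against a real sample directory, the same `triage` call replaces the fixtures with `open(path, "rb").read()`; the useful signal for analysts is the `dex_offsets` list, which gives the carve points for extracting the payload with a hex tool even when the archive itself cannot be unpacked.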

Anatsa also requests permissions for Android’s accessibility services, which it abuses to grant itself additional permissions, allowing it to send and receive SMS messages and draw content on top of other applications to display overlay windows.

Zscaler identified 77 malicious apps from various adware, maskware, and malware families, such as Anatsa, Joker, and Harly, in the Google Play Store, accounting for over 19 million installations. Maskware refers to apps that present themselves as legitimate applications or games but incorporate obfuscation, dynamic code loading, or cloaking techniques to conceal malicious content.

Harly is a variant of Joker first flagged by Kaspersky in 2022. In March, Human Security uncovered 95 malicious applications containing Harly hosted in the Google Play Store.

Security researcher Himanshu Sharma stated:

Anatsa continues to evolve and improve with anti-analysis techniques to better evade detection. The malware has also added support for more than 150 new financial applications to target.