Banking Trojan Hook Becomes Hackers’ Universal Tool

Recent developments in the Android mobile ecosystem have brought forth a new wave of threats stemming from the evolution of the HOOK banking Trojan. The latest iteration of this malicious program has expanded its range of functions, transforming into a hybrid that amalgamates spy software, carrier programs, and remote control tools for devices. Originally derived from the Ermac Trojan, which had its source code openly accessible, HOOK was initially designed to pilfer banking application accounts by utilizing fake overlays on interfaces to intercept passwords and card details. However, the latest version has significantly enhanced its capabilities.

The revamped Trojan now supports 107 remote commands, 38 of them new, which raises its danger considerably. Among the newly introduced features is the ability to display a full-screen “encrypted” overlay containing a message about a supposedly blocked device and a ransom demand. The ransom amount and the cryptocurrency to be used are fetched dynamically from the control server, and the overlay itself is switched on and off remotely.

Additional functionalities include crafting fake screens to capture PIN codes or unlock templates, mimicking the Google Pay interface, transparent overlays for recording gestures, and bogus NFC scan windows for stealing contactless card data. Furthermore, the Trojan can siphon the victim’s screen images, capture front camera snapshots, intercept SMS messages, pilfer cookies, and snag cryptocurrency recovery phrases. Typically, infections occur through phishing sites and counterfeit GitHub repositories where malicious apk files are disguised as legitimate applications.

According to Zimperium, the broad set of capabilities in HOOK underscores a trend in which banking Trojans increasingly combine spyware and extortion features, blurring the lines between threat categories. This shift lets one tool attack devices, siphon money and personal data, and lock the owner out of the smartphone to compel payment. Meanwhile, Zscaler has observed the rapid advancement of the Anatsa banking Trojan, whose target list has grown to 831 applications spanning banks and crypto services. Its distribution channels include fake file managers on Google Play that conceal the malicious code; 77 infected programs were identified, including Joker and Harly samples, downloaded over 19 million times in total.

The updated versions of HOOK and Anatsa exemplify an overarching trend: mobile Trojans are evolving into versatile tools that combine financial data theft, covert surveillance, extortion, and remote device control. The scale of the threat is growing while the distribution methods become more sophisticated, raising the risk for users, financial institutions, and corporate networks.