New Android Hook Malware Variant Locks Devices With Ransomware

Zimperium’s research reveals the Hook Android malware is now a hybrid threat, using ransomware and spyware to steal data via phishing and GitHub distribution.
Mobile security firm Zimperium has issued a new alert about a sophisticated evolution in mobile threats. Zimperium’s zLabs research team recently discovered a new variant of a harmful Android program known as the Hook banking trojan.
This new research was shared with Hackread.com, highlighting a major escalation in danger for mobile users. As per Zimperium’s findings, once limited to stealing banking information, Hook has evolved into a hybrid tool combining ransomware, spyware, and traditional bank-hacking capabilities.
Dubbed Hook Version 3, this new variant now supports an alarming 107 remote commands, with 38 new additions in this update. This gives attackers an unprecedented level of control over a victim’s mobile device.
The malware is highly effective at tricking its victims. By luring users into enabling Android’s Accessibility Services, a feature designed to help people with disabilities, the malware can automate its malicious actions.
Moreover, it uses fake, transparent screens to capture PINs and other private details. For example, it can display a deceptive interface over the device’s lock screen, tricking the user into entering their security PIN or pattern. It can even mimic legitimate apps, such as a fake Google Pay screen to steal credit card details or a fake NFC prompt to capture sensitive data.
It must be noted that while the malware can display a fake NFC prompt, the source code indicates this is a future capability, showing how the attackers are still actively building and expanding the malware.
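The abuse described above depends on two things a user has to grant: an enabled Accessibility Service and the overlay permission that lets an app draw a fake screen on top of another. A defender-side triage check that follows from this is shown below as an added example written for this article; it is not Zimperium's research code and contains nothing from the malware. It assumes adb access to the device under review, the adb commands and output formats are the standard Android ones, and the sample outputs and package names embedded in it are constructed for illustration.

```python
"""Flag third-party Android packages that hold an enabled Accessibility
Service and, optionally, the overlay (SYSTEM_ALERT_WINDOW) permission,
by parsing adb command output.

Added example for this article, not Zimperium's or the malware's code.
Sample outputs below are constructed; package names are hypothetical.
"""
import shutil
import subprocess

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated flattened ComponentNames: <package>/<service class>).
A11Y_SAMPLE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.sideloaded.app/.SvcA11y"
)

# Constructed sample of `adb shell pm list packages -3` (third-party packages only).
PKG_SAMPLE = "package:com.example.sideloaded.app\npackage:com.example.weather\n"

# Constructed samples of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`.
APPOPS_SAMPLE = {
    "com.example.sideloaded.app": "SYSTEM_ALERT_WINDOW: allow; time=+5m3s ago",
    "com.example.weather": "No operations.",
}


def parse_enabled_a11y(raw):
    """Return the set of package names that have an enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":  # setting is "null" when nothing is enabled
        return set()
    pkgs = set()
    for entry in raw.split(":"):
        entry = entry.strip()
        if entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def third_party_packages(raw):
    """Return the set of package names from `pm list packages -3` output."""
    return {
        line.strip()[len("package:"):]
        for line in raw.splitlines()
        if line.strip().startswith("package:")
    }


def overlay_allowed(appops_raw):
    """True if the appops output reports SYSTEM_ALERT_WINDOW mode 'allow'."""
    for line in appops_raw.splitlines():
        line = line.strip()
        if line.startswith("SYSTEM_ALERT_WINDOW:"):
            mode = line.split(":", 1)[1].split(";", 1)[0].strip()
            return mode == "allow"
    return False


def triage(a11y_raw, pkg_raw, appops_by_pkg=None, allowlist=frozenset()):
    """Return a sorted list of (package, reasons) for third-party packages
    that have an enabled accessibility service and are not allowlisted.
    Holding the overlay permission as well is recorded as a second reason,
    since that pairing is what a fake lock-screen or payment overlay needs."""
    appops_by_pkg = appops_by_pkg or {}
    a11y = parse_enabled_a11y(a11y_raw)
    third_party = third_party_packages(pkg_raw)
    findings = []
    for pkg in sorted(third_party & a11y):
        if pkg in allowlist:
            continue
        reasons = ["accessibility service enabled"]
        if overlay_allowed(appops_by_pkg.get(pkg, "")):
            reasons.append("overlay permission granted")
        findings.append((pkg, reasons))
    return findings


def collect_from_device():
    """Run the three adb queries against the connected device (requires adb)."""
    def sh(*args):
        return subprocess.run(["adb", "shell", *args], capture_output=True,
                              text=True, check=True).stdout
    a11y_raw = sh("settings", "get", "secure", "enabled_accessibility_services")
    pkg_raw = sh("pm", "list", "packages", "-3")
    appops = {p: sh("appops", "get", p, "SYSTEM_ALERT_WINDOW")
              for p in third_party_packages(pkg_raw)}
    return a11y_raw, pkg_raw, appops


if __name__ == "__main__":
    # Use the live device when adb is available, otherwise the constructed samples.
    data = collect_from_device() if shutil.which("adb") else (A11Y_SAMPLE, PKG_SAMPLE, APPOPS_SAMPLE)
    for pkg, reasons in triage(*data):
        print(f"{pkg}: {', '.join(reasons)}")
```

The allowlist parameter is there because legitimate accessibility tools (screen readers, password managers) also appear in the enabled list; a flagged package is a starting point for review, not a verdict on its own.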
Other than stealing information, Hook can also stream a device’s activity in real time, giving the attacker a live view of everything the user is doing. One of the most dangerous new features is a screen-locking ability that displays a full-screen WARNING message demanding a ransom payment. The wallet address and ransom amount for this message are dynamically received from a remote server, making the attack highly adaptable.
It is worth noting that although live streaming device activity is not entirely new, it is still rare compared to more common malware features. Recently, Doctor Web researchers spotted an Android malware called Android.Backdoor.916.origin, which was targeting Russian devices. It is capable of live-streaming audio from the microphone and broadcasting video from the camera.
Meanwhile, according to Zimperium’s report, Hook malware is being distributed on a large scale. While it still spreads through fake websites, the research shows that hackers are also using public platforms like GitHub to host and share the malicious files. This makes it easier for criminals to distribute the malware, and researchers have observed other malware families, such as Ermac and Brokewell, using the same technique.
The malware’s developers have even included hints of future capabilities, such as using platforms like RabbitMQ and Telegram for more robust command-and-control communication. As threats like this continue to spread, they pose a growing risk to personal privacy, financial systems, and private companies alike.
Zimperium’s findings show that companies and individuals should take mobile security seriously since mobile devices are now being targeted for more than login credentials or banking information.
HackRead