Zimperium zLabs uncovered a new Hook Android banking trojan variant that adds ransomware-style and fake NFC overlays, lockscreen bypasses, transparent gesture-capture overlays, and stealthy screen-streaming, expanding to 107 remote commands (38 new). The malware is being widely distributed via phishing sites and GitHub repositories and shows signs of evolving C2 capabilities (RabbitMQ, Telegram) and broad targeting of wallet and banking apps. #Hook #RabbitMQ
Keypoints
- Hook v3 introduces ransomware-style full-screen overlays and extortion workflows that display dynamic wallet addresses and amounts controlled by the C2.
- New overlay techniques include fake NFC screens, phishing WebView overlays mimicking Google Pay, lockscreen PIN/pattern capture, and transparent overlays to record gestures.
- The malware supports 107 remote commands (38 newly added), enabling actions from screen streaming/HVNC to automated PIN entry and clipboard/cookie theft.
- Distribution has expanded beyond phishing sites to public GitHub repositories where malicious APKs (Hook, Ermac, Brokewell, SMS spyware) are hosted and shared by threat actors.
- Hook continues to abuse Android Accessibility Services and NotificationListenerService to automate input, intercept OTPs, steal session cookies, and capture keystrokes and GUI content.
- Artifacts in the code (RABBITMQ_SERVER, hardcoded credentials, hints of Telegram use) suggest future plans to adopt more resilient bidirectional C2 channels like RabbitMQ and Telegram-based messaging.
- Zimperium’s on-device protections (MTD / zDefend) detect and defend against Hook, and Zimperium collaborated on takedowns of malicious GitHub repositories to reduce the campaign’s reach.
MITRE Techniques
- [T1660] Phishing – Adversaries host phishing websites or host APKs on GitHub; quote: ‘Adversaries host phishing websites or host APKs in GitHub’
- [T1624.001] Event Triggered Execution: Broadcast Receivers – It registers a broadcast receiver to receive SMS events; quote: ‘It creates a broadcast receiver to receive SMS events’
- [T1626.001] Abuse Elevation Control Mechanism: Device Administrator Permissions – The malware can factory-reset the device, reset the device PIN/password, disable the lockscreen and watch the victim’s login attempts; quote: ‘Malware is capable of factory reset, reset device pin/password, disable lockscreen, can watch login attempts from victim’
- [T1655.001] Masquerading: Match Legitimate Name or Location – The malware pretends to be Google Chrome and many other legitimate applications; quote: ‘Malware pretending to be google chrome and many other legit applications’
- [T1630.001] Indicator Removal on Host: Uninstall Malicious Application – The malware can uninstall itself; quote: ‘Malware can uninstall itself’
- [T1629.002] Impair Defenses: Device Lockout – The malware can lock the victim out of the device via DevicePolicyManager.lockNow(); quote: ‘Malware can lockout victim through the device by DevicePolicyManager.lockNow()’
- [T1516] Input Injection – The malware can mimic user interaction, perform clicks and various gestures, and input data; quote: ‘Malware can mimic user interaction, perform clicks and various gestures, and input data’
- [T1406.002] Obfuscated Files or Information: Software Packing – It uses obfuscation and a packer (JSONPacker) to conceal its code; quote: ‘It is using obfuscation and packers (JSONPacker) to conceal its code.’
- [T1517] Access Notifications – The malware leverages Android NotificationListenerService to intercept OTPs and sensitive data from notifications, dismissing or manipulating them to avoid user detection; quote: ‘The malware leverages Android NotificationListenerService to intercept OTPs and sensitive data from notifications, dismissing or manipulating them to avoid user detection.’
- [T1414] Clipboard Data – It extracts data stored on the clipboard; quotes: ‘It extracts data stored on the clipboard.’ and ‘It has the ability to steal data from the clipboard.’
- [T1417.001] Input Capture: Keylogging – It has a keylogger feature; quote: ‘It has a keylogger feature’
- [T1417.002] Input Capture: GUI Input Capture – It is able to read the UI currently shown on screen; quote: ‘It is able to get the shown UI.’
- [T1420] File and Directory Discovery – Lists the files at a specified path (additional parameter “ls”), or downloads a file from the specified path (additional parameter “dl”); quote: ‘lists the files at a specified path (additional parameter “ls”), or downloads a file from the specified path (additional parameter “dl”)’
- [T1430] Location Tracking – The malware can track the victim’s location; quote: ‘Malware can track victim’s location’
- [T1418] Software Discovery – The malware collects the list of installed application packages; quote: ‘Malware collects installed application package list’
- [T1421] System Network Connections Discovery – Adversaries may attempt to get a listing of network connections to or from the compromised device; quote: ‘Adversaries may attempt to get a listing of network connections to or from the compromised device’
- [T1426] System Information Discovery – The malware collects basic device info; quote: ‘The malware collects basic device info.’
- [T1513] Screen Capture – The malware can record screen content; quote: ‘Malware can record screen content.’
- [T1533] Data from Local System – The malware can access photos on the device; quote: ‘Malware can access photos from the device.’
- [T1512] Video Capture – The malware opens the camera and takes pictures; quote: ‘Malware opens camera and takes pictures.’
- [T1429] Audio Capture – The malware captures audio recordings; quote: ‘Malware captures Audio recordings.’
- [T1616] Call Control – The malware can make calls; quote: ‘Malware can make calls.’
- [T1636.002] Protected User Data: Call Log – The malware steals call logs; quote: ‘Malware steals call logs.’
- [T1636.003] Protected User Data: Contact List – It exports the device’s contacts; quote: ‘It exports the device’s contacts.’
- [T1636.004] Protected User Data: SMS Messages – Steals SMS messages from the infected device; quote: ‘Steals SMSs from the infected device.’
- [T1409] Stored Application Data – Hook can request the GET_ACCOUNTS permission to get the list of accounts on the device; quote: ‘Hook can request the GET_ACCOUNTS permission to get the list of accounts on the device.’
- [T1637] Dynamic Resolution – It receives the injected HTML payload endpoint dynamically from the server; quote: ‘It receives the injected HTML payload endpoint dynamically from the server.’
- [T1481.002] Web Service: Bidirectional Communication – It uses WebSocket communication to poll the threat actor’s server and fetch the commands to execute; quote: ‘It uses websocket communication to poll the TA’s server and get the commands to execute.’
- [T1646] Exfiltration Over C2 Channel – Exfiltrated data is sent to the C&C server; quote: ‘Sending exfiltrated data over C&C server.’
- [T1582] SMS Control – It can read and send SMS; quote: ‘It can read and send SMS.’
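The Accessibility Service, NotificationListenerService, device-admin and SMS-receiver abuse listed in the keypoints and in the techniques above leaves a recognisable footprint in an APK's manifest, which is the cheapest place to triage a sample pulled from a phishing site or a GitHub repository. The script below is an added example written for this page; it is not Zimperium's code and not anything from the Hook codebase. The two manifests, the package and component names, and the indicator weights are constructed assumptions, and the `hook_like` rule (accessibility binding plus at least two further pillars) is a triage heuristic, not a detection signature.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability stack this
page attributes to Hook: AccessibilityService binding (input injection, keylogging),
NotificationListenerService (OTP theft), DeviceAdminReceiver (lockNow / PIN reset),
an SMS_RECEIVED broadcast receiver and the overlay permission."""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Requested permissions mapped to the ATT&CK Mobile techniques listed above.
# Weights are an illustrative assumption, not values from the report.
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay drawing (fake NFC/ransom/phishing screens)", 2),
    "android.permission.RECEIVE_SMS": ("SMS interception (T1636.004)", 2),
    "android.permission.READ_SMS": ("SMS reading (T1636.004)", 1),
    "android.permission.SEND_SMS": ("SMS sending (T1582)", 1),
    "android.permission.GET_ACCOUNTS": ("account enumeration (T1409)", 1),
    "android.permission.READ_CONTACTS": ("contact theft (T1636.003)", 1),
    "android.permission.CAMERA": ("camera capture (T1512)", 1),
}

# Components whose android:permission binds them to a privileged system role.
COMPONENT_INDICATORS = {
    ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE"):
        ("AccessibilityService: input injection, keylogging, GUI capture (T1516, T1417)", 4),
    ("service", "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"):
        ("NotificationListenerService: OTP interception (T1517)", 3),
    ("receiver", "android.permission.BIND_DEVICE_ADMIN"):
        ("DeviceAdminReceiver: lockNow(), PIN reset (T1626.001, T1629.002)", 3),
}


def _a(elem, name):
    """Read an attribute from the android: XML namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return package name, additive score, matched findings and a hook_like verdict."""
    root = ET.fromstring(xml_text)
    findings, caps, score = [], set(), 0
    for up in root.iter("uses-permission"):
        perm = _a(up, "name")
        if perm in PERMISSION_INDICATORS:
            desc, weight = PERMISSION_INDICATORS[perm]
            findings.append(f"{perm}: {desc}")
            score += weight
            if perm.endswith("SYSTEM_ALERT_WINDOW"):
                caps.add("overlay")
    app = root.find("application")
    for comp in (list(app) if app is not None else []):
        key = (comp.tag, _a(comp, "permission"))
        if key in COMPONENT_INDICATORS:
            desc, weight = COMPONENT_INDICATORS[key]
            findings.append(f"{comp.tag} {_a(comp, 'name')}: {desc}")
            score += weight
            caps.add(key[1].rsplit(".", 1)[1])  # e.g. BIND_ACCESSIBILITY_SERVICE
        if comp.tag == "receiver" and any(
                _a(act, "name") == SMS_RECEIVED_ACTION for act in comp.iter("action")):
            findings.append(f"receiver {_a(comp, 'name')}: SMS_RECEIVED broadcast receiver (T1624.001)")
            score += 2
            caps.add("sms_receiver")
    # Verdict heuristic: accessibility abuse plus at least two of the other pillars.
    pillars = {"BIND_NOTIFICATION_LISTENER_SERVICE", "BIND_DEVICE_ADMIN", "sms_receiver", "overlay"}
    hook_like = "BIND_ACCESSIBILITY_SERVICE" in caps and len(caps & pillars) >= 2
    return {"package": root.get("package"), "score": score,
            "hook_like": hook_like, "findings": findings}


# Constructed sample (hypothetical package and component names, not a real IoC)
# shaped like the capability stack this page describes for Hook.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.chromeupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Chrome">
    <service android:name=".CoreService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".ListenerService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign control: an ordinary app that only asks for the camera.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Notes"><activity android:name=".MainActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(triage_manifest(manifest), indent=2))
```

Run it against the `AndroidManifest.xml` that `apktool d sample.apk` writes out. Legitimate screen readers and password managers also bind `BIND_ACCESSIBILITY_SERVICE`, so treat the score as a reason to look closer, not as a verdict on its own. On a device under investigation, the same pillars can be checked live with `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners` and the active-admins section of `adb shell dumpsys device_policy`; a package that appears in all three and masquerades as Chrome matches the profile described above.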
Indicators of Compromise
- [File names / APKs] Malicious installers and hosted repositories – Hook and Ermac APKs observed in public GitHub repositories, alongside Brokewell and SMS-spyware APKs.
- [Commands / Payloads] Malicious command set and injected HTML – Ransomware overlay HTML, the takencard/takencf/takenfc capture payloads, and injected HTML endpoints delivered dynamically from the C2 (example commands: ‘ransome’, ‘takenfc’).
- [Hardcoded strings / credentials] Embedded C2 artifacts – A RABBITMQ_SERVER string and hardcoded usernames/passwords in the APK, pointing to a possible RabbitMQ-based C2 channel.
- [App names / Targets] Targeted wallet and financial apps – Launch commands for wallet and banking targets: Metamask, Exodus, Mycelium, Coinbase (Toshi), Trust, Safepal, Samourai, Piuk (example commands: ‘metamask’, ‘exodus’, ‘mycelium’, ‘trust’).
- [Commands list] Remote commands observed – 107 commands in total, for example ‘start_vnc’ (screen streaming) and ‘unlock_pin’ (automated PIN entry); the full list is in the source report.
Read more: https://zimperium.com/blog/hook-version-3-the-banking-trojan-with-the-most-advanced-capabilities