Executive Summary
Zimperium's zLabs research team has uncovered a new variant of the Hook Android banking trojan, now featuring some of the most advanced capabilities we have seen to date. This version introduces:
- Ransomware-style overlays that display extortion messages
- Fake NFC overlays to trick victims into sharing sensitive data
- Lockscreen bypass via deceptive PIN and pattern prompts
- Transparent overlays to silently capture user gestures
- Stealthy screen-streaming sessions for real-time monitoring
In total, the malware now supports 107 remote commands, 38 of them newly added in this update.
There is growing evidence that the malware is being distributed at scale, not only through phishing websites but also via GitHub, where threat actors are actively using the platform to host and spread malicious APK files.
Distribution Methods
We have been actively monitoring several GitHub repositories and have observed both old and new variants of malware such as Hook and Ermac being hosted there (Figure 1). This distribution method is not limited to these families: other malware strains, including Brokewell and various SMS spyware trojans, are being disseminated through the same channels.
Fig.1: Threat actors hosting different malware on GitHub repositories
Technical analysis
As with prior versions, Hook abuses Android Accessibility Services to automate fraud and control devices remotely. The difference is its growing command set and overlay techniques, which give attackers far more flexibility in stealing data, hijacking sessions, and bypassing defenses.
Fig.2: Malware requesting accessibility services from the victim
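Because every capability described below rides on an enabled accessibility service, the first check a responder can run on a suspect device is simply "which packages hold that privilege?". The following is an added example (not Zimperium's tooling, and not code from the malware) that parses the value Android stores in the secure setting `enabled_accessibility_services`, readable with `adb shell settings get secure enabled_accessibility_services`, and flags any service whose package is not on an allowlist. The allowlist and the sample setting value are constructed for the example.

```python
"""Flag accessibility services enabled by packages outside an allowlist.

Added example, not Zimperium's code. Android stores enabled accessibility
services as colon-separated flattened ComponentNames ("pkg/cls", or the short
form "pkg/.Cls" when the class lives under the package); the literal string
"null" (or an empty value) means none are enabled.
"""
from __future__ import annotations

# Assumption: an allowlist maintained by whoever owns the fleet. Anything else
# that holds accessibility rights deserves a look, because Hook is granted the
# privilege by the victim (Figure 2) and then drives the UI with it.
ALLOWLIST = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}


def unflatten(component: str) -> tuple[str, str]:
    """Expand 'pkg/.Cls' to ('pkg', 'pkg.Cls'), as ComponentName.unflattenFromString does."""
    pkg, sep, cls = component.partition("/")
    if not sep or not pkg or not cls:
        raise ValueError(f"malformed component string: {component!r}")
    if cls.startswith("."):
        cls = pkg + cls
    return pkg, cls


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the raw setting value into (package, service class) pairs."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    return [unflatten(c) for c in setting.split(":") if c]


def flag_services(setting: str, allowlist=ALLOWLIST) -> list[dict]:
    """Return one finding per enabled service whose package is not allowlisted."""
    findings = []
    for pkg, cls in parse_enabled_services(setting):
        if pkg in allowlist:
            continue
        reasons = ["accessibility service enabled by a package outside the allowlist"]
        # The page's Defense Evasion row: Hook masquerades as Chrome and other
        # legitimate apps, so a vendor-looking namespace is a reason to dig, not to trust.
        if pkg.startswith(("com.google.", "com.android.")):
            reasons.append("vendor-style package name not in allowlist (Hook masquerades as Chrome)")
        findings.append({"package": pkg, "service": cls, "reasons": reasons})
    return findings


# Constructed sample value, not output from a real infected device.
SAMPLE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.android.chrome.update/.AccService"
)

if __name__ == "__main__":
    for finding in flag_services(SAMPLE):
        print(finding)
```

Run it against the output of `adb shell settings get secure enabled_accessibility_services` on the device under investigation; a hit is a lead, not a verdict, since legitimate but unlisted tools will also appear.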
New Capabilities in Hook v3
In this section we analyse some of the most notable new commands Hook implements. The complete list of commands used by Hook v3 is provided in the table after the conclusion of this document, owing to its length.
Ransomware-style overlay
A prominent characteristic of the latest variant is its ability to deploy a full-screen ransomware overlay that aims to coerce the victim into paying a ransom. The overlay presents an alarming "*WARNING*" message (Figure 3) alongside a wallet address and amount, both of which are retrieved dynamically from the command-and-control server. The HTML needed to render it on the victim's screen is embedded within the APK itself. The behaviour is triggered remotely when the malware receives the ransome command from the C2, and the attacker can dismiss the overlay from the victim's screen by issuing the "delete_ransome" command.
Fig.3: Ransomware-style overlay
Fake NFC Overlay
The takenfc command displays a fake NFC scanning screen (Figure 4) using a full-screen WebView overlay. While the code sets up a JavaScript interface to capture user input, the current HTML does not include the injected JavaScript needed to collect and send sensitive data to the attacker. This shows that the attackers are still adding capabilities to the malware.
Fig.4: Fake NFC overlay
Stealing the Device Lock Screen and Automating PIN Unlocking
The malware uses an overlay technique that places a deceptive interface over the device's lock screen. The overlay mimics the legitimate unlock pattern or PIN entry screen (Figure 5), tricking users into entering their credentials. By capturing the unlock pattern or PIN, the attackers gain unauthorized access to the device, bypassing the lock screen and taking full control.
Fig.5: Overlays for stealing the device lock screen
The unlock_pin command can programmatically unlock the device by simulating user interaction. It first acquires a WakeLock to wake the device, performs a swipe-up gesture to reveal the lock screen, and then enters a PIN obtained from the payload. Each digit is clicked individually, followed by simulated taps on various confirmation buttons (e.g., "OK", "Enter", "Submit", including variants in different languages and symbols).
Fraudulent Phishing Overlay Used to Steal Card Information
The malware displays an overlay to steal credit card information whenever a takencard command is received from the server. It creates a full-screen WebView overlay (Figure 6) that mimics a legitimate interface and loads a fake HTML form. The HTML mimics Google Pay to capture sensitive input such as card details or the PIN entered in the form, then sends that data back to the server.
Fig.6: Phishing overlay page mimicking Google Pay
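The ransomware, fake NFC and Google Pay overlays above share one trait that static triage can use: the HTML is carried inside the APK and loaded into a WebView. The following is an added example (not Zimperium's code, and not a signature from any product) that opens an APK as the zip file it is, pulls every HTML page out of the asset directories, and scores each on markers such overlay pages tend to contain (an extortion banner, a wallet address, payment branding, card or PIN input fields, an NFC prompt, a call back into the app's JavaScript bridge). The marker list, weights, threshold and the in-memory stand-in APK are all constructed for the example.

```python
"""Static triage: find overlay HTML embedded in an APK.

Added example, not Zimperium's tooling. An APK is a zip archive, so the
embedded pages can be inspected without installing or running anything.
Heuristic markers below are constructed for illustration, not a signature feed.
"""
import io
import re
import zipfile

HTML_EXT = (".html", ".htm")
ASSET_DIRS = ("assets/", "res/raw/")

# (regex, weight, label). Weights are an assumption; tune against your own corpus.
MARKERS = [
    (re.compile(r"\bWARNING\b", re.I), 2, "extortion banner"),
    (re.compile(r"\b(bc1[a-z0-9]{20,}|[13][a-km-zA-HJ-NP-Z1-9]{25,34}|0x[a-fA-F0-9]{40})\b"),
     3, "crypto wallet address"),
    (re.compile(r"(google\s*pay|gpay)", re.I), 2, "Google Pay branding"),
    (re.compile(r"<input[^>]*(card|cvv|cvc|expir|pin)", re.I), 3, "card/PIN input field"),
    (re.compile(r"\bnfc\b", re.I), 2, "NFC prompt"),
    # Pages that talk back to the host app through a JavaScript interface call
    # window.<bridge>.<method>(...); Hook sets such an interface up for takenfc.
    (re.compile(r"window\.\w+\.\w+\("), 2, "call into a WebView JS bridge"),
]


def score_html(html: str) -> tuple[int, list[str]]:
    """Return (total weight, labels) for the markers present in one page."""
    score, hits = 0, []
    for rx, weight, label in MARKERS:
        if rx.search(html):
            score += weight
            hits.append(label)
    return score, hits


def scan_apk(apk_bytes: bytes, threshold: int = 4) -> list[dict]:
    """Score every HTML asset in the APK; return pages at or above the threshold, highest first."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.startswith(ASSET_DIRS) or not name.lower().endswith(HTML_EXT):
                continue
            html = zf.read(info).decode("utf-8", errors="replace")
            score, hits = score_html(html)
            if score >= threshold:
                findings.append({"path": name, "score": score, "hits": hits})
    return sorted(findings, key=lambda f: -f["score"])


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip holding two overlay pages and one benign page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "assets/ransom.html",
            "<h1>*WARNING*</h1><p>Send 0.05 BTC to %ADDRESS%</p>"  # address filled in from C2 at runtime
            "<script>window.Android.ready()</script>",
        )
        zf.writestr(
            "assets/gpay.html",
            "<title>Google Pay</title><form><input name='cardnumber'>"
            "<input name='cvv'><input name='pin'></form>",
        )
        zf.writestr("assets/help.html", "<p>Thanks for installing.</p>")
        zf.writestr("classes.dex", b"\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(finding)
```

On a real sample, replace `build_sample_apk()` with the bytes of the APK on disk. Note that the ransom page scores even though its wallet address is absent from the file: the page says the address and amount arrive from the C2 at runtime, so a scanner that keys only on wallet strings would miss it.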
Still Cooking: Hints of Wider Plans?
The first version of Hook was documented by ThreatFabric (Figure 7), with the malware's name present explicitly in the code. Later, NCC Group published a comparison between Hook and Ermac and shared details of a newer variant. In that updated version, the threat actors had changed the logging strings (Figure 8).
During our analysis of the latest banker variant, we identified several noteworthy strings being initialized, including RABBITMQ_SERVER (Figure 9) together with hardcoded usernames and passwords. RabbitMQ is a dedicated message broker that manages queues and messages between clients and servers, offering a more reliable and flexible C2 channel than basic HTTP or WebSocket communication.
Although the current build does not actively use RabbitMQ, its presence suggests that future versions of the malware could be configured to use this infrastructure, potentially improving the resilience and scalability of C2 operations.
Fig.7: Hook1
Fig.8: Hook2
Fig.9: Hook3
Use of Telegram?
The malware still appears to be developing a few more features, including the use of Telegram for C2 communication (Figure 9). Although we have seen Telegram used in one instance to send the injection form and injection data (Figure 10), we did not see any trace of a chat ID or bot token, which strongly suggests that these features are still under development.
New inject+++++ | 🆔 UID: # |
Fig.10: Fields that are sent to Telegram
Zimperium vs. Hook
Zimperium's Mobile Threat Defense (MTD) and Mobile Runtime Protection (zDefend) protect against Hook and other advanced banking trojans through an on-device dynamic detection engine, even when the malware is sideloaded from phishing sites or GitHub.
In addition to protecting our customers, Zimperium collaborated with industry stakeholders to help remove the malicious repository from which Hook was being distributed. This takedown significantly reduced the threat actor's operational capabilities.
Why This Matters
The evolution of Hook illustrates how banking trojans are rapidly converging with spyware and ransomware tactics, blurring threat categories. With continuous feature expansion and broad distribution, these families pose a growing risk to financial institutions, enterprises, and end users alike.
Zimperium customers are protected against Hook and its variants through on-device detection and behavioral analysis.
MITRE ATT&CK Methods
| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | | Phishing | Adversaries host phishing websites or host APKs on GitHub |
| Persistence | | Event Triggered Execution: Broadcast Receivers | It creates a broadcast receiver to receive SMS events |
| Privilege Escalation | | Abuse Elevation Control Mechanism: Device Administrator Permissions | Malware is capable of factory reset, resetting the device PIN/password, disabling the lockscreen, and watching login attempts by the victim |
| Defense Evasion | | Masquerading: Match Legitimate Name or Location | Malware pretends to be Google Chrome and many other legitimate applications |
| Defense Evasion | | Indicator Removal on Host: Uninstall Malicious Application | Malware can uninstall itself |
| Defense Evasion | | Device Lockout | Malware can lock the victim out of the device via DevicePolicyManager.lockNow() |
| Defense Evasion | | Input Injection | Malware can mimic user interaction, perform clicks and various gestures, and enter data |
| Defense Evasion | | Obfuscated Files or Information: Software Packing | It uses obfuscation and packers (JSONPacker) to conceal its code. |
| Credential Access | | Access Notifications | The malware uses Android NotificationListenerService to intercept OTPs and sensitive data from notifications, dismissing or manipulating them to avoid user detection. |
| Credential Access | | Clipboard Data | It extracts data stored on the clipboard. |
| Credential Access | | Input Capture: Keylogging | It has a keylogger feature |
| Credential Access | | Input Capture: GUI Input Capture | It is able to read the displayed UI. |
| Discovery | | File and Directory Discovery | Lists the files at a specified path (extra parameter "ls"), or downloads a file from the specified path (extra parameter "dl") |
| Discovery | | Location Tracking | Malware can track the victim's location |
| Discovery | | Software Discovery | Malware collects the installed application package list |
| Discovery | | System Network Connections Discovery | Adversaries may attempt to get a listing of network connections to or from the compromised device |
| Discovery | | System Information Discovery | The malware collects basic device information. |
| Collection | | Access Notifications | It registers a receiver to monitor incoming SMS messages |
| Collection | | Screen Capture | Malware can record screen content |
| Collection | | Data from Local System | Malware can access images on the device |
| Collection | | Capture Camera | Malware opens the camera and takes pictures |
| Collection | | Audio Capture | Malware captures audio recordings |
| Collection | | Call Control | Malware can make calls |
| Collection | | Protected User Data: Call Log | Malware steals call logs |
| Collection | | Protected User Data: Contact List | It exports the device's contacts. |
| Collection | | Protected User Data: SMS Messages | Steals SMS messages from the infected device |
| Collection | | Stored Application Data | Hook can request the GET_ACCOUNTS permission to get the list of accounts on the device |
| Collection | | Input Capture: Keylogging | Malware can capture keystrokes |
| Collection | | Input Capture: GUI Input Capture | It is able to read the displayed UI. |
| Collection | | Clipboard Data | It has the ability to steal data from the clipboard. |
| Collection | | Call Control | The threat actor can forward calls from the device |
| Command and Control | | Call Control | The threat actor can forward calls from the device |
| Command and Control | | Dynamic Resolution | It receives the injected HTML payload endpoint dynamically from the server. |
| Command and Control | | Web Service: Bidirectional Communication | It uses WebSocket communication to poll the threat actor's server and fetch the commands to execute. |
| Exfiltration | | Exfiltration Over C2 Channel | Exfiltrated data is sent over the C&C channel |
| Impact | | Call Control | The threat actor can make and block calls on the device |
| Impact | | Input Injection | It displays inject payloads such as a pattern lock, mimics banking app login screens via overlays, and steals credentials. |
| Impact | | SMS Control | It can read and send SMS. |
Indicators of Compromise
The full list of IOCs can be found in this repository.
Hook Command List
| Command | Description |
|---|---|
| action_recorded_gesture | Executes remote gesture commands via AccessibilityService to simulate user actions on the device. |
| start_vnc | Starts capturing the victim's screen continuously (streaming) |
| startussd | Executes a given USSD code on the victim's device |
| get_unlockpass | Resets the unlock password status to false. |
| send_sms_many | Sends an SMS message to multiple phone numbers |
| swipeup | Performs a swipe-up gesture |
| takescreenshot | Takes a screenshot of the victim's device |
| bitcoincom | Launches the Bitcoin Wallet app |
| clickatcontaintext | Clicks on the UI element that contains the payload text |
| start_hvnc | Starts an HVNC session by simulating a swipe gesture and sends device/app information to the attacker's server. |
| start_perm | Requests the necessary permissions and logs whether all, some, or none were granted |
| startadmin | Sets the "start_admin" shared preference key to 1, which can be used as a check before attempting to gain Device Admin privileges |
| delete_pincodep | Removes the PIN input overlay from the top of the screen |
| takenfc | Places the fake NFC overlay on top of the screen |
| start_record_gesture | Starts recording user gestures by displaying a transparent full-screen overlay |
| removewaitview | Removes the "wait / loading" view displayed on the victim's device by the "addwaitview" command |
| cookie | Steals session cookies (targets the victim's Google account) |
| exodus | Starts the Exodus Wallet application (and steals seed phrases as a result of starting it, as observed during analysis of the accessibility service) |
| clearcash | Sets the "autoClickCache" shared preference key to 1 and launches the "Application Details" setting for the specified app (probably to clear the cache) |
| stop_textview | Triggers the action to stop the text view |
| updateinjectandlistapps | Gets a list of the apps currently installed on the victim's device and downloads the injection target lists |
| logaccounts | Gets a list of the accounts on the victim's device by name and account type |
| metamask | Launches the MetaMask Wallet app |
| pincodep | Places the PIN code overlay |
| scrollup | Performs a scroll-up gesture |
| getlocation | Gets the victim's geographic coordinates (latitude and longitude) |
| stop_record_gesture | Stops the gesture recording and removes the overlay, packages the recorded data into JSON and resets it |
| mycelium | Launches the Mycelium Wallet app |
| swipePattern | Parses a list of points from JSON received from the server and converts them into integer coordinate pairs representing a swipe pattern |
| restart3 | Restarts the accessibility service |
| restart4 | Same as restart3 |
| getinstallapps | Gets a list of the apps installed on the victim's device |
| getaccounts | Gets a list of the accounts on the victim's device by name and account type |
| onpointerevent | Sets X and Y coordinates and performs an action based on the payload text. Three options: "down", "continue", and "up". These payloads appear to work together: first the starting coordinates where it should press down are set, then the coordinates to draw a line to from those starting coordinates, and finally a stroke gesture is performed using this information |
| deleteapplication | Uninstalls a specified application received from the server |
| tap | Dispatches a tap gesture at the specified coordinates |
| kill | Kills the current running process of the app |
| piuk | Launches the Blockchain Wallet app |
| push | Displays a push notification with the app name, title and text from the server |
| downloadimage | Downloads an image from the victim's device |
| makecall | Calls the number specified in the payload received from the server |
| openwhatsapp | Sends a message via WhatsApp to the specified number |
| scrolldown | Performs a scroll-down gesture |
| swipe | Performs a swipe gesture with the specified four coordinates |
| toshi | Launches the Coinbase Wallet app |
| trust | Launches the Trust Wallet app |
| width | Extracts the "width" value from the payload, converts it to an integer and saves it as "image_width" in the shared preferences |
| delete_patternp | Removes the pattern overlay |
| longpress | Dispatches a long-press gesture at the specified coordinates |
| addviewhvnc | Displays a transparent overlay on the screen with a "please wait" message |
| swiperight | Performs a swipe-right gesture |
| calling | Calls the number specified in the "number" payload, tries to lock the device and attempts to hide and mute the application |
| forwardsms | Sets up an SMS forwarder to forward received and sent SMS messages from the victim's device to the number specified in the payload |
| quality | Sets and saves the image quality settings for the VNC stream |
| getcallhistory | Gets a log of the calls the victim made |
| clickat | Clicks on a specific UI element |
| clicker | Simulates a gesture (tap or sequence of taps) on the screen with the specified points and duration |
| ransome | Shows the ransomware overlay on top of the device screen |
| settransperet | Requests the needed permissions on startup and closes itself immediately afterwards, logging the permission results. |
| getgmailmessage | Sets the "gm_mes_command" shared preference key to "start" and starts the Gmail app |
| restart | Restarts the accessibility service, like restart3 and restart4 |
| removeview | Removes the black-background view added by the "addview" command |
| getvktitles | Launches the VKontakte app |
| cuttext | Replaces the clipboard on the victim's device with the payload text |
| addcontact | Adds a new contact to the victim's device |
| delete_ransome | Removes the ransomware overlay |
| startauthenticator2 | Starts the Google Authenticator app |
| patternp | Places the pattern overlay |
| startapp | Starts the app specified in the payload |
| fpslimit | Updates the saved image quality setting |
| sendsmsall | Sends a specified SMS message to all contacts on the victim's device. If the message is too large, it is sent in multiple parts |
| getimages | Gets a list of all images on the victim's device |
| getcontacts | Gets a list of all contacts on the victim's device |
| takencard | Places the card overlay on top of the screen |
| takephoto | Takes a photo of the victim using the front-facing camera |
| swipedown | Performs a swipe-down gesture |
| swipeleft | Performs a swipe-left gesture |
| stop_hvnc | Sets the running status of HVNC to false |
| forwardcall | Sets up a call forwarder to forward all calls to the number specified in the payload |
| stop_vnc | Stops capturing the victim's screen |
| clickattext | Clicks on the UI element with a specific text value |
| delete_nfc | Removes the fake NFC overlay |
| safepal | Starts the SafePal Wallet application |
| samourai | Launches the Samourai Wallet app |
| sendsms | Sends a specified SMS message to a specified number. If the message is too large, it is sent in multiple parts |
| settext | Sets a specified UI element to the specified text |
| getphone | Sends the device manufacturer and model to the server |
| start_vnc_socket | Immediately starts the screen-streaming activity with minimal setup, skipping overlays and wake locks. It is designed for a quick, direct launch of the VNC session. |
| fmmanager | Either lists the files at a specified path (extra parameter "ls") or downloads a file from the specified path (extra parameter "dl") |
| openapp | Opens a specified app |
| openurl | Opens the specified URL |
| getsim | Gets the SIM operator and sends it to the server |
| getsms | Steals all SMS messages |
| startinject | Performs a phishing overlay attack against the given application |
| height | Sets the image height for the VNC stream based on the value received in the payload. |
| addview | Adds a new view with a black background that covers the entire screen |
| flash_set | Adjusts screen brightness to maximum if the system write permission is granted; otherwise logs and flags the permission denial. |
| killme | Stores the package name of the malicious app in the "killApplication" shared preference key, in order to uninstall it. |
| delete_card | Removes the card overlay |
| onkeyevent | Performs a certain action depending on the specified key payload (POWER DIALOG, BACK, HOME, LOCK SCREEN, or RECENTS) |
| imagesize | Sets the image size received from the server |
| unlock_pin | Remotely unlocks the device by simulating swipe, PIN entry, and confirmation taps using AccessibilityService and wake lock control |
| unlock | Unlocks the device |
| addwaitview | Displays a "wait / loading" view with a progress bar, custom background colour, text colour, and text |
| gmailtitle | Sets the "gm_list" shared preference key to "start" and starts the Gmail app |
| clearcache | Sets the "autoClickCache" shared preference key to 1 and launches the "Application Details" setting for the specified app |
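The command names in the table above are string constants in the bot's dispatch logic, which makes them a cheap family indicator when they surface in decompiler output or in the strings of a DEX. The following is an added example (not Zimperium's tooling) that takes a list of strings recovered from a sample, matches whole tokens against the command table from this page, and reports whether the v3-specific commands are present. The "v3 marker" subset is drawn only from the features this page describes as new (ransomware overlay, fake NFC, lock-screen overlays and unlock, gesture recording, card overlay); the page does not enumerate all 38 new commands, so that subset, the thresholds and the sample strings are assumptions.

```python
"""Attribute a sample to the Hook family from its command vocabulary.

Added example, not Zimperium's code. Input is any iterable of strings pulled
from a sample (decompiler constants, `strings` output); matching is on whole
tokens so that e.g. "tap" inside "tapestry" does not count.
"""
from __future__ import annotations
import re

# The command names from this page's Hook v3 table.
HOOK_COMMANDS = frozenset("""
action_recorded_gesture start_vnc startussd get_unlockpass send_sms_many swipeup
takescreenshot bitcoincom clickatcontaintext start_hvnc start_perm startadmin
delete_pincodep takenfc start_record_gesture removewaitview cookie exodus clearcash
stop_textview updateinjectandlistapps logaccounts metamask pincodep scrollup
getlocation stop_record_gesture mycelium swipePattern restart3 restart4
getinstallapps getaccounts onpointerevent deleteapplication tap kill piuk push
downloadimage makecall openwhatsapp scrolldown swipe toshi trust width
delete_patternp longpress addviewhvnc swiperight calling forwardsms quality
getcallhistory clickat clicker ransome settransperet getgmailmessage restart
removeview getvktitles cuttext addcontact delete_ransome startauthenticator2
patternp startapp fpslimit sendsmsall getimages getcontacts takencard takephoto
swipedown swipeleft stop_hvnc forwardcall stop_vnc clickattext delete_nfc safepal
samourai sendsms settext getphone start_vnc_socket fmmanager openapp openurl
getsim getsms startinject height addview flash_set killme delete_card onkeyevent
imagesize unlock_pin unlock addwaitview gmailtitle clearcache
""".split())

# Assumption: commands tied to the features the page calls new in v3. This is
# not the full list of 38 new commands, which the page does not enumerate.
V3_MARKERS = frozenset({
    "ransome", "delete_ransome", "takenfc", "delete_nfc",
    "pincodep", "delete_pincodep", "patternp", "delete_patternp", "unlock_pin",
    "start_record_gesture", "stop_record_gesture", "action_recorded_gesture",
    "takencard", "delete_card",
})

TOKEN = re.compile(r"[A-Za-z0-9_]+")


def extract_commands(strings) -> set[str]:
    """Return the known Hook commands that appear as whole tokens in the strings."""
    found = set()
    for s in strings:
        for tok in TOKEN.findall(s):
            if tok in HOOK_COMMANDS:
                found.add(tok)
    return found


def classify(strings, family_min: int = 15, v3_min: int = 3) -> dict:
    """Verdict from vocabulary overlap. Thresholds are assumptions; single words
    like "tap" or "swipe" occur in benign apps, hence the family_min floor."""
    found = extract_commands(strings)
    v3 = found & V3_MARKERS
    if len(found) >= family_min and len(v3) >= v3_min:
        verdict = "hook-v3-like"
    elif len(found) >= family_min:
        verdict = "hook-or-ermac-like"  # older Hook and Ermac share most of this vocabulary
    else:
        verdict = "insufficient"
    return {"verdict": verdict, "known": len(found), "v3_markers": sorted(v3)}


# Constructed sample: the kind of dispatch constants a decompiler would surface,
# mixed with unrelated strings. Not taken from a real sample.
SAMPLE_STRINGS = [
    "start_vnc", "stop_vnc", "start_hvnc", "stop_hvnc", "getsms", "sendsms",
    "forwardsms", "forwardcall", "getcontacts", "getaccounts", "getinstallapps",
    "startinject", "updateinjectandlistapps", "cookie", "swipe", "tap", "longpress",
    "ransome", "delete_ransome", "takenfc", "delete_nfc", "unlock_pin",
    "start_record_gesture", "stop_record_gesture",
    "ws://", "Error: ", "Accessibility service not enabled",
]

if __name__ == "__main__":
    print(classify(SAMPLE_STRINGS))
```

Treat the verdict as a triage hint to prioritise dynamic analysis, not as attribution on its own: the vocabulary is inherited from Ermac, and a sample that only matches the older commands is reported as such.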