HOOK Trojan: Phase-by-Phase — from Banking Theft to Ransom Overlays
- Javier Conejo del Cerro
- 26 Aug
- 3 min read

HOOK, an Android trojan derived from ERMAC, has matured into a hybrid that mixes banking overlays, spyware, and ransomware-style extortion. Distribution relies on phishing sites and bogus GitHub repos that push trojanized APKs. After installation, HOOK abuses Accessibility and draw-over permissions to impersonate payment/unlock screens, harvests card data, wallet seed phrases, gestures, and PINs, and can stream the screen, steal cookies, use the front camera, and send SMS. The kicker: a C2 command (“ransome”) throws a full-screen extortion overlay; “delete_ransome” clears it. The latest build exposes 107 remote commands (dozens newly added), expanding automation and control.
Phase 1: Deception & Delivery
Phishing & fake repos: Victims are funneled to malicious websites and bogus GitHub repositories hosting trojanized APKs that imitate legit apps/updates (e.g., payments, utilities).
Sideloading pressure: Pages nudge users to install outside official stores, lowering defenses and bypassing store vetting.
Initial foothold: Once installed, HOOK lands on the device and primes the permission prompts for the next phase.
Phase 2: Permission Capture & Setup
Accessibility abuse: HOOK seeks Accessibility Services to read on-screen content and automate taps/gestures—a cornerstone for mobile fraud.
Draw over other apps: With overlay capability it can place full-screen UIs atop banking, wallet, and payment apps, which the user cannot distinguish from the real app's screens.
Comms & reach: Builds the channel to its C2 and (where granted) can send SMS, broadening social-engineering and control options.
Phase 3: UI Impersonation & Credential Theft
HOOK operationalizes theft through purpose-built commands and overlays:
takencard → fake Google Pay/credit-card forms to capture cardholder data.
takenfc → fake NFC scan screens to trick users into sharing sensitive payment info.
unlock_pin → fake unlock prompts to steal PINs/patterns and enable device/account takeover.
start_record_gesture + transparent overlays → capture gestures and inputs users believe they’re making inside trusted apps.
Impact: theft of banking credentials, crypto wallet recovery phrases, PINs/gestures, and other personal data, enabling fraud, account lockout, and identity abuse.
Phase 4: Surveillance & Remote Operations
Beyond overlays, HOOK extends control with a broad command set:
Screen streaming (real-time observation of activity).
Cookie theft (session hijack opportunities).
Front-camera activation (covert capture).
SMS send to specified numbers (lures, MFA interference).
With 107 remote commands (including 38 new), operators can task, pivot, and persist at scale.
Phase 5: Ransomware-Style Extortion
ransome → pushes a full-screen WARNING overlay that locks user interaction and shows a wallet address + amount fetched dynamically from C2.
delete_ransome → removes the overlay remotely.
Effect: overt coercion layered on top of covert theft—fraud + extortion on the same handset.
Phase 6: C2, Ecosystem & Spread
C2-driven overlays & tasks: Operators orchestrate data collection, overlays, and device actions centrally.
Lineage & leakage: HOOK is viewed as an offshoot of ERMAC (whose code leaked publicly), helping explain rapid feature growth.
Distribution at scale: Phishing sites and GitHub have been used not only for HOOK but also for other Android families—a pattern of broad adoption among threat actors.
Measures to fend off HOOK
For users & employees
No sideloading: Install only from official stores; disable Install unknown apps where feasible.
Permission hygiene: Be skeptical of Accessibility and Draw over other apps prompts—deny if not essential.
Mobile protection on: Keep Play Protect (or your MTD/AV) enabled and OS fully updated.
Banking OPSEC: If overlays or strange prompts appear in finance apps, kill the app, clear recent apps, and re-open via a fresh launcher tap; monitor accounts and reset credentials if suspicious.
For security teams (BYOD/COPE)
MDM/UEM enforcement: Block unknown sources, allow-list apps, and restrict Accessibility/overlay to vetted utilities.
Detect overlay abuse: Alert on non-assistive apps requesting Accessibility + SYSTEM_ALERT_WINDOW, and on full-screen views atop finance apps.
Hunt the behaviors: Look for strings/commands indicative of HOOK tasking (ransome, delete_ransome, takencard, takenfc, unlock_pin, start_record_gesture) and screen-streaming patterns.
Network controls: Filter phishing sites/malicious repos; monitor for anomalous C2 from mobile subnets.
IR playbook (mobile): On suspected HOOK—isolate the device, revoke tokens/sessions/cookies, rotate creds (bank + wallet), snapshot forensics if policy permits, and re-provision from a clean image.
User education: Regularly train on APK sideloading risks and overlay red flags in payment flows.
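The two detection items above (overlay-abuse alerting and hunting for HOOK command strings) as a small triage script. This is an added example, not code from the original post; the allow-list, package names, and the strings dump are constructed, and the accessibility setting value only mimics the shape of Android's enabled_accessibility_services secure setting.

```python
"""Added example, not code from the original post: triage logic for the two
detections described above, run over constructed sample data."""
import re

# Assumed placeholder allow-list of vetted assistive apps (package names are constructed).
ASSISTIVE_ALLOWLIST = {"com.example.screenreader"}

# HOOK tasking commands named in the post, matched as whole tokens so that
# "ransome" does not fire inside "delete_ransome".
HOOK_COMMANDS = {"ransome", "delete_ransome", "takencard", "takenfc",
                 "unlock_pin", "start_record_gesture"}
_CMD_RE = re.compile(r"\b(" + "|".join(map(re.escape, HOOK_COMMANDS)) + r")\b")

# Constructed value in the shape of Android's enabled_accessibility_services
# secure setting: colon-separated "package/service" entries.
SAMPLE_ENABLED_A11Y = ("com.example.screenreader/com.example.screenreader.Reader:"
                       "com.fakeupdate.pay/com.fakeupdate.pay.Svc")

# Constructed set of packages holding SYSTEM_ALERT_WINDOW (as an MDM inventory might report it).
SAMPLE_OVERLAY_HOLDERS = {"com.example.screenreader", "com.fakeupdate.pay", "com.example.chat"}


def parse_enabled_accessibility(setting_value):
    """Return the packages with an enabled accessibility service from the raw setting string."""
    return {entry.split("/", 1)[0] for entry in setting_value.split(":") if entry}


def overlay_abuse_candidates(enabled_a11y, overlay_holders, allowlist=ASSISTIVE_ALLOWLIST):
    """Non-assistive apps that combine Accessibility with overlay capability (the HOOK pattern)."""
    a11y_pkgs = parse_enabled_accessibility(enabled_a11y)
    return sorted((a11y_pkgs & overlay_holders) - allowlist)


def hook_command_hits(text):
    """HOOK command tokens present in extracted strings (APK strings output or a C2 capture)."""
    return {m.group(1) for m in _CMD_RE.finditer(text.lower())}


# Constructed strings dump as an APK analysis tool might emit it.
SAMPLE_STRINGS = "cmd=takencard\nstart_record_gesture\nrandom_text\ndelete_ransome\n"

if __name__ == "__main__":
    print(overlay_abuse_candidates(SAMPLE_ENABLED_A11Y, SAMPLE_OVERLAY_HOLDERS))
    print(sorted(hook_command_hits(SAMPLE_STRINGS)))
```

A single hit on either check is a triage lead, not a verdict; confirm with the IR steps listed above before revoking sessions or re-provisioning.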
