The latest version of the Android banking trojan known as Hook, Hook v3, has introduced a wide-ranging array of capabilities, a significant evolution from its initial focus on banking fraud alone. Researchers have observed that Hook v3 now supports 107 remote commands, 38 of which are new in its most recent update. This expansion marks its transition into a multipurpose threat that abuses Android Accessibility Services in novel ways.
New Threat Landscape
Among the key features of Hook v3 are ransomware-style full-screen overlays that demand payment, and fake lock screens designed to capture sensitive information such as device PINs or unlock patterns. The trojan also displays counterfeit NFC scanning screens and payment-card overlays that mimic legitimate services like Google Pay, deceiving users into entering card details and other private data.
Of particular note is the use of transparent overlays that record gestures on the victim's device, giving the operators another way to intercept user interactions. Hook v3 also supports real-time screen streaming, allowing attackers to watch activity on a compromised device live, which raises the risk from a single infection well beyond credential theft.
Propagation Techniques
The threat actor behind Hook v3 distributes it through several channels, notably phishing websites that trick users into downloading malicious applications. Malicious APKs have also been hosted on platforms such as GitHub, placing them within easy reach of unsuspecting victims.
Unfinished Code and Potential
Code fragments within Hook v3 reference RabbitMQ and Telegram, but these functions appear incomplete, suggesting that the developers have further plans for these components.
Nico Chiaraviglio, Chief Scientist at Zimperium, emphasized that Hook v3 blurs the lines between different classes of malware: it now combines the characteristics of a banking trojan, spyware, and ransomware. As the trojan continues to evolve, he said, the need for effective on-device defenses becomes more urgent.