Cybersecurity researchers have discovered a new variant of an Android banking trojan called HOOK that features ransomware-style overlay screens to display extortion messages.
“A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment,” Zimperium zLabs researcher Vishnu Pratapagiri said. “This overlay presents an alarming ‘*WARNING*’ message, alongside a wallet address and amount, both of which are dynamically retrieved from the command-and-control server.”
The mobile security company said the overlay is remotely initiated when the command “ransome” is issued by the C2 server. The overlay can be dismissed by the attacker by sending the “delete_ransome” command.
HOOK is assessed to be an offshoot of the ERMAC banking trojan, which, coincidentally, had its source code leaked on a publicly accessible directory over the internet.
Like other banking malware targeting Android, it’s capable of displaying a fake overlay screen on top of financial apps to steal users’ credentials and abuse Android accessibility services to automate fraud and commandeer devices remotely.
Other notable features include the ability to send SMS messages to specified phone numbers, stream the victim’s screen, capture photos using the front-facing camera, and steal cookies and recovery phrases associated with cryptocurrency wallets.
The latest version, per Zimperium, signals a major step forward, supporting 107 remote commands, with 38 newly added ones. This includes serving transparent overlays to capture user gestures, fake NFC overlays to trick victims into sharing sensitive data, and deceptive prompts to gather lockscreen PIN or pattern.
The list of newly added commands is as follows –
- takenfc, to display a fake NFC scanning screen using a fullscreen WebView overlay and read card data
- unlock_pin, to display a fake device unlock screen to collect unlock pattern or PIN code and gain unauthorized access to the device
- takencard, to display a fake overlay to collect credit card information by mimicking a Google Pay interface
- start_record_gesture, to record user gestures by displaying a transparent full screen overlay
HOOK is believed to be distributed on a large scale, using phishing websites and bogus GitHub repositories to host and disseminate malicious APK files. Some of the other Android malware families distributed via GitHub include ERMAC and Brokewell, indicating a broader adoption among threat actors.
“The evolution of HOOK illustrates how banking trojans are rapidly converging with spyware and ransomware tactics, blurring threat categories,” Zimperium noted. “With continuous feature expansion and broad distribution, these families pose a growing risk to financial institutions, enterprises, and end users alike.”
Anatsa Continues to Evolve
The disclosure comes as Zscaler’s ThreatLabs detailed an updated version of the Anatsa banking trojan that has now expanded its focus to target over 831 banking and cryptocurrency services worldwide, including those in Germany and South Korea, up from 650 reported previously.
One of the apps in question has been found to mimic a file manager app (package name: “com.synexa.fileops.fileedge_organizerviewer”), which acts as a dropper to deliver Anatsa. Besides replacing dynamic code loading of remote Dalvik Executable (DEX) payloads with direct installation of the trojan, the malware uses corrupted archives to hide the DEX payload that’s deployed during runtime.
Anatsa also requests permissions for Android’s accessibility services, which it subsequently abuses to grant itself additional permissions that allow it to send and receive SMS messages, as well as draw content on top of other applications to display overlay windows.
In all, the company said it identified 77 malicious apps from various adware, maskware, and malware families, such as Anatsa, Joker, and Harly, in the Google Play Store, accounting for over 19 million installations. Maskware refers to a category of apps that present themselves as legitimate applications or games to app stores but incorporate obfuscation, dynamic code loading, or cloaking techniques to conceal malicious content.
Harly is a variant of Joker that was first flagged by Kaspersky in 2022. Earlier this March, Human Security said it uncovered 95 malicious applications containing Harly that were hosted in the Google Play Store.
“Anatsa continues to evolve and improve with anti-analysis techniques to better evade detection,” security researcher Himanshu Sharma said. “The malware has also added support for more than 150 new financial applications to target.”
