HOOK Android Trojan Expands Capabilities with Ransomware Overlays and 107 Remote Commands

📰 2 unique sources, 2 articles

Summary

A new variant of the HOOK Android banking trojan has been discovered, featuring ransomware-style overlay screens to extort victims. This variant supports 107 remote commands, including new capabilities for capturing user gestures, stealing cryptocurrency wallet information, and displaying fake NFC overlays. The trojan is distributed via phishing websites, bogus GitHub repositories, and malicious APK files, posing a significant threat to financial institutions and users. HOOK is believed to be an offshoot of the ERMAC banking trojan, whose source code was leaked publicly. The trojan can display fake overlays on financial apps to steal credentials and abuses Android accessibility services for fraud and remote control. The latest version adds commands for ransomware overlays, for capturing user gestures through transparent overlays, for stealing sensitive information such as credit card details and lockscreen PINs, and for screen-streaming sessions that give the operator real-time monitoring of the device.

Timeline

  1. 26.08.2025 12:01 📰 2 articles

    HOOK Android Trojan Adds Ransomware Overlays and 107 Remote Commands

    A new variant of the HOOK Android banking trojan has been discovered, featuring ransomware-style overlay screens and supporting 107 remote commands. This variant includes new capabilities for capturing user gestures, stealing cryptocurrency wallet information, and displaying fake NFC overlays. The trojan is distributed via phishing websites, bogus GitHub repositories, and malicious APK files, posing a significant threat to financial institutions and users. The trojan can bypass lock screens using deceptive PIN and pattern prompts, and uses transparent overlays to capture user gestures and monitor activity in real time. It can also mimic legitimate unlock-pattern or PIN-entry screens to steal credentials, and it harvests credit card information through a fake Google Pay interface.

Similar Happenings

HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344

A new ransomware strain, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware and can bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and installs a malicious EFI application on the EFI System Partition. The ransomware has two main components: a bootkit and an installer. The bootkit handles encryption and decryption processes, displaying fake CHKDSK messages to deceive victims. The ransom note demands $1,000 in Bitcoin, with a wallet receiving $183.32 between February and May 2025. HybridPetya exploits a remote code execution vulnerability in the Howyar Reloader UEFI application, allowing it to bypass Secure Boot. The variant uses a specially crafted file named 'cloak.dat' to load the bootkit binary. Microsoft revoked the vulnerable binary in January 2025. ESET's telemetry data indicates no evidence of HybridPetya being used in the wild, suggesting it may be a proof-of-concept (PoC). The ransomware incorporates characteristics from both Petya and NotPetya, including the visual style and attack chain. It drops several files into the EFI System Partition, including configuration, validation, and encryption progress tracking files. The ransom note provides a 32-character key for decryption and system restoration upon payment. Indicators of compromise for HybridPetya are available on a GitHub repository. Microsoft fixed CVE-2024-7344 with the January 2025 Patch Tuesday updates.

AI-Driven Ransomware Strain PromptLock Discovered

A new ransomware strain named PromptLock has been identified by ESET researchers. This strain leverages AI to generate malicious scripts in real-time, making it more difficult to detect and defend against. PromptLock is currently in development and has not been observed in active attacks. It can exfiltrate files, encrypt data, and is being upgraded to destroy files. The ransomware uses the gpt-oss:20b model from OpenAI via the Ollama API and is written in Go, targeting Windows, Linux, and macOS systems. The Bitcoin address associated with PromptLock appears to belong to Satoshi Nakamoto. PromptLock uses Lua scripts generated from hard-coded prompts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption. The ransomware can generate custom ransom notes based on the type of infected machine and uses the SPECK 128-bit encryption algorithm to lock files. PromptLock is assessed to be a proof-of-concept (PoC) rather than a fully operational malware deployed in the wild.

MixShell Malware Targets U.S. Supply Chain Manufacturers via Contact Forms

A sophisticated social engineering campaign dubbed ZipLine targets U.S. supply chain manufacturers with MixShell in-memory malware. Attackers initiate contact through companies' public 'Contact Us' forms, building trust over weeks before delivering malicious ZIP files. The campaign spans multiple sectors and countries, including Singapore, Japan, and Switzerland. The malware uses in-memory execution, DNS-based command-and-control (C2), and advanced evasion techniques. It exploits legitimate services like Heroku to blend with normal network activity, posing severe risks including intellectual property theft and supply chain disruptions. The threat actors use abandoned or dormant domains with legitimate business histories to bypass security filters and gain trust. The fake company websites used by attackers are cloned from a single template, featuring stock images of White House butlers as supposed founders. The malicious ZIP file contains real PDF and DOCX files related to the discussion topic, hosted on a Heroku subdomain.

Google to Mandate Developer Verification for Android Apps in Four Countries

Google will require all developers distributing apps on Android in Brazil, Indonesia, Singapore, and Thailand to verify their identity. This measure aims to prevent malicious actors from distributing harmful apps. The verification process will start in October 2025 and become mandatory by September 2026. The initiative targets apps installed on certified Android devices, including those sideloaded from third-party marketplaces. It complements existing security measures to block potentially dangerous apps. Developers already verified through the Google Play Store will not be affected. The move follows Google's previous requirement for organizational developer accounts to provide a valid D-U-N-S number. It aims to enhance user trust and security while preserving user choice.

Data breach at Auchan exposes sensitive information of hundreds of thousands of customers

French retailer Auchan experienced a cyberattack that exposed sensitive personal data of several hundred thousand customers. The compromised data includes full names, titles, postal addresses, email addresses, phone numbers, and loyalty card numbers. The breach did not affect bank data, passwords, or PIN numbers. The company has notified affected customers and the French Data Protection Authority (CNIL). Auchan has advised customers to be vigilant against potential phishing attacks using the stolen information. The incident follows similar breaches at other large French entities, but no evidence links these attacks to a coordinated campaign. This is the second data breach that Auchan has disclosed over the past year. The company sent the same notification to its customers in November 2024.