Hook

Hook is the most feature-complete family in the Cerberus lineage, combining the banking trojan foundations of Ermac with VNC-like screen streaming, a full RAT, file system access, and ATS (Automated Transfer System) capabilities. Announced in January 2023 by the same "DukeEugene" threat actor behind Ermac, Hook represents the current state of the art for Cerberus-derived Android malware. After DukeEugene's departure and the source code sale in mid-2023, Hook proliferated rapidly, with over 200 new C2 servers detected in the final months of 2023 alone.

Overview

Attribute | Details
First Seen | January 2023
Status | Active, widely deployed post-leak
Type | Banking trojan + RAT (MaaS)
Attribution | "DukeEugene" (original); multiple operators post-leak
Aliases | HookBot
Source | Built on the Ermac codebase; source code sold May 2023 for $70,000, fully leaked October 2023
Rental Price | $7,000/month (pre-leak)

Origin and Lineage

DukeEugene advertised Hook on January 12, 2023, claiming it was written from scratch. ThreatFabric's analysis immediately disputed this, identifying Hook as an Ermac fork with added functionality. NCC Group's September 2023 comparison confirmed it definitively: all 30 commands available in Ermac exist in Hook with near-identical implementations, and Hook adds 38 new commands on top of the Ermac base.

The lineage is direct and well-documented:

Cerberus (2019-2020)
  └── Source leaked September 2020
        └── Ermac (2021-2022), DukeEugene
              └── Hook (2023-present), DukeEugene

DukeEugene offered Hook at $7,000/month, positioning it as the premium successor to Ermac's $5,000/month rental. On April 19, 2023, DukeEugene announced he was leaving for military service and closing the project; two days earlier he had posted the source code for sale at $70,000. By May 11, 2023, the source was reportedly sold. The full source code leaked publicly by October 2023, triggering an explosion in HookBot deployments across the threat landscape.

Distribution

Hook reaches devices through the same channels established by its predecessors, with expanded use of Google Play droppers.

Vector | Details
Google Play droppers | Benign-looking apps that pass Google Play's submission review and Play Protect scanning, then fetch the Hook payload after a delay period
Phishing sites | Fake app download pages mimicking banking, delivery, and browser update sites
Smishing | SMS campaigns directing victims to the phishing domains
Telegram channels | Distribution through Telegram groups and channels
Third-party stores | APKs hosted on unofficial Android app markets

Post-leak distribution expanded significantly. With the builder panel and C2 code freely available, setting up a Hook operation became trivial: Silent Push documented that the leaked source allows operators to deploy a fully functional C2 server and generate disguised Hook APKs within minutes.

Capabilities

Hook's capability set is a superset of Ermac's, with the additions focused on device takeover and on-device fraud.

Inherited from Ermac (All 30 Commands)

Capability | Implementation
Overlay attacks | WebView-based injects for 468+ banking and crypto apps
SMS interception | Read, send, and redirect SMS for OTP theft
Contact harvesting | Exfiltrate device contacts
Keylogging | Accessibility-based keystroke capture
App listing | Enumerate installed packages
Account theft | Steal accounts via AccountManager
Push notifications | Lure users into opening target apps
App cache clearing | Force re-authentication to capture fresh credentials
Open URL | Launch arbitrary URLs

New in Hook (38 Additional Commands)

Capability | Implementation
VNC/screen streaming | Real-time screen content streamed to the operator via WebSocket
UI interaction | Operator can tap, swipe, type, and navigate the device remotely
Full Device Take Over (DTO) | Complete fraud chain from PII exfiltration through transaction execution without additional channels
File manager | Browse, download, and upload files on the device file system
WhatsApp extraction | Exfiltrate all WhatsApp messages from the victim device
Front camera capture | Silently take a photo using the front-facing camera
Google cookie theft | Steal cookies from Google login sessions
Crypto seed phrase theft | Expanded support for extracting recovery seeds from cryptocurrency wallets
ATS framework | Automated Transfer System for executing fraudulent transactions without operator intervention
Phone location tracking | Real-time GPS tracking of the infected device
Gesture simulation | Perform swipe gestures (swipe up, scroll to a specific element) for navigating banking apps programmatically

The VNC-like capability is Hook's defining feature. By streaming the screen and allowing real-time interaction, operators can perform full Device Take Over: logging into banking apps, initiating transfers, handling 2FA challenges, and completing transactions, all from the C2 panel. This places Hook alongside Octo and Hydra as families capable of complete on-device fraud.

Technical Details

Communication Protocol

The most significant architectural change from Ermac is Hook's communication layer. NCC Group's analysis documents the shift:

Aspect | Ermac | Hook
Protocol | HTTP | WebSocket (Socket.IO) for commands, plus HTTP
Encryption | AES-256-CBC + Base64 | AES-256-CBC + Base64 (same scheme)
C2 endpoints | Requests to random URLs ending in .php/ | Persistent Socket.IO connection for real-time commands; HTTP endpoints for data exfiltration
Real-time capability | Polling-based | Persistent bidirectional channel

Hook uses Socket.IO for WebSocket communication, enabling the persistent bidirectional connection required for VNC streaming and real-time UI interaction. The encryption mechanism remains the same as Ermac: data is encrypted with AES-256-CBC and then Base64 encoded. HTTP is still used alongside WebSocket for bulk data exfiltration (contacts, SMS, files).
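The envelope and framing described above, as an added example that is not code from this page, from NCC Group's analysis, or from Hook itself: a small Go decoder that parses a Socket.IO event frame, pulls out the Base64 blob, and decrypts it as AES-256-CBC with PKCS#7 padding. The key, IV, event name, and the choice to carry the blob as a bare JSON string are constructed assumptions for the example; how a real sample derives its IV and wraps its payload has to be taken from that sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding")
	}
	return b[:len(b)-n], nil
}

// Encrypt builds the envelope the page describes: AES-256-CBC (PKCS#7), then Base64.
// How a sample derives its IV is not stated on the page, so the IV is a parameter here.
func Encrypt(key, iv, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 || len(iv) != aes.BlockSize {
		return "", errors.New("need a 32-byte key and a 16-byte IV")
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decrypt reverses Encrypt: the direction an analyst needs for a captured blob.
func Decrypt(key, iv []byte, envelope string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(strings.TrimSpace(envelope))
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 || len(iv) != aes.BlockSize {
		return nil, errors.New("need a 32-byte key and a 16-byte IV")
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

// DecodeSocketIOEvent parses a Socket.IO event frame such as 42["ev",{...}] or
// 42/ns,7["ev",{...}]: Engine.IO type 4 (message), Socket.IO type 2 (event),
// optional namespace and ack id, then a JSON array of [name, payload].
func DecodeSocketIOEvent(frame string) (string, json.RawMessage, error) {
	if !strings.HasPrefix(frame, "42") {
		return "", nil, errors.New("not a Socket.IO event frame")
	}
	rest := frame[2:]
	if strings.HasPrefix(rest, "/") { // namespace ends at the first comma
		i := strings.Index(rest, ",")
		if i < 0 {
			return "", nil, errors.New("unterminated namespace")
		}
		rest = rest[i+1:]
	}
	rest = strings.TrimLeft(rest, "0123456789") // optional ack id
	var parts []json.RawMessage
	var name string
	if err := json.Unmarshal([]byte(rest), &parts); err != nil {
		return "", nil, err
	}
	if len(parts) < 2 || json.Unmarshal(parts[0], &name) != nil {
		return "", nil, errors.New("malformed event frame")
	}
	return name, parts[1], nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed, not a real Hook key
	iv := []byte("fedcba9876543210")                 // constructed IV
	env, _ := Encrypt(key, iv, []byte(`{"command":"screenStream"}`))
	quoted, _ := json.Marshal(env) // assumption: the blob travels as a bare JSON string
	name, payload, _ := DecodeSocketIOEvent(`42["bot_cmd",` + string(quoted) + `]`)
	var blob string
	_ = json.Unmarshal(payload, &blob)
	pt, err := Decrypt(key, iv, blob)
	fmt.Println(name, string(pt), err)
}
```

With a captured WebSocket frame and a key recovered from the sample, the same two calls (DecodeSocketIOEvent, then Decrypt) turn the traffic into readable command JSON; the unpad check is what tells you the key or IV is wrong rather than silently returning garbage.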

VNC Implementation

Hook's VNC-like feature works through the Android Accessibility Service:

  1. The accessibility service reads the current window content (the accessibility node tree) and transmits it to the C2 over WebSocket
  2. The operator views the live screen in the C2 admin panel
  3. Operator commands (taps, swipes, text input) are sent back over WebSocket
  4. The accessibility service translates these into AccessibilityNodeInfo actions and dispatchGesture calls on the device
  5. The loop repeats fast enough for interactive operation

This approach does not require screen recording permissions or MediaProjection: the accessibility service has inherent access to the UI tree and can both read content and perform actions. The trade-off is that the operator sees what the accessibility tree exposes rather than a pixel-accurate capture, so custom-drawn views without accessibility nodes may not be rendered faithfully. For analysts, the capabilities declared in the service's accessibility config (canRetrieveWindowContent for reading, canPerformGestures for dispatchGesture) are the static indicators that this feature is present.

ATS (Automated Transfer System)

Hook's ATS capability automates the fraud chain that would otherwise require manual operator intervention via VNC:

  1. Extract credentials from overlay capture
  2. Open the real banking app via accessibility
  3. Navigate to the transfer screen using programmatic gestures
  4. Fill in transfer details (recipient, amount) from C2 configuration
  5. Handle 2FA challenges by intercepting SMS OTPs or reading authenticator codes through the accessibility service
  6. Confirm the transaction

ATS reduces operator workload and increases fraud throughput by executing transfers without human involvement during the transaction itself.

Bot Commands (Selected New Commands)

Command | Action
screenStream | Begin VNC screen streaming over WebSocket
screenClick | Perform a tap at the specified coordinates
screenSwipe | Perform a swipe gesture
screenType | Input text into the focused field
fileManager | List directory contents on the device
fileDownload | Download a file from the device to the C2
fileUpload | Upload a file from the C2 to the device
getWhatsApp | Extract the WhatsApp message database
takePhoto | Capture a photo via the front camera
getCookies | Steal browser/Google session cookies
getSeedPhrase | Extract cryptocurrency wallet recovery seeds
getLocation | Return device GPS coordinates

Obfuscation and Anti-Analysis

Hook inherits Ermac's obfuscation baseline; the techniques in play, inherited and added, are:

Technique | Details
Blowfish string encryption | Inherited from Ermac
AES-256-CBC C2 encryption | Inherited from Ermac
Class/method renaming | Standard obfuscation
Dynamic C2 resolution | Encrypted C2 addresses decrypted at runtime
Multi-stage dropper | Play Store apps delay payload delivery to pass scanning

Permissions

Permission | Purpose
BIND_ACCESSIBILITY_SERVICE | Core dependency for overlay triggering, VNC screen streaming, keylogging, ATS, and remote device control
SYSTEM_ALERT_WINDOW | Display overlay injections over banking and crypto apps
READ_SMS | Read SMS for OTP interception
RECEIVE_SMS | Intercept incoming SMS in real time
SEND_SMS | Send SMS from the victim device
READ_CONTACTS | Exfiltrate the contact list
READ_PHONE_STATE | Device fingerprinting
CAMERA | Front camera photo capture
ACCESS_FINE_LOCATION | GPS tracking of the infected device
INTERNET | C2 communication via WebSocket and HTTP
RECEIVE_BOOT_COMPLETED | Persistence across reboots
REQUEST_INSTALL_PACKAGES | Dropper installs the main payload
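An added example, not from this page or from any analysis it cites, that turns the permission table and the accessibility dependency noted under VNC and ATS into a static triage check in Go: given an apktool-decoded AndroidManifest.xml and the accessibility service's res/xml config, it lists which Hook-style capabilities the declarations make possible. The sample manifests, package names and service name are constructed; substitute the files from a real sample.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// The subset of a decoded AndroidManifest.xml (apktool output) the triage needs.
type manifest struct {
	Permissions []struct {
		Name string `xml:"name,attr"`
	} `xml:"uses-permission"`
	Application struct {
		Services []struct {
			Name       string `xml:"name,attr"`
			Permission string `xml:"permission,attr"`
		} `xml:"service"`
	} `xml:"application"`
}

// The subset of the service's res/xml accessibility config the triage needs.
type a11yConfig struct {
	CanRetrieveWindowContent string `xml:"canRetrieveWindowContent,attr"`
	CanPerformGestures       string `xml:"canPerformGestures,attr"`
}

// Constructed inputs for this example; they are not taken from a real sample.
const SampleHookLikeManifest = `<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".ControlService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE" android:exported="true"/>
  </application>
</manifest>`

const SampleA11yConfig = `<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
  android:accessibilityEventTypes="typeAllMask" android:canRetrieveWindowContent="true" android:canPerformGestures="true"/>`

const SampleBenignManifest = `<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>`

// Triage maps declared permissions and accessibility capabilities onto the Hook
// capabilities they enable. It reports what is possible, not proof of malice.
func Triage(manifestXML, a11yXML string) ([]string, error) {
	var m manifest
	if err := xml.Unmarshal([]byte(manifestXML), &m); err != nil {
		return nil, fmt.Errorf("manifest: %w", err)
	}
	perms := map[string]bool{}
	for _, p := range m.Permissions {
		perms[strings.TrimPrefix(p.Name, "android.permission.")] = true
	}
	var f []string
	a11y := false
	for _, s := range m.Application.Services {
		if s.Permission == "android.permission.BIND_ACCESSIBILITY_SERVICE" {
			a11y = true
			f = append(f, "accessibility service declared: "+s.Name)
		}
	}
	if a11y && a11yXML != "" {
		var c a11yConfig
		if err := xml.Unmarshal([]byte(a11yXML), &c); err != nil {
			return nil, fmt.Errorf("accessibility config: %w", err)
		}
		if c.CanRetrieveWindowContent == "true" {
			f = append(f, "canRetrieveWindowContent: UI tree readable (keylogging, screen reconstruction for VNC)")
		}
		if c.CanPerformGestures == "true" {
			f = append(f, "canPerformGestures: dispatchGesture available (remote taps and swipes, ATS navigation)")
		}
	}
	if a11y && perms["SYSTEM_ALERT_WINDOW"] {
		f = append(f, "overlay injects: SYSTEM_ALERT_WINDOW with accessibility to spot the foreground app")
	}
	if perms["READ_SMS"] || perms["RECEIVE_SMS"] {
		f = append(f, "OTP interception: READ_SMS/RECEIVE_SMS")
	}
	if perms["REQUEST_INSTALL_PACKAGES"] {
		f = append(f, "dropper behaviour: REQUEST_INSTALL_PACKAGES")
	}
	for _, p := range []string{"READ_CONTACTS", "CAMERA", "ACCESS_FINE_LOCATION"} {
		if perms[p] {
			f = append(f, "RAT data source: "+p)
		}
	}
	return f, nil
}

func main() {
	f, _ := Triage(SampleHookLikeManifest, SampleA11yConfig)
	fmt.Println(strings.Join(f, "\n"))
}
```

The accessibility-dependent findings are gated on a declared BIND_ACCESSIBILITY_SERVICE service because overlays, screen reconstruction and gesture injection all hang off it; legitimate accessibility tools and SMS apps will also trip individual rules, so treat the output as a prioritisation aid for manual review, not a verdict.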

Target Regions and Financial Institutions

Hook targets the broadest set of financial applications in the Cerberus lineage. ThreatFabric reported 468 banking app targets across multiple continents:

Region | Countries / targets
North America | United States, Canada
Western Europe | Spain, UK, France, Italy, Portugal
Eastern Europe | Poland, Turkey
Asia-Pacific | Australia
Cryptocurrency (global) | MetaMask, Trust Wallet, Coinbase, Binance, Crypto.com, Blockchain.com

The US, Spain, and Australia have the highest concentration of targeted financial apps. Post-leak, individual operators have expanded the target list with custom injects for regional institutions.

Notable Campaigns

January 12, 2023: DukeEugene announced Hook on underground forums, advertising it at $7,000/month. ThreatFabric published their analysis identifying Hook as an Ermac fork with RAT capabilities, disputing the developer's claim of a from-scratch build. The Hacker News covered the discovery.

April 19, 2023: DukeEugene announced project closure, citing military service. The source code was posted for sale at $70,000.

May 11, 2023: Source code reportedly sold. The coder requested the sale thread be closed.

September 2023: NCC Group published a detailed technical comparison of Ermac and Hook, confirming shared codebase and documenting all 38 new commands. The Hacker News reported on the expanded analysis.

October 2023: The full Hook source code, including the builder panel, leaked publicly. This triggered a proliferation of HookBot C2 infrastructure.

Late 2023: Silent Push identified over 200 new HookBot C2 servers deployed in the months following the leak. Their investigation uncovered 24 active DukeEugene-linked control panels administering Ermac, Hook, and related variants. Hook was the most prolific Android banking malware family of 2023, targeting 468 banking applications.

2024-present: Hook derivatives continue to emerge. With both the Ermac and Hook source codes publicly available, new operators build on either codebase, blurring the boundary between the two families. The combination of VNC, RAT, ATS, and traditional overlay attacks in a single freely available package makes Hook the most accessible full-featured Android banking trojan ever leaked.

August 2025, Hook v3: Zimperium zLabs identified Hook v3 with 107 remote commands (38 new beyond Hook v1/v2). New capabilities include ransomware-style lockscreen overlays, fake NFC/payment card overlays for card data collection, lockscreen bypass via deceptive PIN prompts, transparent overlays for silent gesture capture, and real-time device streaming. The v3 variant was distributed via GitHub-hosted malicious APKs. Unused RabbitMQ infrastructure in the code suggests a future C2 channel evolution. Hook v3 represents a convergence of banking trojan and ransomware capabilities in a single package.
