From ERMAC to Hook: Investigating the technical differences between two Android malware variants
ID: 41a173df-d785-56b7-8905-8f5d547a6a12
STIX ID: report--41a173df-d785-56b7-8905-8f5d547a6a12
Feed Name: Fox-IT blog
**Executive summary:** This technical analysis shows that the Hook Android malware is derived from ERMAC and significantly extends its capabilities — adding screen streaming and remote UI control, front-camera photo capture, session cookie theft, expanded crypto seed-stealing support, enhanced Device Admin and accessibility-service abuse, and both WebSocket and HTTP C2 channels — and includes sample SHA-256 hashes, a list of C2 IPs, command enumerations, and detection artifacts.
