A new version of the Hook Android banking Trojan has surfaced, showcasing one of the most extensive feature sets ever recorded for mobile malware.
Researchers at Zimperium’s zLabs identified the variant, which now supports 107 remote commands – of which 38 are newly introduced.
The upgraded malware goes beyond financial theft, adopting ransomware-style methods and advanced surveillance tools.
Among its latest functions are:
-
Ransomware overlays that coerce users into making payments
-
Fake NFC scanning prompts designed to steal sensitive data
-
Lock screen bypass using deceptive PIN and pattern screens
-
Transparent overlays for capturing gestures
-
Real-time screen-streaming for full monitoring
“The campaign is operating on a truly global scale,” warned Frankie Sclafani, director of cybersecurity enablement at Deepwatch.
“The detection count has more than doubled in just two weeks, reflecting a rapid and aggressive growth pattern.”
Read more on Android malware threats: Android Malware Targets Banking Users Through Discord Channels
Unlike previous campaigns that relied mainly on phishing sites, Hook’s operators are now spreading malicious APK files through GitHub repositories.
Zimperium reported that other malware families, including Ermac, Brokewell and various SMS spyware strains, are also being distributed this way.
“This phishing campaign is tricky because it personalizes fake websites with the victim’s own email and company logo, making the scam look real,” explained J Stephen Kowski, field CTO at SlashNext.
“The malicious files delivered are not just for stealing passwords but for installing powerful remote access tools that give attackers long-term control.”
Zimperium confirmed Hook also continues to exploit Android Accessibility Services for automated fraud and device control.
As mentioned above, its most alarming new feature is a ransomware overlay that displays a payment demand with a cryptocurrency wallet address controlled by attackers. Fake credit card forms, mimicking services like Google Pay, are also used to harvest payment information.
Code references found in the Trojan suggest its developers may add RabbitMQ for more resilient command-and-control (C2) communications. There are also traces of Telegram-based functionality under development, though these features remain incomplete.
Zimperium stated that it has collaborated with industry partners to remove at least one GitHub repository associated with distribution of the malware.
The rapid evolution of Hook underscores how traditional banking Trojans are adopting spyware and ransomware tactics.
As Sclafani concluded, “this is a complete attack process designed to secretly install a persistent malicious payload inside your network,” making it a growing concern for enterprises and individuals alike.
2 Comments
This is such a valuable article! ???? I really like how you’ve managed to explain the topic in a clear and practical way—it feels authentic and easy to relate to. Reading it gave me some new perspectives that I can actually apply. I’m especially interested in content like this because at meinestadtkleinanzeigen.de we’re running a classifieds and directory platform in Germany that connects people with services, businesses, and opportunities across many categories. Insights like yours remind me how powerful it is when knowledge and connections come together. Thanks for sharing—looking forward to more of your work! ????
Fantastic read! ???? I really appreciate how clearly you explained the topic—your writing not only shows expertise but also makes the subject approachable for a wide audience. It’s rare to come across content that feels both insightful and practical at the same time. At explodingbrands.de we run a growing directory site in Germany that features businesses from many different categories. That’s why I truly value articles like yours, because they highlight how knowledge and visibility can create stronger connections between people, services, and opportunities.Keep up the great work—I’ll definitely be checking back for more of your insights! ????