Zimperium’s zLabs research team has uncovered a significant new evolution of the Hook Android banking trojan, demonstrating how rapidly mobile malware is blending banking fraud, spyware, and ransomware tactics.
The latest version, dubbed Hook v3, now supports 107 remote commands — with 38 new additions that significantly elevate its capabilities.
The most alarming enhancement comes in the form of ransomware-style overlays, where Hook can display full-screen extortion messages with dynamic cryptocurrency payment details pulled directly from its C2 (command-and-control) infrastructure.
Attackers can remotely trigger or dismiss these overlays using specific commands such as ransom and delete_ransom.
Another notable feature is the fake NFC overlay (takenfc), where victims see a counterfeit NFC scanning screen that could eventually harvest sensitive payment data.
Hook also introduces an aggressive lockscreen bypass mechanism. By mimicking the PIN or pattern unlock interface, the malware tricks victims into entering their credentials, which it then captures. The unlock_pin command allows Hook to input stolen PINs, bypassing device security protections automatically.
Further, the malware employs transparent overlays to record gestures in real time and phishing overlays that convincingly mimic Google Pay to steal card information (takencard command).
Researchers noted that Hook v3 is being distributed at scale, not only via phishing websites but also through GitHub repositories maintained by threat actors.
Zimperium observed not just Hook, but also related malware families such as Ermac, Brokewell, and SMS spyware trojans hosted on the platform. This marks a growing trend where GitHub is abused as an initial distribution vector, raising challenges for defenders.
Beyond overlays, Hook’s command structure is becoming more complex and resilient. During static analysis, zLabs discovered references to RabbitMQ message brokers, hinting at a future shift toward more scalable and reliable C2 operations.
While not yet active, hardcoded usernames and passwords were found in the APK, suggesting attackers are preparing a move away from simple HTTP or WebSocket channels.
Additionally, researchers detected experimental use of Telegram for command-and-control messaging, though no bot tokens or chat IDs were implemented. This indicates Hook’s operators are actively developing modular C2 options to diversify communication and evade takedowns.
Hook’s rapid transformation from a conventional banking trojan into a hybrid toolkit with spyware, ransomware, and fraud automation features highlights the blurring lines between mobile cybercrime categories.
With its ever-expanding command set, stealthy screen-streaming features, and broad distribution techniques, Hook is becoming a significant risk to financial institutions, enterprises, and end-users.
Zimperium reports its Mobile Threat Defense (MTD) solutions detect Hook v3 on-device, even when sideloaded. Meanwhile, industry collaboration has led to takedowns of several malicious repositories but given the speed of Hook’s evolution, defenders must remain vigilant.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
