New Android Trojan Variant Expands with Ransomware Tactics

February 9, 2026

A new version of the Hook Android banking Trojan has surfaced, showcasing one of the most extensive feature sets ever recorded for mobile malware.

Researchers at Zimperium’s zLabs identified the variant, which now supports 107 remote commands – of which 38 are newly introduced.

The upgraded malware goes beyond financial theft, adopting ransomware-style methods and advanced surveillance tools.

Among its latest functions are:

  • Ransomware overlays that coerce users into making payments

  • Fake NFC scanning prompts designed to steal sensitive data

  • Lock screen bypass using deceptive PIN and pattern screens

  • Transparent overlays for capturing gestures

  • Real-time screen-streaming for full monitoring

“The campaign is operating on a truly global scale,” warned Frankie Sclafani, director of cybersecurity enablement at Deepwatch.

“The detection count has more than doubled in just two weeks, reflecting a rapid and aggressive growth pattern.”

Unlike previous campaigns that relied mainly on phishing sites, Hook’s operators are now spreading malicious APK files through GitHub repositories.

Zimperium reported that other malware families, including Ermac, Brokewell and various SMS spyware strains, are also being distributed this way.

“This phishing campaign is tricky because it personalizes fake websites with the victim’s own email and company logo, making the scam look real,” explained J Stephen Kowski, field CTO at SlashNext.

“The malicious files delivered are not just for stealing passwords but for installing powerful remote access tools that give attackers long-term control.”

Zimperium confirmed Hook also continues to exploit Android Accessibility Services for automated fraud and device control.
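One way a defender can triage a device for the pattern described here (an app installed from outside the store that holds an enabled Accessibility service, optionally with overlay permission). This is an added example, not code from Zimperium or the original article; the sample `adb` output is constructed, the package names are hypothetical, and treating Google Play as the only trusted installer is an assumption.

```python
# Added example: correlate adb output to flag untrusted-source apps with Accessibility access.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play is the only approved store

# Constructed sample output (not from a real device) of:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.updater/com.example.updater.core.HelperService"
)
#   adb shell pm list packages -i
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.updater  installer=null
package:com.example.notes  installer=com.google.android.packageinstaller
"""
#   adb shell appops query-op SYSTEM_ALERT_WINDOW allow
SAMPLE_OVERLAY = "com.example.updater\ncom.example.notes\n"


def parse_a11y(raw):
    """Map package -> list of its enabled accessibility service components."""
    services = {}
    for comp in raw.strip().split(":"):
        if "/" in comp:  # skips "null" or an empty value when nothing is enabled
            services.setdefault(comp.split("/", 1)[0], []).append(comp)
    return services


def parse_installers(raw):
    """Map package -> installer package name (None when unknown or sideloaded)."""
    installers = {}
    for line in raw.splitlines():
        fields = line[len("package:"):].split() if line.startswith("package:") else []
        if not fields:
            continue
        inst = next((f.split("=", 1)[1] for f in fields[1:]
                     if f.startswith("installer=")), None)
        installers[fields[0]] = None if inst in (None, "null") else inst
    return installers


def triage(a11y_raw, packages_raw, overlay_raw):
    """Return one finding per Accessibility-enabled app not installed by a trusted store."""
    installers = parse_installers(packages_raw)
    overlay = set(overlay_raw.split())
    return [
        {"package": pkg, "services": comps,
         "installer": installers.get(pkg), "overlay": pkg in overlay}
        for pkg, comps in sorted(parse_a11y(a11y_raw).items())
        if installers.get(pkg) not in TRUSTED_INSTALLERS
    ]
```

A finding is a lead for review rather than a verdict: legitimate sideloaded accessibility tools will also appear, so compare the flagged package against what the device owner knowingly installed.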

As mentioned above, its most alarming new feature is a ransomware overlay that displays a payment demand with a cryptocurrency wallet address controlled by attackers. Fake credit card forms, mimicking services like Google Pay, are also used to harvest payment information.

Code references found in the Trojan suggest its developers may add RabbitMQ for more resilient command-and-control (C2) communications. There are also traces of Telegram-based functionality under development, though these features remain incomplete.

Zimperium stated that it has collaborated with industry partners to remove at least one GitHub repository associated with distribution of the malware.

The rapid evolution of Hook underscores how traditional banking Trojans are adopting spyware and ransomware tactics.

As Sclafani concluded, “this is a complete attack process designed to secretly install a persistent malicious payload inside your network,” making it a growing concern for enterprises and individuals alike.
