Figure: malware requesting accessibility services from the victim. Image: Zimperium’s zLabs
The zLabs research team at Zimperium has uncovered a dangerous new evolution of the Hook Android banking trojan, now enhanced with some of the most advanced capabilities seen to date. The latest variant, dubbed Hook v3, transforms the malware into a multi-functional threat that goes far beyond banking fraud, converging into spyware and even ransomware-style tactics.
Hook v3 introduces a wide array of malicious features that make it more versatile and dangerous. Among them are:
- Ransomware-style overlays that coerce victims into paying ransoms with alarming full-screen warnings.
- Fake NFC overlays designed to trick users into entering sensitive financial data.
- Lockscreen bypass techniques using deceptive PIN and pattern prompts.
- Transparent overlays to silently capture gestures.
- Stealthy screen-streaming sessions for real-time device monitoring.
Zimperium notes that “in total, the malware now supports 107 remote commands — with 38 newly added in this update.”
One of the most striking findings is the scale and creativity of Hook’s distribution. Threat actors are not only pushing it through phishing campaigns but also using GitHub repositories to host malicious APKs. The report states, “It is evident that this method of distribution is not limited to these families alone, other malware strains like Brokewell and various SMS spyware trojans are also being disseminated through the same channels.”
This approach lowers barriers for threat actors and increases the risk to enterprises and consumers, as GitHub is typically trusted by developers and organizations.
Hook continues to abuse Android Accessibility Services to automate fraud, control devices, and bypass defenses. Its new commands enable advanced overlays:
- A ransomware overlay triggered remotely by the ransom command, which displays a dynamically updated wallet address and payment demand. Attackers can dismiss it remotely with delete_ransome.
- A fake NFC overlay (takenfc) that displays a bogus NFC scanning screen through a fullscreen WebView.
- A deceptive lockscreen overlay that steals the victim’s unlock pattern or PIN. As Zimperium explains, “The unlock_pin command can programmatically unlock the device by simulating user interaction.”
- A Google Pay phishing overlay (takencard) that mimics legitimate payment screens to steal card details.
Analysis of the latest build revealed strings such as RABBITMQ_SERVER, hardcoded usernames, and passwords — suggesting threat actors may be experimenting with RabbitMQ as a resilient and scalable C2 channel. While not yet active, this could provide a stronger backbone for future operations.
The malware also shows indications of Telegram-based C2 features in development. The report highlights that “we did not see any traces of chatid or bot token which strongly suggests that the malware is still developing few more features.”
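The behaviours described above (an accessibility service declaration, overlay permissions, the named remote-command strings and the RabbitMQ configuration strings) are all visible to static triage before an APK is ever installed. The script below is an added example written for this article, not code from Zimperium or from the malware; it assumes you have already decoded the APK (for instance with apktool) so that `AndroidManifest.xml` is plain XML and the extracted strings are available as a list. The command names and `RABBITMQ_SERVER` come from the article; the `amqp://` scheme check, the credential regex and the sample manifest and strings are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators named in the article: Hook v3 command strings and the RabbitMQ
# configuration string seen in the latest build.
HOOK_COMMANDS = {"ransom", "delete_ransome", "takenfc", "unlock_pin", "takencard"}
C2_INDICATORS = {"RABBITMQ_SERVER", "amqp://", "amqps://"}  # URI schemes are an assumption

# Manifest permissions that, combined with an accessibility service, enable
# overlay fraud and sideloading. Descriptions are editorial, not from the report.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload additional APKs",
    "android.permission.READ_SMS": "can read SMS (OTP interception)",
}

# Constructed heuristic for hardcoded RabbitMQ-style credentials (USER=..., PASS=...).
CREDENTIAL_RE = re.compile(r"^(?:RABBITMQ_)?(?:USER(?:NAME)?|PASS(?:WORD)?)\s*=", re.IGNORECASE)


def manifest_findings(manifest_xml: str) -> list[str]:
    """Flag risky permissions and any BIND_ACCESSIBILITY_SERVICE service in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for up in root.iter("uses-permission"):
        name = up.get(ANDROID_NS + "name", "")
        if name in RISKY_PERMISSIONS:
            findings.append(f"permission {name}: {RISKY_PERMISSIONS[name]}")
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append(f"accessibility service declared: {svc.get(ANDROID_NS + 'name')}")
    return findings


def string_findings(strings: list[str]) -> list[str]:
    """Match extracted strings against command names, C2 indicators and credential patterns."""
    findings = []
    for s in strings:
        if s in HOOK_COMMANDS:
            findings.append(f"command name: {s}")
        elif any(ind in s for ind in C2_INDICATORS):
            findings.append(f"C2 indicator: {s}")
        elif CREDENTIAL_RE.match(s):
            # Never echo the secret itself into a triage report.
            findings.append(f"hardcoded credential: {s.split('=')[0]}=<redacted>")
    return findings


def triage(manifest_xml: str, strings: list[str]) -> dict:
    """Combine manifest and string findings into a verdict; thresholds are a constructed policy."""
    m = manifest_findings(manifest_xml)
    s = string_findings(strings)
    has_a11y = any(f.startswith("accessibility service") for f in m)
    has_overlay = any("SYSTEM_ALERT_WINDOW" in f for f in m)
    command_hits = sum(f.startswith("command name") for f in s)
    if has_a11y and has_overlay and command_hits >= 2:
        verdict = "high"
    elif has_a11y or command_hits:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "findings": m + s}


# Constructed sample input resembling a decoded manifest of an overlay trojan.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed strings as a `strings`-style dump might yield them.
SAMPLE_STRINGS = [
    "Lorem ipsum",
    "ransom", "delete_ransome", "takenfc", "unlock_pin",
    "RABBITMQ_SERVER", "RABBITMQ_USER=svc", "RABBITMQ_PASS=hunter2",
    "https://example.invalid/panel",
]

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, SAMPLE_STRINGS)
    print("verdict:", report["verdict"])
    for line in report["findings"]:
        print(" -", line)
```

The point of splitting manifest and string evidence is that neither alone is conclusive: legitimate accessibility apps declare the same service, and a single command-like string is noise, but an accessibility service plus overlay permission plus several of the named command strings is the combination the article describes, so the verdict only reaches "high" when all three are present.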