
HOOK Android Trojan Adds Ransomware Overlay, Expands Threats

HOOK Android Trojan Evolves With Ransomware Tactics, Expands Remote Control to Target Financial Apps

  • Researchers have discovered a new version of the HOOK Android banking trojan with ransomware-like capabilities.
  • HOOK uses full-screen overlays to extort victims and gathers sensitive data using advanced techniques.
  • The malware can now execute 107 remote commands, including 38 newly added features.
  • HOOK is distributed via phishing websites and fake GitHub repositories with malicious APK files.
  • Other Android threats, such as Anatsa, Joker, and Harly, continue to evolve and target financial applications.

Cybersecurity researchers have identified a new version of the HOOK Android banking trojan, released in August 2025, which now uses ransomware-style screens to demand payments from victims. The trojan displays full-screen warning messages and provides a crypto wallet address and payment amount, both controlled remotely by the attacker.

According to experts from Zimperium, HOOK activates these overlays through commands sent from its command-and-control (C2) server, such as the “ransome” command to show the message and “delete_ransome” to remove it. Researchers reported that HOOK evolved from the ERMAC trojan after its source code became publicly available.

HOOK can show fake screens atop financial apps to steal login credentials. It also exploits Android’s accessibility services to automate device control and commit fraud. “A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment,” said Vishnu Pratapagiri of Zimperium zLabs in a recent analysis.

This new variant has expanded support to 107 remote commands—up from previous versions—including commands to capture screen gestures, show fake NFC overlays to steal card data, and collect lockscreen PINs or patterns by imitating device prompts. HOOK can also send SMS messages, stream the device screen, take photos using the front camera, and steal cookies and recovery phrases tied to cryptocurrency wallets.

HOOK and similar Android threats are distributed on a wide scale, mainly through phishing sites and fake repositories on GitHub, where victims are tricked into downloading harmful APK files. Other malware families, including ERMAC and Brokewell, use similar delivery tactics.

Additionally, Zscaler researchers highlighted ongoing advancements of the Anatsa banking trojan, which now targets over 831 financial and crypto services globally. Malicious apps on the Google Play Store—including document readers and file managers—have been found to drop Anatsa payloads using hidden code in corrupted files. Anatsa, like HOOK, abuses Android’s accessibility services to gain further control over devices.

Researchers also warned that over 77 malicious apps—spanning families like Anatsa, Joker, and Harly—were identified on Google Play, totaling over 19 million installs. Maskware, a term for legitimate-looking apps that hide harmful code, remains a concern, with Harly noted as a major Joker variant.

“Anatsa continues to evolve and improve with anti-analysis techniques to better evade detection,” said Himanshu Sharma of Zscaler in a detailed report. The malware family added over 150 new banking apps to its list of targets.
