
Introducing New Hook: Advanced Android Banking Malware with Enhanced Capabilities and Support for 107 Remote Commands

A sophisticated new variant of the Hook Android banking trojan has emerged, showcasing unprecedented capabilities that position it among the most advanced mobile malware families observed to date. This latest version, designated Hook Version 3, marks a significant evolution in Android banking malware sophistication, introducing a comprehensive arsenal of 107 remote commands, including 38 newly added functionalities that blur the traditional boundaries between banking trojans, ransomware, and spyware. The malware’s distribution strategy has expanded beyond conventional phishing websites to include GitHub repositories, where threat actors actively leverage the platform’s legitimacy to host and disseminate malicious APK files. This approach enhances the attackers’ credibility and broadens their reach, as victims are more likely to trust applications hosted on reputable platforms. The GitHub distribution method has also been observed hosting other malware families, including Ermac and Brokewell, indicating a systematic approach to malware-as-a-service operations.

Zimperium analysts have identified several groundbreaking capabilities that distinguish this variant from its predecessors, including ransomware-style overlay attacks, fraudulent NFC interfaces, and sophisticated lock screen bypass mechanisms. The malware maintains its foundation on Android Accessibility Services abuse while introducing transparent overlays for silent user gesture capture and real-time screen streaming capabilities, providing attackers with unprecedented device control.

Hook Version 3’s most notable advancement lies in its sophisticated overlay attack system, which implements multiple deception layers to capture sensitive user data. The ransomware-style overlay functionality deploys full-screen warning messages demanding cryptocurrency payments, with wallet addresses and amounts dynamically retrieved from command-and-control servers. The embedded HTML content within the APK enables immediate deployment when the “ransome” command is received, while the “delete_ransome” command allows for remote dismissal.

The fake NFC overlay system demonstrates the malware’s evolving capabilities through the “takenfc” command, which creates deceptive Near Field Communication scanning screens using fullscreen WebView overlays. Although the current implementation lacks complete JavaScript integration for data exfiltration, its presence indicates ongoing development toward comprehensive NFC-based social engineering attacks. Perhaps most concerning is the lock screen bypass mechanism, which combines overlay techniques with programmatic device unlocking. The “unlock_pin” command sequence acquires WakeLock privileges and performs swipe-up actions to facilitate unauthorised access.
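From the defender's side, the capabilities described above (Accessibility Services abuse, overlay windows, WakeLock acquisition) all show up in an APK's manifest before any command is ever received. The script below is an added example, not code from the article or from Zimperium: it parses a decoded AndroidManifest.xml and flags the permission and component combination that overlay banking trojans depend on. The indicator list and weighting are this example's own assumptions rather than published indicators, and both manifests are constructed for the demonstration.

```python
"""Static triage of an Android manifest for the accessibility + overlay
combination that overlay banking trojans rely on.

Added example. The risky-permission mapping below is an assumption for
illustration, not a published indicator list; legitimate accessibility
tools request the same permissions, so the verdict is a triage signal
that still needs analyst review.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"

# Permissions that the behaviours described in the article depend on.
RISKY_PERMISSIONS = {
    OVERLAY_PERMISSION: "draws windows on top of other apps (overlay attacks)",
    "android.permission.WAKE_LOCK": "keeps the device awake during an unlock sequence",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload further APKs",
    "android.permission.READ_SMS": "can read one-time passcodes",
}


def _android_attr(element, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def declares_accessibility_service(root):
    """True if any <service> is protected by the accessibility bind permission."""
    return any(_android_attr(svc, "permission") == ACCESSIBILITY_BIND
               for svc in root.iter("service"))


def triage_manifest(manifest_xml):
    """Return a triage dict: package, accessibility flag, findings and verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {_android_attr(p, "name") for p in root.iter("uses-permission")}
    findings = [(perm, RISKY_PERMISSIONS[perm])
                for perm in sorted(requested) if perm in RISKY_PERMISSIONS]
    a11y = declares_accessibility_service(root)
    overlay = OVERLAY_PERMISSION in requested
    # An app that both binds an accessibility service and can draw overlays
    # has the two building blocks the article's overlay attacks need.
    if a11y and overlay:
        verdict = "suspicious"
    elif a11y or len(findings) >= 2:
        verdict = "review"
    else:
        verdict = "low"
    return {"package": root.get("package"), "accessibility_service": a11y,
            "findings": findings, "verdict": verdict}


# Constructed manifest resembling an accessibility-abusing overlay trojan.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.dropper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Update">
        <service android:name=".A11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed manifest for an ordinary networked app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""


if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(sample)
        print(result["package"], "->", result["verdict"])
        for perm, why in result["findings"]:
            print("   ", perm, ":", why)
```

The check is deliberately conservative: it only raises "suspicious" when an accessibility-bound service and the overlay permission appear together, because either one alone is common in legitimate apps. In practice this would run over manifests pulled from a decoded APK (for example after apktool) as one stage of sideloaded-app triage, not as a standalone verdict.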

Categories: Mobile Malware, Banking Trojans, Cybersecurity Threats 

Tags: Hook, Android, Banking Trojan, Malware, GitHub, Overlay Attacks, Ransomware, Accessibility Services, NFC, Device Control 
