Cybersecurity researchers have identified a new variant of the HOOK Android banking trojan that introduces ransomware-style functionality to its arsenal. Traditionally focused on stealing banking credentials through fake overlays, HOOK now has the ability to display a full-screen ransomware overlay that locks the user’s screen until a ransom is paid. The dynamically generated overlay, triggered remotely via the attacker’s command-and-control server, presents a threatening “WARNING” message alongside a cryptocurrency wallet address and demanded payment amount. Attackers can just as easily dismiss the overlay using a “delete_ransome” command, highlighting the sophistication of remote control in this latest iteration.
Believed to be an offshoot of the ERMAC trojan—whose leaked source code has fueled derivative malware families—HOOK has steadily evolved into a multi-functional threat platform. Beyond credential theft, the trojan now supports 107 remote commands, including 38 newly added ones. These capabilities include fake NFC screens to trick users into revealing card data, deceptive prompts to capture lockscreen PINs, overlays that mimic Google Pay to steal credit card details, and transparent overlays to record gestures. The malware also abuses Android’s accessibility services to take full control of infected devices, send SMS messages, stream live screens, capture photos, and steal cryptocurrency wallet recovery phrases.
The malware making a request. Source: zimperium.com.
Researchers warn that HOOK’s distribution methods are just as concerning. The trojan is spread through phishing websites and bogus GitHub repositories hosting malicious APK files, a tactic also used by other Android malware families like ERMAC and Brokewell. This distribution approach widens HOOK’s reach and increases the likelihood of unsuspecting users downloading infected apps disguised as legitimate utilities. With its growing capabilities, HOOK represents a merging of ransomware, spyware, and financial fraud tactics—making it a versatile and dangerous threat.
The findings also come alongside updates to Anatsa, another banking trojan that has expanded its targets to over 831 financial and cryptocurrency services worldwide. Like HOOK, Anatsa abuses accessibility services and overlays, further underscoring how Android malware continues to evolve rapidly, evading detection and broadening its victim pool. With more than 19 million installs of malicious apps identified across Google Play, Android’s threat landscape is becoming increasingly hostile.
The evolution of HOOK shows how mobile banking trojans are blurring the lines between ransomware, spyware, and credential theft, creating a higher level of risk for individuals and financial institutions alike. Android users should exercise extreme caution when downloading apps, avoid sideloading APKs from unverified sources, and carefully monitor permissions requested by installed apps. For organizations, stronger mobile device management, threat intelligence monitoring, and user awareness training are critical to defending against this new breed of hybrid malware.
