Abstract illustration of an Android phone displaying a ransomware warning overlay with a lock icon, set against dark digital circuitry.

HOOK Android Trojan adds ransomware overlays and over 100 commands

Overview

Cyber‑security researchers at Zimperium have uncovered a dangerous new variant of the HOOK Android banking trojan that merges credential‑stealing capabilities with ransomware. The malware now supports 107 remote commands, including one that triggers a full‑screen ransomware overlay. The overlay displays an alarming warning message and a cryptocurrency wallet address drawn from the command‑and‑control (C2) server, pressuring the victim to pay a ransom.

Originally derived from the ERMAC banking malware, HOOK has evolved into a multi‑purpose mobile threat. Like other Android banking trojans, it abuses accessibility services to take over the device, steal credentials and circumvent security checks. The latest update adds 38 new commands that extend its reach into ransomware and spyware territory, blurring the lines between distinct threat families.

Technical details

The new HOOK variant can now receive remote commands such as:

  • ransome / delete_ransome – display or remove a full‑screen ransomware overlay demanding payment.
  • takenfc – spawn a fake NFC scanning screen to capture payment card data.
  • unlock_pin / takencard – present fake unlock or Google Pay dialogs to collect device unlock patterns or credit‑card details.
  • start_record_gesture – record user gestures by overlaying a transparent full‑screen window.

These capabilities complement HOOK’s existing functions, which include sending SMS messages, streaming the victim’s screen, activating the front camera, and stealing cookies or cryptocurrency recovery phrases. With the expanded command set, attackers can instruct the malware to display custom overlays, harvest sensitive data or even lock the device for extortion.
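For triage of a sideloaded APK, a defender can look for the combination of capabilities described above (an accessibility service plus overlay, SMS, camera and NFC permissions) in its decoded manifest. The script below is an added example, not Zimperium's tooling or any published detection rule; the manifest, the package name and the risk weights are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the HOOK capabilities in the write-up (overlays, SMS,
# camera, NFC). Weights are an assumption for this example, not a vendor rule.
RISK_WEIGHTS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,     # full-screen overlays
    "android.permission.SEND_SMS": 2,
    "android.permission.READ_SMS": 2,
    "android.permission.CAMERA": 1,
    "android.permission.NFC": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the risky permissions requested, whether an accessibility
    service is declared, and a score; accessibility + overlay is the key
    device-takeover pattern and is weighted hardest."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    has_accessibility = any(
        s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM
        for s in root.iter("service")
    )
    risky = sorted(p for p in requested if p in RISK_WEIGHTS)
    score = sum(RISK_WEIGHTS[p] for p in risky)
    if has_accessibility:
        score += 4
        if "android.permission.SYSTEM_ALERT_WINDOW" in requested:
            score += 3  # control of the UI plus the ability to draw over it
    return {"risky": risky, "accessibility_service": has_accessibility, "score": score}


# Constructed sample manifest (decoded form, as produced by an APK decoder).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A high score is a reason to inspect the app, not proof of malice: legitimate screen readers and automation tools also bind an accessibility service.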

Impact and distribution

Zimperium’s researchers note that the trojan’s distribution has expanded significantly. Attackers host malicious APK files on phishing websites and bogus GitHub repositories, enticing users to sideload them. HOOK’s convergence of banking‑trojan and ransomware techniques poses a growing risk to financial institutions, enterprises and individuals. Because it hijacks accessibility services and monitors the screen, victims may not notice the malware’s actions until their credentials are stolen or their phone is locked.

Recommended actions

To reduce the risk of infection:

  1. Install apps only from official stores. Avoid sideloading APKs from untrusted websites or repositories.
  2. Disable unknown sources in Android settings and restrict accessibility permissions to apps that genuinely require them.
  3. Keep devices up to date and apply the latest Android security patches.
  4. Use a reputable mobile security solution to detect and block malicious apps.
  5. Educate users about phishing websites and suspicious prompts. If an app unexpectedly asks for accessibility access or overlays sensitive information, deny the request and uninstall the app.

Conclusion

The HOOK banking trojan’s transformation into a ransomware‑capable mobile threat illustrates how quickly malware authors adapt. By combining credential theft, device control and extortion in a single tool, HOOK increases the stakes for victims and defenders alike. Staying vigilant, limiting app permissions and sticking to trusted app stores remain the most effective defences against these evolving Android threats.