New Hook Android Banking Malware With New Advanced Capabilities and Supports 107 Remote Commands


A sophisticated new variant of the Hook Android banking trojan has emerged with unprecedented capabilities that position it among the most advanced mobile malware families observed to date.

This latest version, designated Hook Version 3, represents a significant evolution in Android banking malware sophistication, introducing a comprehensive arsenal of 107 remote commands with 38 newly added functionalities that blur the traditional boundaries between banking trojans, ransomware, and spyware.

The malware’s distribution strategy has expanded beyond conventional phishing websites to include GitHub repositories, where threat actors are actively leveraging the platform’s legitimacy to host and disseminate malicious APK files.


This approach provides attackers with enhanced credibility and broader reach, as victims are more likely to trust applications hosted on reputable platforms.

The GitHub distribution method has also been observed hosting other malware families including Ermac and Brokewell, indicating a systematic approach to malware-as-a-service operations.

Zimperium analysts identified several groundbreaking capabilities that distinguish this variant from its predecessors, including ransomware-style overlay attacks, fraudulent NFC interfaces, and sophisticated lock screen bypass mechanisms.

Malware requesting accessibility service access from the victim (Source – Zimperium)

The malware maintains its foundation on Android Accessibility Services abuse while introducing transparent overlays for silent user gesture capture and real-time screen streaming capabilities that provide attackers with unprecedented device control.

Advanced Overlay Attack Mechanisms

Hook Version 3’s most notable advancement lies in its sophisticated overlay attack system, which implements multiple deception layers to capture sensitive user data.

The ransomware-style overlay functionality deploys full-screen warning messages demanding cryptocurrency payments, with wallet addresses and amounts dynamically retrieved from command-and-control servers.

Ransomware style overlay (Source – Zimperium)

The embedded HTML content within the APK enables immediate deployment when the “ransome” command is received, while the “delete_ransome” command allows remote dismissal.

The fake NFC overlay system demonstrates the malware’s evolving capabilities through the “takenfc” command, which creates deceptive Near Field Communication scanning screens using fullscreen WebView overlays.

Fake NFC overlay (Source – Zimperium)

Although the current implementation lacks complete JavaScript integration for data exfiltration, its presence indicates ongoing development toward comprehensive NFC-based social engineering attacks.

Perhaps most concerning is the lock screen bypass mechanism, which combines overlay techniques with programmatic device unlocking.

The “unlock_pin” command sequence acquires a WakeLock, performs a swipe-up gesture to reveal the lock screen, and then enters the previously captured PIN through simulated button presses, effectively circumventing Android’s primary security barrier and granting attackers complete device access for subsequent malicious activities.
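The capabilities described above (Accessibility Service abuse for gesture capture, full-screen overlays, and the WakeLock-driven unlock sequence) correspond to a recognisable combination of manifest declarations. The script below is an added triage example, not code from Zimperium or from this article: it assumes the APK manifest has already been decoded to plain XML (for example with apktool), the signal weights and the `triage` threshold are illustrative assumptions, and the two manifests embedded in it are constructed samples rather than material from any real sample.

```python
"""Manifest-level triage for the capability combination discussed above.

Added example (not from the article or Zimperium). Input is a decoded
AndroidManifest.xml; weights and threshold are illustrative assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Illustrative weights: an accessibility service plus overlay permission is
# the core of the behaviour described, the rest sharpen the picture.
RISK_SIGNALS = {
    "accessibility_service": 5,                        # BIND_ACCESSIBILITY_SERVICE service
    "android.permission.SYSTEM_ALERT_WINDOW": 3,       # draw-over-apps overlays
    "android.permission.WAKE_LOCK": 1,                 # used by the unlock sequence
    "android.permission.NFC": 1,                       # NFC-themed deception
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,  # sideloading follow-on payloads
    "android.permission.RECEIVE_SMS": 2,               # OTP interception
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def extract_signals(manifest_xml):
    """Return the set of risk signals declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    signals = set()
    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name")
        if name in RISK_SIGNALS:
            signals.add(name)
    app = root.find("application")
    if app is not None:
        for svc in app.iter("service"):
            bound = _attr(svc, "permission") == ACCESSIBILITY_PERMISSION
            actions = {_attr(a, "name") for a in svc.iter("action")}
            if bound or ACCESSIBILITY_ACTION in actions:
                signals.add("accessibility_service")
    return signals


def score(signals):
    """Sum the illustrative weights of the observed signals."""
    return sum(RISK_SIGNALS[s] for s in signals)


def triage(manifest_xml, threshold=8):
    """Score a manifest and return a verdict for analyst review."""
    signals = extract_signals(manifest_xml)
    total = score(signals)
    return {
        "score": total,
        "signals": sorted(signals),
        "verdict": "review" if total >= threshold else "low",
    }


# Constructed sample: the declaration pattern the article's capabilities imply.
SUSPECT_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="example.constructed.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.NFC"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary network-only app for comparison.
BENIGN_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(xml))
```

A genuine screen reader also declares an accessibility service, so the verdict is a triage queue hint, not a conviction; the discriminating element is the combination with overlay, WakeLock and install permissions in an app that has no plausible reason for them.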


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.