Hook v3: The Banking Trojan That’s Evolving into a Hybrid Ransomware-Spyware Threat
The Android mobile ecosystem has been struck by a new wave of threats driven by the evolution of the HOOK banking trojan. The latest iteration of this malicious program has gained an expanded arsenal of capabilities, transforming it into a hybrid that merges the functions of spyware, ransomware, and remote device control.
Originally developed as a derivative of the ERMAC trojan—whose source code had previously leaked into the public domain—HOOK was initially designed to steal credentials from banking applications by overlaying fake login screens to intercept passwords and card details. The updated build, however, has significantly broadened its functionality.
The trojan now supports 107 remote commands, including 38 newly introduced ones, elevating it to a far more dangerous threat. Among its most striking features is the ability to display full-screen “encrypted” overlays, warning victims that their device has been locked and demanding a ransom. Payment details and cryptocurrency wallet addresses are dynamically retrieved from the command-and-control server, while the overlay itself is controlled remotely.
New functionalities include generating counterfeit screens to capture PIN codes or unlock patterns, imitating the Google Pay interface to harvest card credentials, deploying transparent overlays to record gestures, and even presenting fake NFC scanning windows to steal contactless card data.
Additionally, the trojan can stream the victim’s screen, capture images via the front-facing camera, intercept SMS messages, steal cookies, and extract recovery phrases for cryptocurrency wallets. Infections most often occur through phishing websites and fraudulent GitHub repositories hosting malicious APK files disguised as legitimate apps.
According to Zimperium, the widespread deployment of HOOK reflects a broader trend in which banking trojans increasingly blend the functions of spyware and ransomware, blurring the boundaries between threat categories. This strategy enables attackers not only to seize control of devices and steal money and personal data but also to lock users out of their smartphones, coercing them into paying a ransom.
Meanwhile, Zscaler reports rapid development of the Anatsa banking trojan, whose target list has expanded to 831 applications, including both banks and cryptocurrency services. Its distribution relies on fake file manager apps in Google Play that conceal malicious code. In total, 77 infected applications have been identified, among them apps carrying the Joker and Harly malware families, collectively installed more than 19 million times.
The latest versions of HOOK and Anatsa underscore a broader trend: mobile trojans are evolving into all-in-one cyberweapons, combining financial theft, covert surveillance, extortion, and remote device control. The scale of the threat continues to grow, while distribution methods become increasingly sophisticated—intensifying the risks for users, financial institutions, and corporate networks alike.