Android Banking Trojan HOOK Evolves With Ransomware Tactics; Anatsa Expands Global Reach

Cybersecurity researchers have sounded the alarm over a dangerous new version of the Android banking trojan HOOK, which now incorporates ransomware-style overlays to extort victims. The latest variant represents a major leap in functionality, blurring the lines between traditional banking malware, spyware, and ransomware.

“A prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment,” said Vishnu Pratapagiri, a researcher at Zimperium zLabs. “This overlay presents an alarming ‘WARNING’ message, alongside a wallet address and amount, both of which are dynamically retrieved from the command-and-control server.”

Zimperium’s analysis revealed that attackers can remotely activate the overlay with a “ransome” command from the C2 server (the misspelling is the operators’ own) and later remove it with a “delete_ransome” command. HOOK, which is built on the ERMAC trojan whose source code leaked, continues to use fake overlay screens to steal credentials from financial apps and abuses Android accessibility services to automate fraud and control the device remotely.

The new HOOK variant supports 107 remote commands, 38 of them newly added. Several of the additions are deceptive overlays:

  • takenfc: a fake NFC scanning screen to steal card data
  • unlock_pin: a counterfeit unlock screen to capture device PINs and patterns
  • takencard: a spoofed Google Pay overlay to extract credit card details
  • start_record_gesture: transparent overlays to record user gestures

Beyond credential theft, HOOK also allows attackers to stream a victim’s screen, capture photos from the front-facing camera, send SMS messages, and steal cookies or cryptocurrency wallet recovery phrases. Distribution is widespread, relying on phishing sites and fake GitHub repositories—methods also used by malware families like ERMAC and Brokewell.

Zimperium warns: “The evolution of HOOK illustrates how banking trojans are rapidly converging with spyware and ransomware tactics, blurring threat categories.”

Meanwhile, researchers at Zscaler ThreatLabz reported that Anatsa, another Android banking trojan, has expanded its target list from 650 to 831 banking and cryptocurrency apps worldwide, with a particular focus on Germany and South Korea. Spread through dropper apps such as fake file managers, Anatsa hides its payloads inside deliberately corrupted archives that automated analysis tools fail to unpack, and abuses accessibility services to gain extended privileges on the device.
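The two behaviours described above, overlay and accessibility abuse and corrupted payload archives, both leave static traces in a dropper APK. The script below is an added example (not Zimperium’s or Zscaler’s tooling, and not code from this article) that triages an APK for them: it looks for the permissions an overlay-based trojan needs (SYSTEM_ALERT_WINDOW to draw over other apps, BIND_ACCESSIBILITY_SERVICE to register an accessibility service) and flags bundled files that carry a ZIP signature but do not parse. The sample APK, its file names and the helper names are constructed for illustration; the manifest check is a byte-search heuristic over the compiled manifest’s string pool rather than a binary-XML parser.

```python
"""Static triage heuristics for Android dropper APKs (added example).

Checks two traces of the behaviours the article describes:
  1. permissions that enable overlay attacks and accessibility abuse;
  2. bundled archives that look like ZIPs but do not parse, the
     corrupted-archive trick used to hide payloads from analysis.

All sample data is constructed in memory; nothing here is a real sample.
"""
import io
import zipfile

# SYSTEM_ALERT_WINDOW lets an app draw windows over other apps (overlays);
# BIND_ACCESSIBILITY_SERVICE marks an accessibility service, the mechanism
# abused for UI automation and remote control.
SUSPICIOUS_PERMISSIONS = (
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
)

ZIP_LOCAL_HEADER = b"PK\x03\x04"


def find_permissions(manifest_bytes: bytes) -> list[str]:
    """Return the suspicious permission names present in AndroidManifest.xml.

    A compiled manifest stores strings in a string pool encoded as UTF-16LE
    or UTF-8, so both encodings are searched. Heuristic, not an AXML parser.
    """
    found = []
    for perm in SUSPICIOUS_PERMISSIONS:
        if perm.encode("utf-16-le") in manifest_bytes or perm.encode("utf-8") in manifest_bytes:
            found.append(perm)
    return found


def is_corrupted_zip(data: bytes) -> bool:
    """True if data starts with a ZIP local-file header but cannot be read
    as an archive (missing or mangled central directory, bad CRCs)."""
    if not data.startswith(ZIP_LOCAL_HEADER):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() returns the first entry whose CRC fails, else None
            return zf.testzip() is not None
    except zipfile.BadZipFile:
        return True


def triage_apk(apk_bytes: bytes) -> dict:
    """Run both checks over an APK (itself a ZIP) and return the findings."""
    findings = {"permissions": [], "corrupted_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if name == "AndroidManifest.xml":
                findings["permissions"] = find_permissions(data)
            elif is_corrupted_zip(data):
                findings["corrupted_assets"].append(name)
    return findings


def build_sample_apk() -> bytes:
    """Constructed APK-like ZIP for the demo: a 'file manager' requesting
    overlay and accessibility permissions, with one hidden corrupted
    archive under assets/ and one intact archive as a control."""
    manifest = (
        '<manifest package="com.example.filemanager">'
        '<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>'
        '<uses-permission android:name="android.permission.INTERNET"/>'
        '<application><service android:name=".A11y" '
        'android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>'
        '</application></manifest>'
    ).encode("utf-16-le")  # mimic the UTF-16 string pool of a compiled manifest

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
    payload = inner.getvalue()
    corrupted = payload[:-22]  # strip the 22-byte end-of-central-directory record

    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as apk:
        apk.writestr("AndroidManifest.xml", manifest)
        apk.writestr("assets/fonts.bin", corrupted)  # payload the unpacker chokes on
        apk.writestr("assets/valid.zip", payload)    # control: parses normally
    return out.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk()))
```

Running the script reports both permissions and flags only assets/fonts.bin; a real triage pipeline would feed such hits into a sandbox or manual review rather than treating them as a verdict, since legitimate apps also request these permissions.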

Zscaler also found 77 malicious apps on Google Play belonging to families such as Anatsa, Joker, and Harly, collectively downloaded more than 19 million times. As security researcher Himanshu Sharma noted: “Anatsa continues to evolve and improve with anti-analysis techniques to better evade detection.”

The findings underscore how Android banking trojans are rapidly evolving into multi-functional threats, posing growing risks to users, enterprises, and financial institutions alike.
