Security researchers have identified a new variant of the HOOK Android banking trojan that adds ransomware-style overlay screens to extort victims. Zimperium zLabs described the variant as capable of deploying a full-screen ransomware overlay, with a dynamically retrieved wallet address and ransom amount served by its command-and-control (C2) server.
The overlay is remotely initiated when the C2 server issues the “ransome” command and can be dismissed by sending the “delete_ransome” command. The overlay is designed to appear atop banking apps to pressure victims to pay, with the wallet address and amount displayed as provided by the C2 server.
HOOK is regarded as an offshoot of ERMAC, a banking trojan whose source code was reportedly leaked in a publicly accessible directory.
Beyond overlays, HOOK can perform a range of malicious actions, including sending SMS messages, streaming the victim’s screen, capturing photos with the front-facing camera, and stealing cookies and recovery phrases associated with cryptocurrency wallets.
The latest version expands its command set to 107 remote commands, with 38 newly added. Capabilities include serving transparent overlays to capture user gestures, fake NFC overlays to trick victims into sharing data, and deceptive prompts to obtain lockscreen PINs or patterns.
HOOK is believed to be distributed on a broad scale via phishing websites and bogus APKs hosted on repositories. The campaign has been observed alongside other Android malware families such as Anatsa and Joker, underscoring a broader trend among threat actors to blend banking fraud with spyware and ransomware techniques.
“The evolution of HOOK illustrates how banking trojans are rapidly converging with spyware and ransomware tactics, blurring threat categories,” Zimperium noted. “With continuous feature expansion and broad distribution, these families pose a growing risk to financial institutions, enterprises, and end users alike.”
Separately, Zscaler ThreatLabs detailed an updated version of the Anatsa banking trojan that now targets more than 831 banking and cryptocurrency services worldwide, up from 650 previously. The researchers describe Anatsa as leveraging Android accessibility services to gain additional permissions and to draw overlays for data theft and remote control.
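The transparent gesture-capturing overlays attributed to HOOK above and the accessibility-driven overlays attributed to Anatsa are both attacks on the app underneath, so the checks a banking-app developer would want are app-side. The following is an added example written for this page, not code from the Zimperium or Zscaler reports or from any affected app; it is Java for Android, and the class name `OverlayHardening`, its method names and the minimum API level assumed in the comments are this example's own choices. The platform calls it uses (FLAG_SECURE, setFilterTouchesWhenObscured, the MotionEvent obscured flags, setAccessibilityDataSensitive on Android 14, and AccessibilityManager) are standard Android APIs.

```java
// Added example, not from the original article: app-side hardening of a
// sensitive screen against overlay tapjacking, screen streaming and
// accessibility-service scraping. Assumes a normal Android Activity
// (minSdk 21; the Android 14 call is guarded). Names are illustrative.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.view.MotionEvent;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

public final class OverlayHardening {
    private OverlayHardening() {}

    /** Mark the window secure so MediaProjection-style screen streaming and
     *  screenshots of it come back black. */
    public static void blockScreenCapture(Activity activity) {
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
    }

    /** Refuse touches that pass through another window sitting on top of
     *  this view, which is exactly what a transparent gesture-capturing
     *  overlay relies on. */
    public static void rejectObscuredTouches(View sensitiveView) {
        // Same as android:filterTouchesWhenObscured="true" in layout XML:
        // the framework drops events flagged FLAG_WINDOW_IS_OBSCURED before
        // they reach listeners.
        sensitiveView.setFilterTouchesWhenObscured(true);

        // Android 10+ also reports partial overlap; consume those events too.
        sensitiveView.setOnTouchListener((v, event) -> {
            int flags = event.getFlags();
            boolean obscured = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
                obscured |= (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
            }
            // Returning true swallows the event, so a click never fires while
            // a foreign window overlaps the view.
            return obscured;
        });

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            // Android 14+: hide this view's content from accessibility services
            // that are not declared accessibility tools, so an accessibility-
            // based trojan cannot read or act on it.
            sensitiveView.setAccessibilityDataSensitive(
                    View.ACCESSIBILITY_DATA_SENSITIVE_YES);
        }
    }

    /** Flattened component names of every enabled accessibility service,
     *  for logging or server-side risk scoring before a sensitive flow. */
    public static List<String> enabledAccessibilityServices(Context ctx) {
        List<String> names = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return names;
        }
        for (AccessibilityServiceInfo info
                : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            names.add(info.getId()); // e.g. "com.example.pkg/.SomeService"
        }
        return names;
    }
}
```

Two caveats a practitioner should keep in mind. None of this stops a trojan that already holds SYSTEM_ALERT_WINDOW or accessibility rights from drawing a full-screen ransom or phishing overlay; it only ensures that taps made through such an overlay do not land on the protected view, that the window cannot be streamed, and that the view's text is not exposed to accessibility services. The list of enabled services is a signal, not a verdict: legitimate screen readers appear there too, so treat unknown entries as input to a risk decision rather than as grounds to block the user outright.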
In Google Play, researchers identified 77 malicious apps from various adware, maskware, and malware families – including Anatsa, Joker and Harly – accounting for more than 19 million installations. Maskware refers to apps that masquerade as legitimate titles while concealing malicious functionality; Google’s policy guidance on.
Security researchers advise users and organizations to stay vigilant for new overlays, prompts, and deployment tricks that could indicate HOOK or similar threats, as the convergence of banking trojans with spyware and ransomware continues to accelerate.