The 'Swiss army knife' of malware emerges - Hook v3 can do ransomware, keylogging, DDoS, screen capture, and far more
Hook v3 adds 38 new commands, expanding its malicious reach

- Hook v3 uses fake Google Pay overlays to trick victims into surrendering sensitive card data
- Real-time screen streaming allows attackers to spy directly on victims
- GitHub repositories host malicious APKs, spreading advanced malware more widely
Hook v3, the latest variant of the long-running Hook Android banking trojan malware, introduces an unusually wide range of capabilities, experts have warned.
Researchers at Zimperium zLabs claim the malware now supports 107 remote commands, with 38 added in the latest update, and it continues to exploit Android Accessibility Services.
Its expanded functionality suggests a shift from narrow banking fraud to a more versatile threat platform - potentially putting many more victims at risk.
Ransomware overlays and deceptive prompts
In their report, the researchers outline how Hook v3 can steal personal data, hijack user sessions, and bypass device defenses.
“Hook v3 blurs the line between banking trojans, spyware, and ransomware,” said Nico Chiaraviglio, Chief Scientist at Zimperium.
“Its rapid evolution and wide-scale distribution elevate the threat to financial institutions, enterprises, and mobile users worldwide. This discovery reinforces the urgent need for proactive, on-device defenses.”
One of the defining additions is the use of ransomware-style overlays. Victims may encounter full-screen warnings that demand payment, a tactic more commonly associated with desktop ransomware.
Such attacks highlight the need for stronger ransomware protection on mobile devices, an area traditionally less emphasized.
Hook v3 also uses fake unlock screens that mimic legitimate PIN or pattern prompts.
Once users enter their details, attackers gain credentials to bypass lock screens. This combination of overlays and remote commands makes the malware especially intrusive.
The trojan now also incorporates fake NFC scanning screens and counterfeit payment card overlays.
These are designed to imitate legitimate services such as Google Pay, increasing the likelihood of unsuspecting users entering sensitive data.
Transparent overlays silently record gestures, while real-time streaming allows attackers to watch device activity as it happens.
By combining passive theft with active monitoring, Hook v3 demonstrates a layered approach to intrusion.
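The two capabilities the article keeps returning to, an accessibility service that can read and drive the UI and an overlay permission that lets the app draw on top of other apps, are both declared in an app's manifest, which makes them cheap to check at triage time. The script below is an added example written for this page, not code from Zimperium or from the malware; it parses a constructed, hypothetical manifest for a made-up package `com.example.fakewallet` and reports whether the overlay, accessibility-service and screen-capture indicators appear together. A real APK's binary manifest would have to be decoded first (for example with apktool), which the script assumes has already been done.

```python
"""Static manifest triage for the overlay + accessibility-service pattern.

Added example for this article. The manifest below is constructed for
illustration and does not come from any real sample.
"""
import xml.etree.ElementTree as ET

# Android attributes live in this namespace inside the manifest.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Indicators, each a real Android identifier:
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"          # draw over other apps
ACCESSIBILITY_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
# Required on Android 14+ for a foreground service that captures the screen.
SCREEN_CAPTURE_PERMISSION = "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"

# Constructed manifest for a hypothetical app; package name and class are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakewallet">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
    <application android:label="Wallet Update">
        <service android:name=".UiService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a dict of overlay / accessibility / screen-capture indicators
    declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)

    # Manifest-level permissions requested by the app.
    permissions = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}

    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # and/or registered for the AccessibilityService intent action.
    accessibility_services = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        if (svc.get(ANDROID + "permission") == ACCESSIBILITY_BIND_PERMISSION
                or ACCESSIBILITY_ACTION in actions):
            accessibility_services.append(svc.get(ANDROID + "name"))

    findings = {
        "package": root.get("package"),
        "overlay": OVERLAY_PERMISSION in permissions,
        "accessibility_services": accessibility_services,
        "screen_capture": SCREEN_CAPTURE_PERMISSION in permissions,
    }
    # Either capability alone has legitimate uses (screen readers, floating
    # chat heads); the combination is what enables fake unlock / payment
    # screens layered over real apps, so that is the pattern worth flagging.
    findings["overlay_trojan_pattern"] = (
        findings["overlay"] and bool(accessibility_services)
    )
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The flag is deliberately a combination rather than a single permission: a screen-reader app legitimately declares an accessibility service and a floating-widget app legitimately asks for `SYSTEM_ALERT_WINDOW`, so alerting on either alone produces noise, while an app that asks for both and is not from a known accessibility vendor deserves a closer look.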
Although it does not directly launch distributed denial-of-service attacks, its broad command set reflects the same type of versatility that motivates investment in DDoS protection within wider cybersecurity strategies.
Hook v3 spreads through phishing websites, but malicious APKs have also been hosted openly on GitHub, which means attackers use widely trusted platforms to distribute malware.
That said, Hook still appears to be in development, with code fragments referencing RabbitMQ and Telegram.
Although there are signs of limited Telegram use for sending injection data, the absence of chat IDs or bot tokens suggests these functions remain unfinished.

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com