Date: 2025-08-27
More sophisticated Hook Android banking trojan emerges
Nearly 40 new remote commands, including those enabling ransomware-like compromise, have been integrated into the updated version of the Hook Android banking trojan, Infosecurity Magazine reports.
In addition to a new ransomware overlay that shows a payment demand and the attacker-controlled cryptocurrency wallet address, Hook's latest iteration adds bogus NFC scanning prompts for data exfiltration, fake PIN and pattern screens for lock screen evasion, transparent overlays for gesture interception, and covert screen-streaming capabilities, according to findings from Zimperium's zLabs. Based on observed code, operators of the malware are also expected to use RabbitMQ for command-and-control and to add Telegram-based functionality. Attacks involving the new Hook variant have been facilitated by malicious GitHub repositories, at least one of which has already been removed. The development comes as banking trojans increasingly embrace ransomware and spyware techniques.
