The PolySwarm Blog


Hook Android Banking Trojan Evolves

Sep 2, 2025 12:52:33 PM / by The Hivemind

Hook Android
Verticals Targeted: Financial, Enterprises
Regions Targeted: Not specified
Related Families: Ermac, Brokewell

Executive Summary

Hook Version 3 is an advanced Android banking trojan with ransomware, phishing, and lockscreen bypass capabilities, posing significant risks to financial institutions and enterprises. Its distribution via phishing websites and GitHub amplifies its reach, necessitating robust mobile threat defenses.  

Key Takeaways

  • Hook version 3 introduces a ransomware-style overlay to extort victims and a fake NFC overlay to harvest sensitive user input.  
  • This new Hook variant leverages deceptive lockscreen interfaces and gesture capture for unauthorized device access.  
  • Hook version 3 supports 107 remote commands, including 38 new ones, enhancing attacker control.  
  • It is distributed through GitHub repositories alongside other malware like Ermac and Brokewell.  

What is Hook?

The new iteration of the Hook Android banking trojan, Hook Version 3, showcases a significant leap in malicious capabilities targeting financial institutions, enterprises, and individual users. This variant integrates advanced techniques that blur the lines between banking trojans, spyware, and ransomware, making it a formidable threat in the mobile malware landscape. Zimperium recently reported on the new Hook variant.   

Hook Version 3 abuses Android Accessibility Services to automate fraudulent activity and gain remote control over infected devices. With a command set expanded to 107, including 38 newly introduced commands, attackers can execute a wide range of malicious actions, from data theft to session hijacking and device manipulation. Distribution relies on phishing websites and GitHub repositories that host the malicious APK files, a method also observed with related malware families such as Ermac, Brokewell, and various SMS spyware trojans.  

A standout feature of Hook Version 3 is its ransomware-style overlay, which displays a full-screen extortion message with a wallet address and ransom amount retrieved dynamically from the command-and-control (C2) server. This overlay, triggered by the “ransome” command (the malware's own spelling) and dismissed via “delete_ransome,” aims to coerce victims into making payments. Additionally, the malware employs a fake NFC overlay through the “takenfc” command, presenting a deceptive scanning interface to capture sensitive user input; the current HTML lacks the JavaScript needed to exfiltrate what is entered, indicating the feature is still under development.  

The trojan’s ability to defeat device lockscreen security is particularly concerning. By deploying overlays that mimic the legitimate PIN or pattern entry screen, Hook captures the victim's unlock credential. The “unlock_pin” command then automates the unlock by simulating swipe gestures and replaying the PIN, giving attackers full control of the device. Another phishing overlay, activated by the “takencard” command, mimics Google Pay to steal credit card details via a fraudulent WebView form that transmits the captured data back to the C2 server.  

Hook Version 3 also introduces stealthy screen-streaming through commands such as “start_vnc” and “start_hvnc,” enabling real-time monitoring of victim activity. Transparent overlays, initiated by “start_record_gesture,” silently capture user gestures so the malware can reproduce legitimate-looking interactions. Strings referencing RabbitMQ, a message broker, suggest a planned C2 transport intended to make operations more resilient and scalable, though it is not yet active. Similarly, incomplete Telegram integration hints at an additional C2 channel under development. PolySwarm analysts consider Hook to be an evolving threat. 
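The Accessibility Services abuse, overlay permission, and command vocabulary described above give an analyst a cheap static triage check before dynamic analysis. The script below is an added example, not PolySwarm's or Zimperium's tooling: it parses a decoded AndroidManifest.xml (as produced by apktool) for an Accessibility Service declaration and overlay/SMS permissions, scans a strings dump of the DEX for the Hook v3 command names this bulletin cites, and produces a score. The sample manifest and strings are constructed to resemble a Hook-style dropper, and the scoring weights and thresholds are an illustrative assumption, not a published detection rule.

```python
"""Static triage of a decoded Android APK for Hook-style traits.

Added example (not PolySwarm/Zimperium code). Inputs are the text of a
decoded AndroidManifest.xml and a `strings` dump of classes.dex. The
sample inputs and the scoring weights below are constructed assumptions.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SAW = "android.permission.SYSTEM_ALERT_WINDOW"

# Command names this bulletin cites from the Hook v3 analysis.
HOOK_V3_COMMANDS = {
    "ransome", "delete_ransome", "takenfc", "takencard", "unlock_pin",
    "start_vnc", "start_hvnc", "start_record_gesture",
}

# Permissions that, combined with an Accessibility Service, are typical
# of Android banking trojans (overlays, OTP theft, dropping more APKs).
RISKY_PERMISSIONS = {
    SAW: "draw-over-apps overlays",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload further APKs",
    "android.permission.READ_SMS": "read SMS (OTP interception)",
    "android.permission.RECEIVE_SMS": "receive SMS (OTP interception)",
}


def android_attr(name):
    """Qualify an attribute name with the android: namespace for ElementTree."""
    return f"{{{ANDROID_NS}}}{name}"


def parse_manifest(xml_text):
    """Return (requested permissions, names of declared Accessibility Services)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    acc_services = []
    for svc in root.iter("service"):
        # A real Accessibility Service must be protected by this permission
        # and filter on the AccessibilityService action.
        if svc.get(android_attr("permission")) != "android.permission.BIND_ACCESSIBILITY_SERVICE":
            continue
        actions = {a.get(android_attr("name")) for a in svc.iter("action")}
        if "android.accessibilityservice.AccessibilityService" in actions:
            acc_services.append(svc.get(android_attr("name")))
    return perms, acc_services


def find_commands(strings_text):
    """Tokenise a strings dump and return the Hook v3 command names present."""
    tokens = set(re.findall(r"[a-z_]+", strings_text))
    return sorted(tokens & HOOK_V3_COMMANDS)


def triage(manifest_xml, strings_text):
    perms, acc_services = parse_manifest(manifest_xml)
    cmds = find_commands(strings_text)
    risky = perms & RISKY_PERMISSIONS.keys()
    findings = [f"accessibility service: {s}" for s in acc_services]
    findings += [f"permission {p} ({RISKY_PERMISSIONS[p]})" for p in sorted(risky)]
    if cmds:
        findings.append("Hook v3 command strings: " + ", ".join(cmds))
    # Illustrative weights: Accessibility + overlay is the defining pattern,
    # each further risky permission and each known command adds one point.
    score = 3 * bool(acc_services)
    score += 2 if SAW in perms else 0
    score += len(risky - {SAW})
    score += len(cmds)
    if score >= 5:
        verdict = "likely Hook-style banking trojan"
    elif score > 0:
        verdict = "suspicious, review manually"
    else:
        verdict = "no Hook indicators"
    return {"score": score, "verdict": verdict, "findings": findings, "commands": cmds}


# Constructed sample inputs (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="System Update">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

SAMPLE_STRINGS = "Lcom/example/update/AccService;\nstart_hvnc\ntakencard\nransome\ndelete_ransome\nunlock_pin\n"

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for label, m, s in (("sample", SAMPLE_MANIFEST, SAMPLE_STRINGS),
                        ("benign", BENIGN_MANIFEST, "hello_world\n")):
        r = triage(m, s)
        print(f"{label}: score={r['score']} verdict={r['verdict']}")
        for f in r["findings"]:
            print("  -", f)
```

Two caveats when using this on real samples: Hook droppers commonly unpack the real payload DEX at runtime, so an empty command-string match on the outer APK is not an all-clear, and legitimate accessibility apps will also trip the service check, which is why a positive result is a triage signal to review rather than a verdict on its own.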

IOCs

PolySwarm has multiple samples of the new Hook variant. SHA-256 hashes:

1759b9ba03dde81b6513df437fffc722d0f21a5d12226740d30b429a4b6ff289
2249a99fca7979aec3dc51b7d66fbf37330b370b304ec82d9a576f7a34f90aca
3cc1d9fa085ef9a9aed08e69a6ab4ab3425bbb43761278885276e75886a429da
b41acbe10cbf4c3255179667e4855f3da056323bde63160cdc113edb7db65e19
1d1c5de7716ca5cc9156ca1b31763dd8de2a60e35d2d95c3601c882debdf9ae0
cb7785b2c918df23372c0be9a1acd7f40b1e0f1fcbc6f7462dd5af1cd7168f0a
dbc6e6f00391286d353cbe89ca265e6000bc767b850e3c2d26234cc91c40c6b3
ebe9e353527ba067284c8148cf4ffb134d674d9ef5763dbeafb94a2c7dcc6ed5

You can use the following CLI command to search for all Hook samples in our portal:

$ polyswarm link list -f Hook


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, Evolving Threat, Android Malware, ransomware overlay, fake NFC overlay, phishing overlay, Accessibility Services abuse, lockscreen bypass, GitHub malware distribution, financial sector threats, Hook banking trojan
