HOOK Android Trojan Adds Ransomware Features, Expands to 107 Commands


A new variant of the HOOK Android banking trojan has been discovered, marking a dangerous evolution in mobile malware.

🔍 What’s new?

  • Ransomware-style overlays: Fullscreen ransom messages with dynamic wallet addresses and payment requests.
  • Expanded control: Now supports 107 remote commands, including:
    • Fake NFC scans to steal card data
    • Fake PIN unlock prompts to capture device credentials
    • Transparent overlays to record gestures
    • Google Pay–like overlays to harvest card details
    • Screen streaming, SMS hijacking, camera access, cookie & crypto wallet theft

🕵️ Distributed via phishing sites and malicious GitHub repos, HOOK is believed to be an offshoot of ERMAC (whose code leaked publicly).

📉 Impact

  • Converges banking trojan, spyware, and ransomware techniques
  • Threatens both individual users and financial institutions
  • Expands risk to enterprises as mobile endpoints become primary work devices

🔐 Defense

  • Avoid sideloading apps or installing APKs outside official stores
  • Monitor for suspicious overlays or permission requests
  • Ensure up-to-date mobile security solutions are deployed
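One way to act on the first two defense points across a device fleet, shown as an added example that is not from the original post or from any vendor tool: flag apps that were not installed by an official store and that combine the overlay permission with SMS or camera access. The inventory format, the sample entries, the permission-to-capability mapping and the trusted-installer list are all assumptions of this example.

```python
import json

# Android permissions matching capabilities the article lists
# (overlays, SMS hijacking, camera access). The mapping is this example's assumption.
RISKY = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.CAMERA": "camera",
}

# Installer packages treated as official stores (assumption; set per fleet policy).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample inventory: one record per installed app, in a hypothetical
# normalised form that an MDM or EDR export could be converted to.
SAMPLE_INVENTORY = json.loads("""
[
  {"package": "com.example.bank", "installer": "com.android.vending",
   "permissions": ["android.permission.CAMERA", "android.permission.INTERNET"]},
  {"package": "com.example.updater", "installer": null,
   "permissions": ["android.permission.SYSTEM_ALERT_WINDOW", "android.permission.READ_SMS",
                   "android.permission.RECEIVE_SMS", "android.permission.CAMERA"]},
  {"package": "com.example.bubbles", "installer": "com.android.vending",
   "permissions": ["android.permission.SYSTEM_ALERT_WINDOW", "android.permission.READ_SMS"]},
  {"package": "com.example.floatclock", "installer": null,
   "permissions": ["android.permission.SYSTEM_ALERT_WINDOW"]}
]
""")

def triage(inventory):
    """Return sideloaded apps holding overlay plus at least one other risky capability."""
    findings = []
    for app in inventory:
        caps = sorted({RISKY[p] for p in app.get("permissions", []) if p in RISKY})
        sideloaded = app.get("installer") not in TRUSTED_INSTALLERS
        # Overlay alone is common in legitimate apps; the combination is what gets reviewed.
        if sideloaded and "overlay" in caps and len(caps) >= 2:
            findings.append({"package": app["package"],
                             "installer": app.get("installer"),
                             "capabilities": caps})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"REVIEW {f['package']} installer={f['installer']} caps={','.join(f['capabilities'])}")
```

A hit is a prompt for manual review, not a verdict: legitimate sideloaded apps can hold the same permissions, and store-installed apps are deliberately not flagged here.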

At Alcaeus Services, we help organizations detect, respond, and protect against rapidly evolving malware threats like HOOK, Anatsa, Joker, and Harly.
