Zimperium discovers new Hook banking trojan variant with most advanced capabilities to date

Zimperium’s zLabs research team has identified a new variant of the notorious Hook Android banking trojan, now equipped with some of the most advanced capabilities seen in mobile malware to date.

Dubbed Hook v3, this variant expands its arsenal to 107 remote commands, including 38 newly added, enabling attackers to steal data, hijack sessions, and bypass device defences with unprecedented sophistication.

Among its most alarming new features:

  • Ransomware-style overlays that display full-screen extortion messages.
  • Fake NFC and payment card overlays to steal sensitive financial data.
  • Lockscreen bypass through deceptive PIN and pattern prompts.
  • Transparent overlays to silently capture user gestures.
  • Real-time device streaming that allows attackers to monitor victims remotely.

In addition to phishing websites, Zimperium has observed Hook v3 being distributed via GitHub, where threat actors actively host malicious APK files.

Other families such as Ermac, Brokewell, and SMS spyware are also being disseminated through similar channels — highlighting a broader trend of open-source platforms being abused for malware distribution.

“Hook v3 blurs the line between banking trojans, spyware, and ransomware,” said Nico Chiaraviglio, Chief Scientist at Zimperium. “Its rapid evolution and wide-scale distribution elevate the threat to financial institutions, enterprises, and mobile users worldwide. This discovery reinforces the urgent need for proactive, on-device defences.”

The findings underscore how attackers continue to converge tactics across malware categories, creating threats that are more versatile and damaging than ever before.
