{"id":2496,"date":"2025-08-26T19:54:25","date_gmt":"2025-08-26T19:54:25","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/08\/26\/new-android-trojan-variant-expands-with-ransomware-tactics\/"},"modified":"2025-08-26T19:54:25","modified_gmt":"2025-08-26T19:54:25","slug":"new-android-trojan-variant-expands-with-ransomware-tactics","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/08\/26\/new-android-trojan-variant-expands-with-ransomware-tactics\/","title":{"rendered":"New Android Trojan Variant Expands with Ransomware Tactics"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A new version of the Hook Android banking Trojan has surfaced, showcasing one of the most extensive feature sets ever recorded for mobile malware.<\/p>\n<p>Researchers at Zimperium\u2019s zLabs identified the variant, which now supports 107 remote commands \u2013 of which 38 are newly introduced.<\/p>\n<p>The upgraded malware goes beyond financial theft, adopting ransomware-style methods and advanced surveillance tools.<\/p>\n<p>Among its latest functions are:<\/p>\n<ul>\n<li>\n<p>Ransomware overlays that coerce users into making payments<\/p>\n<\/li>\n<li>\n<p>Fake NFC scanning prompts designed to steal sensitive data<\/p>\n<\/li>\n<li>\n<p>Lock screen bypass using deceptive PIN and pattern screens<\/p>\n<\/li>\n<li>\n<p>Transparent overlays for capturing gestures<\/p>\n<\/li>\n<li>\n<p>Real-time screen-streaming for full monitoring<\/p>\n<\/li>\n<\/ul>\n<p>\u201cThe campaign is operating on a truly global scale,\u201d warned\u00a0Frankie Sclafani, director of cybersecurity enablement at Deepwatch.<\/p>\n<p>\u201cThe detection count has more than doubled in just two weeks, reflecting a rapid and aggressive growth pattern.\u201d<\/p>\n<p><em>Read more on Android malware threats: Android Malware Targets Banking Users Through Discord Channels<\/em><\/p>\n<p>Unlike previous 
campaigns that relied mainly on phishing sites, Hook\u2019s operators are now spreading malicious APK files through GitHub repositories.<\/p>\n<p>Zimperium reported that other malware families, including Ermac, Brokewell and various SMS spyware strains, are also being distributed this way.<\/p>\n<p>\u201cThis phishing campaign is tricky because it personalizes fake websites with the victim\u2019s own email and company logo, making the scam look real,\u201d\u00a0explained\u00a0J Stephen Kowski, field CTO at SlashNext.<\/p>\n<p>\u201cThe malicious files delivered are not just for stealing passwords but for installing powerful remote access tools that give attackers long-term control.\u201d<\/p>\n<p>Zimperium confirmed Hook also continues to exploit Android Accessibility Services for automated fraud and device control.<\/p>\n<p>As mentioned above, its most alarming new feature is a ransomware overlay that displays a payment demand with a cryptocurrency wallet address controlled by attackers. Fake credit card forms, mimicking services like Google Pay, are also used to harvest payment information.<\/p>\n<p>Code references found in the Trojan suggest its developers may add RabbitMQ for more resilient command-and-control (C2) communications. 
There are also traces of Telegram-based functionality under development, though these features remain incomplete.<\/p>\n<p>Zimperium stated that it has collaborated with industry partners to remove at least one GitHub repository associated with distribution of the malware.<\/p>\n<p>The rapid evolution of Hook underscores how traditional banking Trojans are adopting spyware and ransomware tactics.<\/p>\n<p>As Sclafani concluded, \u201cthis is a complete attack process designed to secretly install a persistent malicious payload inside your network,\u201d\u00a0making it a growing concern for enterprises and individuals alike.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new version of the Hook Android banking Trojan has surfaced, showcasing one of the most extensive feature sets ever recorded for mobile malware. Researchers at Zimperium\u2019s zLabs identified the variant, which now supports 107 remote commands \u2013 of which 38 are newly introduced. The upgraded malware goes beyond financial theft, adopting ransomware-style methods 
and<\/p>\n","protected":false},"author":2,"featured_media":2497,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2496","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2496-7998e0bf-c1cc-4c5c-9a3e-06ddea585075.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2496-7998e0bf-c1cc-4c5c-9a3e-06ddea585075-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2496-7998e0bf-c1cc-4c5c-9a3e-06ddea585075.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2496-7998e0bf-c1cc-4c5c-9a3e-06ddea585075.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2496-7998e0bf-c1cc-4c5c-9a3e-06ddea585075.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2496-7998e0bf-c1cc-4c5c-9a3e-06ddea585075.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2496-7998e0bf-c1cc-4c5c-9a3e-06ddea585075.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2496-7998e0bf-c1cc-4c5c-9a3e-06ddea585075.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2496-7998e0bf-c1cc-4c5c-9a3e-06ddea585075.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2496-7998e0bf-c1cc-4c5c-9a3e-06ddea585075.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2025\/08\/2496-7998e0bf-c1cc-4c5c-9a3e-06ddea585075-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" 
rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2496","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=2496"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/2496\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/2497"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=2496"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=2496"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=2496"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}