Cybersecurity experts have identified a new version of the Android banking trojan HOOK, now equipped with ransomware-style overlays that display full-screen extortion messages. These overlays show a warning, wallet address, and ransom amount, all pulled from a remote server. Attackers can activate or remove the overlay using specific commands.
HOOK is a modified version of the ERMAC trojan, whose source code was previously leaked online. Like other Android banking malware, HOOK can steal credentials by overlaying fake screens on financial apps and exploiting accessibility services to control devices. It also sends SMS messages, streams screens, takes photos, and steals crypto wallet data.
The latest HOOK update adds 38 new commands, totaling 107. These include fake NFC scans, lockscreen prompts to steal PINs, and overlays that mimic Google Pay to capture card details. Distribution is widespread through phishing sites and fake GitHub repositories, alongside other malware like Brokewell and ERMAC.
Researchers warn that HOOK is merging features of spyware and ransomware, increasing its threat to users and institutions.
Anatsa Trojan Expands Reach
Meanwhile, Zscaler reports that the Anatsa banking trojan now targets over 831 financial and crypto services globally. It spreads via apps disguised as file managers and uses corrupted archives to hide its payload. Anatsa abuses accessibility permissions to gain control and display overlays.
Zscaler found 77 malicious apps on Google Play linked to Anatsa, Joker, and Harly, with over 19 million installs. Harly, a Joker variant, was found in 95 apps earlier this year. Anatsa continues to evolve, adding support for over 150 new financial apps and using advanced evasion techniques.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
