{
	"id": "49148741-4494-4924-9dfb-50fdbd0ebd52",
	"created_at": "2026-04-06T00:22:12.767729Z",
	"updated_at": "2026-04-10T03:20:04.774116Z",
	"deleted_at": null,
	"sha1_hash": "7818ef59de29da9459e54601d50bfe2a6f0fa5a1",
	"title": "Hook Version 3: The Banking Trojan with The Most Advanced Capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2105867,
	"plain_text": "Hook Version 3: The Banking Trojan with The Most Advanced Capabilities\r\nBy Vishnu Pratapagiri\r\nPublished: 2025-08-25 · Archived: 2026-04-05 16:58:09 UTC\r\nExecutive Summary\r\nZimperium’s zLabs research team has uncovered a new variant of the Hook Android banking trojan, now featuring some of the most advanced capabilities we’ve seen to date. This version introduces:\r\nRansomware-style overlays that display extortion messages\r\nFake NFC overlays to trick victims into sharing sensitive data\r\nLockscreen bypass via deceptive PIN and pattern prompts\r\nTransparent overlays to silently capture user gestures\r\nStealthy screen-streaming sessions for real-time monitoring\r\nIn total, the malware now supports 107 remote commands — with 38 newly added in this update.\r\nThere is growing evidence that the malware is being distributed on a large scale, not only through phishing websites but also via GitHub, where threat actors are actively leveraging the platform to host and spread malicious APK files.\r\nDistribution Methods\r\nWe have been actively monitoring multiple GitHub repositories and have observed both old and new variants of malware such as Hook and Ermac being hosted (Figure 1). It is also evident that this method of distribution is not limited to these families alone; other malware strains like Brokewell and various SMS spyware trojans are also being disseminated through the same channels.\r\nhttps://zimperium.com/blog/hook-version-3-the-banking-trojan-with-the-most-advanced-capabilities\r\nPage 1 of 21\n\nFig.1: Threat actors hosting different malware on a GitHub repository\r\nTechnical analysis\r\nAs with prior versions, Hook abuses Android Accessibility Services to automate fraud and control devices remotely. The difference: its growing command set and overlay techniques give attackers even more flexibility in stealing data, hijacking sessions, and bypassing defenses.\r\nFig.2: Malware requesting accessibility services from the victim\r\nNew Capabilities in Hook v3\r\nIn this section we analyse some of the most notorious new commands Hook implements. The complete list of commands used by Hook v3 is presented in the table at the end of this document, owing to its length.\r\nRansomware-style overlay\r\nA prominent characteristic of the latest variant is its capacity to deploy a full-screen ransomware overlay, which aims to coerce the victim into remitting a ransom payment. This overlay presents an alarming \"*WARNING*\" message (Figure 3), alongside a wallet address and amount, both of which are dynamically retrieved from the command-and-control server. The HTML content required to display this on the victim's screen is embedded within the APK itself. This behavior is remotely initiated when the malware receives the ransome command from the C2. Furthermore, the attacker can remotely dismiss the overlay from the victim’s screen by issuing a \"delete_ransome\" command.\r\nFig.3: Ransomware style overlay\r\nFake NFC Overlay\r\nThe takenfc command is used by the malware to display a fake NFC scanning screen (Figure 4) using a fullscreen WebView overlay. While the code sets up a JavaScript interface to capture user input, the current HTML does not include the injected JavaScript needed to collect and send sensitive data to the attacker. This shows how attackers are planning to keep adding capabilities to the malware.\r\nFig.4: Fake NFC overlay\r\nStealing Device Lock Screen and Automating PIN Unlocking\r\nThe malware leverages an overlay technique that places a deceptive interface over the device’s lock screen. This overlay mimics the legitimate unlock pattern or PIN entry screen (Figure 5), tricking users into entering their credentials. By capturing the unlock pattern or PIN, the attackers gain unauthorized access to the device, effectively bypassing the lock screen security and taking full control.\r\nFig.5: Overlays for stealing device lock screen\r\nThe unlock_pin command can programmatically unlock the device by simulating user interaction. It first acquires a WakeLock to wake the device, performs a swipe-up gesture to reveal the lock screen, and then inputs a PIN received from the payload. Each digit is clicked individually, followed by simulated taps on various confirmation buttons (e.g., \"OK\", \"Enter\", \"Submit\", including variants in different languages and symbols).\r\nFraudulent Phishing Overlay Used to Steal Card Information\r\nThe malware displays an overlay to steal credit card information whenever a takencard command is received from the server. It creates a full-screen WebView overlay (Figure 6) that mimics a legitimate interface and loads a fake HTML form. This HTML file mimics Google Pay to capture sensitive user input like card details or PIN entered in the form, then sends that data back to the server.\r\nFig.6: Phishing overlay page mimicking Google Pay\r\nStill Cooking: Hints of Wider Plans?\r\nThe first version of Hook was published by ThreatFabric (Figure 7), with the malware’s name explicitly present in the code. Later, NCC Group released a comparison between Hook and Ermac and shared details on a newer variant. In this updated version, the threat actors had modified the logging strings (Figure 8).\r\nDuring our analysis of the latest banker variant, we identified several noteworthy strings being initialized, including RABBITMQ_SERVER (Figure 9) along with hardcoded usernames and passwords. RabbitMQ is a dedicated message broker that manages queues and messages between clients and servers, offering a more reliable and flexible C2 channel compared to basic HTTP or WebSocket communication.\r\nAlthough the current build does not actively leverage RabbitMQ, its presence suggests that future versions of the malware could be configured to utilize this infrastructure, potentially enhancing resilience and scalability in C2 operations.\r\nFig.7: Hook1\r\nFig.8: Hook2\r\nFig.9: Hook3\r\nUse of Telegram?\r\nThe malware still seems to be developing a few more features, which include the use of Telegram for C2 communication (Figure 9). Although we have seen Telegram used in one instance to send the injection type and injection data (Figure 10), we did not see any traces of a chat ID or bot token, which strongly suggests that these features are still under development.\r\n🇕 New inject+++++ | 🆔 UID: #\u003cdevice_uid\u003e | 📲 Application: \u003capplication_name\u003e | 🔑 Type: \u003ctype_injects\u003e | 📌 Field1: value1 | 📌 Field2: value2\r\nFig.10: Fields that are sent to Telegram\r\nZimperium vs. Hook\r\nZimperium’s Mobile Threat Defense (MTD) and Mobile Runtime Protection (zDefend) protect against Hook and other advanced banking trojans through an on-device dynamic detection engine, even if the malware is sideloaded from phishing sites or GitHub.\r\nIn addition to providing protection for our customers, Zimperium collaborated with industry stakeholders to help remove the malicious repository from which Hook was being distributed. This takedown significantly reduced the threat actor’s operational capabilities.\r\nWhy This Matters\r\nThe evolution of Hook illustrates how banking trojans are rapidly converging with spyware and ransomware tactics, blurring threat categories. With continuous feature expansion and broad distribution, these families pose a growing risk to financial institutions, enterprises, and end users alike.\r\nZimperium customers are protected against Hook and its variants through on-device detection and behavioral analysis.\r\nMITRE ATT\u0026CK Techniques\r\nTactic | ID | Name | Description\r\nInitial Access | T1660 | Phishing | Adversaries host phishing websites or host APKs on GitHub\r\nPersistence | T1624.001 | Event Triggered Execution: Broadcast Receivers | It creates a broadcast receiver to receive SMS events\r\nPrivilege Escalation | T1626.001 | Abuse Elevation Control Mechanism: Device Administrator Permissions | Malware is capable of factory reset, resetting the device PIN/password, disabling the lockscreen, and watching login attempts from the victim\r\nDefense Evasion | T1655.001 | Masquerading: Match Legitimate Name or Location | Malware pretending to be Google Chrome and many other legitimate applications\r\nDefense Evasion | T1630.001 | Indicator Removal on Host: Uninstall Malicious Application | Malware can uninstall itself\r\nDefense Evasion | T1629.002 | Device Lockout | Malware can lock the victim out of the device via DevicePolicyManager.lockNow()\r\nDefense Evasion | T1516 | Input Injection | Malware can mimic user interaction, perform clicks and various gestures, and input data\r\nDefense Evasion | T1406.002 | Obfuscated Files or Information: Software Packing | It is using obfuscation and packers (JSONPacker) to conceal its code.\r\nCredential Access | T1517 | Access Notifications | The malware leverages Android NotificationListenerService to intercept OTPs and sensitive data from notifications, dismissing or manipulating them to avoid user detection.\r\nCredential Access | T1414 | Clipboard Data | It extracts data stored on the clipboard.\r\nCredential Access | T1417.001 | Input Capture: Keylogging | It has a keylogger feature\r\nCredential Access | T1417.002 | Input Capture: GUI Input Capture | It is able to get the shown UI.\r\nDiscovery | T1420 | File and Directory Discovery | Lists the files at a specified path (additional parameter “ls”), or downloads a file from the specified path (additional parameter “dl”)\r\nDiscovery | T1430 | Location Tracking | Malware can track the victim’s location\r\nDiscovery | T1418 | Software Discovery | Malware collects the installed application package list\r\nDiscovery | T1421 | System Network Connections Discovery | Adversaries may attempt to get a listing of network connections to or from the compromised device\r\nDiscovery | T1426 | System Information Discovery | The malware collects basic device info.\r\nCollection | T1517 | Access Notifications | It registers a receiver to monitor incoming SMS messages\r\nCollection | T1513 | Screen Capture | Malware can record screen content\r\nCollection | T1533 | Data from Local System | Malware can access photos from the device\r\nCollection | T1512 | Capture Camera | Malware opens the camera and takes pictures\r\nCollection | T1429 | Audio Capture | Malware captures audio recordings\r\nCollection | T1616 | Call Control | Malware can make calls\r\nCollection | T1636.002 | Protected User Data: Call Log | Malware steals call logs\r\nCollection | T1636.003 | Protected User Data: Contact List | It exports the device’s contacts.\r\nCollection | T1636.004 | Protected User Data: SMS Messages | Steals SMSs from the infected device\r\nCollection | T1409 | Stored Application Data | Hook can request the GET_ACCOUNTS permission to get the list of accounts on the device\r\nCollection | T1417.001 | Input Capture: Keylogging | Malware can capture keystrokes\r\nCollection | T1417.002 | Input Capture: GUI Input Capture | It is able to get the shown UI.\r\nCollection | T1414 | Clipboard Data | It has the ability to steal data from the clipboard.\r\nCollection | T1616 | Call Control | TA can forward calls from the device\r\nCommand and Control | T1616 | Call Control | TA can forward calls from the device\r\nCommand and Control | T1637 | Dynamic Resolution | It receives the injected HTML payload endpoint dynamically from the server.\r\nCommand and Control | T1481.002 | Web Service: Bidirectional Communication | It uses websocket communication to poll the TA’s server and get the commands to execute.\r\nExfiltration | T1646 | Exfiltration Over C2 Channel | Sending exfiltrated data over the C\u0026C server\r\nImpact | T1616 | Call Control | TA can make and block calls on the device\r\nImpact | T1516 | Input Injection | It displays inject payloads like pattern lock and mimics banking apps’ login screens through overlays to steal credentials.\r\nImpact | T1582 | SMS Control | It can read and send SMS.\r\nIndicators of Compromise\r\nThe full list of IOCs can be found in this repository.\r\nHook Command List\r\nCommand | Description\r\naction_recorded_gesture | Executes remote gesture commands via AccessibilityService to simulate user actions on the device.\r\nstart_vnc | Starts capturing the victim’s screen constantly (streaming)\r\nstartussd | Executes a given USSD code on the victim’s device\r\nget_unlockpass | Resets the unlock password status to false.\r\nsend_sms_many | Sends an SMS message to multiple phone numbers\r\nswipeup | Performs a swipe up gesture\r\ntakescreenshot | Takes a screenshot of the victim’s device\r\nbitcoincom | Launches the Bitcoin Wallet app\r\nclickatcontaintext | Clicks on the UI element that contains the payload text\r\nstart_hvnc | Starts an HVNC session by simulating a swipe gesture and sends device/app info to the attacker’s server.\r\nstart_perm | Requests necessary permissions and logs whether all, some, or none are granted\r\nstartadmin | Sets the “start_admin” shared preference key to value 1, which is probably used as a check before attempting to gain Device Admin privileges\r\ndelete_pincodep | Removes the PIN input overlay from the top of the screen\r\ntakenfc | Places the NFC overlay on top of the screen\r\nstart_record_gesture | Starts recording user gestures by displaying a transparent full screen overlay\r\nremovewaitview | Removes the “wait / loading” view that is displayed on the victim’s device because of the “addwaitview” command\r\ncookie | Steals session cookies (targets the victim’s Google account)\r\nexodus | Starts the Exodus Wallet application (and steals seed phrases as a result of starting this application, as observed during analysis of the accessibility service)\r\nclearcash | Sets the “autoClickCache” shared preference key to value 1, and launches the “Application Details” setting for the specified app (probably to clear the cache)\r\nstop_textview | Triggers the action to stop the text view\r\nupdateinjectandlistapps | Gets a list of the currently installed apps on the victim’s device, and downloads the injection target lists\r\nlogaccounts | Gets a list of the accounts on the victim’s device by their name and account type\r\nmetamask | Launches the Metamask Wallet app\r\npincodep | Places an overlay for PIN code\r\nscrollup | Performs a scroll up gesture\r\ngetlocation | Gets the geographic coordinates (latitude and longitude) of the victim\r\nstop_record_gesture | Stops the gesture recording and removes the overlay, packages the recorded data into JSON and resets it again\r\nmycelium | Launches the Mycelium Wallet app\r\nswipePattern | Parses a list of points from JSON received from the server and converts them into integer coordinate pairs representing a swipe pattern\r\nrestart3 | Restarts the accessibility services\r\nrestart4 | Same as restart3\r\ngetinstallapps | Gets a list of the installed apps on the victim’s device\r\ngetaccounts | Gets a list of the accounts on the victim’s device by their name and account type\r\nonpointerevent | Sets X and Y coordinates and performs an action based on the payload text provided. Three options: “down”, “continue”, and “up”. It looks like these payload texts work together: it first sets the starting coordinates where it should press down, then it sets the coordinates where it should draw a line to from the previous starting coordinates, then it performs a stroke gesture using this information\r\ndeleteapplication | Uninstalls a specified application received from the server\r\ntap | Dispatches a tap gesture at the specified coordinates\r\nkill | Kills the currently running process of the app\r\npiuk | Launches the Blockchain Wallet app\r\npush | Displays a push notification with app name, title, and text from the server\r\ndownloadimage | Downloads an image from the victim’s device\r\nmakecall | Calls the number specified in the payload received from the server\r\nopenwhatsapp | Sends a message through WhatsApp to the specified number\r\nscrolldown | Performs a scroll down gesture\r\nswipe | Performs a swipe gesture with the specified 4 coordinates\r\ntoshi | Launches the Coinbase Wallet app\r\ntrust | Launches the Trust Wallet app\r\nwidth | Extracts the “width” value from the payload, converts it to an integer and saves it to “image_width” in the shared prefs\r\ndelete_patternp | Removes the pattern overlay\r\nlongpress | Dispatches a long press gesture at the specified coordinates\r\naddviewhvnc | Displays a transparent overlay on screen with the message “please wait”\r\nswiperight | Performs a swipe right gesture\r\ncalling | Calls the number specified in the “number” payload, tries to lock the device and attempts to hide and mute the application\r\nforwardsms | Sets up an SMS forwarder to forward the received and sent SMS messages from the victim device to the specified number in the payload\r\nquality | Sets and saves the image quality settings for the VNC\r\ngetcallhistory | Gets a log of the calls that the victim made\r\nclickat | Clicks at a specific UI element\r\nclicker | Simulates a gesture (tap or series of taps) on the screen with specified points and duration\r\nransome | Shows the ransomware overlay on top of the device\r\nsettransperet | Requests needed permissions on startup and closes itself immediately after, logging the permission results.\r\ngetgmailmessage | Sets the “gm_mes_command” shared preference key to the value “start” and starts the Gmail app\r\nrestart | Restarts accessibility just like restart3 and restart4\r\nremoveview | Removes the view with the black background that was added by the “addview” command\r\ngetvktitles | Launches the VKontakte app\r\ncuttext | Replaces the clipboard on the victim’s device with the payload text\r\naddcontact | Adds a new contact to the victim’s device\r\ndelete_ransome | Removes the ransomware overlay\r\nstartauthenticator2 | Starts the Google Authenticator app\r\npatternp | Places the overlay for pattern\r\nstartapp | Starts the app specified in the payload\r\nfpslimit | Updates the stored image quality setting\r\nsendsmsall | Sends a specified SMS message to all contacts on the victim’s device. If the SMS message is too large, it will send the message in multiple parts\r\ngetimages | Gets a list of all images on the victim’s device\r\ngetcontacts | Gets a list of all contacts on the victim’s device\r\ntakencard | Places the card overlay on top of the screen\r\ntakephoto | Takes a photo of the victim using the front facing camera\r\nswipedown | Performs a swipe down gesture\r\nswipeleft | Performs a swipe left gesture\r\nstop_hvnc | Sets the running status of HVNC to false\r\nforwardcall | Sets up a call forwarder to forward all calls to the specified number in the payload\r\nstop_vnc | Stops capturing the victim’s screen\r\nclickattext | Clicks on the UI element with a specific text value\r\ndelete_nfc | Removes the fake NFC overlay\r\nsafepal | Starts the Safepal Wallet application\r\nsamourai | Launches the Samourai Wallet app\r\nsendsms | Sends a specified SMS message to a specified number. If the SMS message is too large, it will send the message in multiple parts\r\nsettext | Sets a specified UI element to the specified text\r\ngetphone | Sends the device manufacturer and model to the server\r\nstart_vnc_socket | Immediately starts the screen streaming activity with minimal setup, skipping overlays and wake locks. It’s designed for a quick, direct launch of the VNC session.\r\nfmmanager | Either lists the files at a specified path (additional parameter “ls”), or downloads a file from the specified path (additional parameter “dl”)\r\nopenapp | Opens a specified app\r\nopenurl | Opens the specified URL\r\ngetsim | Gets the SIM operator and sends it to the server\r\ngetsms | Steals all SMS messages\r\nstartinject | Performs a phishing overlay attack against the given application\r\nheight | Sets the image height for the VNC stream based on the value received in the payload.\r\naddview | Adds a new view with a black background that covers the entire screen\r\nflash_set | Adjusts screen brightness to maximum if system write permission is granted; otherwise logs and flags permission denial.\r\nkillme | Stores the package name of the malicious app in the “killApplication” shared preference key, in order to uninstall it.\r\ndelete_card | Removes the card overlay\r\nonkeyevent | Performs a certain action depending on the specified key payload (POWER DIALOG, BACK, HOME, LOCK SCREEN, or RECENTS)\r\nimagesize | Sets the image size received from the server\r\nunlock_pin | Remotely unlocks the device by simulating swipe, PIN entry, and confirmation taps using AccessibilityService and wake lock control\r\nunlock | Unlocks the device\r\naddwaitview | Displays a “wait / loading” view with a progress bar, custom background colour, text colour, and text to be displayed\r\ngmailtitle | Sets the “gm_list” shared preference key to the value “start” and starts the Gmail app\r\nclearcache | Sets the “autoClickCache” shared preference key to value 1, and launches the “Application Details” setting for the specified app\r\nSource: https://zimperium.com/blog/hook-version-3-the-banking-trojan-with-the-most-advanced-capabilities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://zimperium.com/blog/hook-version-3-the-banking-trojan-with-the-most-advanced-capabilities"
	],
	"report_names": [
		"hook-version-3-the-banking-trojan-with-the-most-advanced-capabilities"
	],
	"threat_actors": [],
	"ts_created_at": 1775434932,
	"ts_updated_at": 1775791204,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7818ef59de29da9459e54601d50bfe2a6f0fa5a1.pdf",
		"text": "https://archive.orkl.eu/7818ef59de29da9459e54601d50bfe2a6f0fa5a1.txt",
		"img": "https://archive.orkl.eu/7818ef59de29da9459e54601d50bfe2a6f0fa5a1.jpg"
	}
}