- Hook V3 uses fake Google Pay overlays to trick victims into handing over sensitive card data
- Real-time screen streaming lets attackers spy directly on victims
- GitHub repositories host malicious APKs, spreading advanced malware more widely
Hook V3, the latest variant of the long-running Hook Android banking Trojan, presents an unusually wide range of capabilities, experts have warned.
Zimperium zLabs researchers say the malware now supports 107 remote commands, with 38 added in the latest update, and continues to abuse Android accessibility services.
Its expanded functionality suggests a shift from narrow banking fraud to a more versatile threat platform, potentially putting many more victims at risk.
Ransomware and deceptive prompts
In their report, the researchers describe how Hook V3 can steal personal data, hijack user sessions and evade device defenses.
“Hook V3 blurs the line between banking Trojans, spyware and ransomware,” said Nico Chiaraviglio, chief scientist at Zimperium.
“Its rapid evolution and large-scale distribution raise the threat to financial institutions, enterprises and mobile users worldwide. This discovery reinforces the urgent need for proactive on-device defenses.”
One of the defining additions is the use of ransomware-style overlays. Victims may encounter full-screen warnings demanding payment, a tactic more commonly associated with desktop ransomware.
Such attacks highlight the need for stronger ransomware protection on mobile devices, a traditionally less emphasized area.
Hook V3 also uses fake lock screens that mimic legitimate PIN or pattern prompts.
Once users enter their details, the attackers obtain the credentials needed to bypass the lock screen. This combination of overlays and remote commands makes the malware especially intrusive.
The Trojan now also incorporates fake NFC scanning screens and spoofed payment card overlays.
These are designed to imitate legitimate services such as Google Pay, increasing the likelihood that unsuspecting users enter sensitive data.
Transparent overlays silently record gestures, while real-time screen streaming lets attackers watch device activity as it happens.
By combining passive theft with active monitoring, Hook V3 demonstrates a layered intrusion.
Although it does not directly launch distributed denial-of-service attacks, its broad command set reflects the same kind of versatility that motivates investment in DDoS protection within broader cybersecurity strategies.
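As an added defender-side check (not code from the article or from Zimperium), the script below flags installed apps that combine the two capabilities the report attributes to Hook V3: an enabled accessibility service and permission to draw over other apps. The adb output it parses is constructed sample data, and the package names and allowlist are assumptions.

```python
# Added example (not from the Zimperium report): a triage check that flags apps
# holding both an enabled accessibility service and the "draw over other apps"
# (SYSTEM_ALERT_WINDOW) permission, the pairing overlay-based banking Trojans rely on.
# Inputs are constructed strings in the shape of these adb commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell appops get <package> SYSTEM_ALERT_WINDOW
import re

# Constructed sample: output of `settings get secure enabled_accessibility_services`
# (colon-separated package/service entries).
ENABLED_A11Y = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.updater/.svc.AccessHelper"
)

# Constructed sample: per-package output of `appops get <pkg> SYSTEM_ALERT_WINDOW`.
APPOPS = {
    "com.android.talkback": "SYSTEM_ALERT_WINDOW: ignore",
    "com.example.updater": "SYSTEM_ALERT_WINDOW: allow; time=+3d2h15m33s918ms ago",
    "com.example.weather": "SYSTEM_ALERT_WINDOW: allow; time=+12h ago",
}

# Assumed allowlist of packages that legitimately hold accessibility access.
ALLOWLIST = {"com.android.talkback"}


def accessibility_packages(setting: str) -> set[str]:
    """Return the package name of every enabled accessibility service."""
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def has_overlay(appops_line: str) -> bool:
    """True when the SYSTEM_ALERT_WINDOW app op is in the 'allow' state."""
    m = re.match(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_line)
    return bool(m) and m.group(1) == "allow"


def suspicious_packages(setting: str, appops: dict[str, str], allowlist: set[str]) -> list[str]:
    """Packages outside the allowlist that hold both accessibility access and overlay rights."""
    a11y = accessibility_packages(setting)
    return sorted(
        pkg for pkg in a11y
        if pkg not in allowlist and has_overlay(appops.get(pkg, ""))
    )


if __name__ == "__main__":
    for pkg in suspicious_packages(ENABLED_A11Y, APPOPS, ALLOWLIST):
        print(f"review: {pkg} has accessibility access and can draw over other apps")
```

On a managed fleet the same intersection can be computed from MDM inventory instead of adb; the point is the pairing of the two capabilities, not either one alone.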
Hook V3 spreads through phishing websites, but malicious APKs have also been hosted openly on GitHub, meaning attackers are using widely trusted platforms to distribute malware.
That said, Hook still appears to be under development, with code fragments referencing RabbitMQ and Telegram.
Although there are limited signs of Telegram being used to send injection data, the absence of chat IDs or bot tokens suggests these functions remain unfinished.