On 25 August 2025, Zimperium's zLabs disclosed Hook Version 3, an Android banking trojan that now adds ransomware-style overlays, deceptive NFC prompts, lockscreen spoofing, transparent gesture capture, and live screen streaming, raising the stakes for CISOs, SOC leads, and regulators everywhere.
- On 25 August 2025, Zimperium’s zLabs published its findings on Hook Version 3, detailing its newly added capabilities and expanded command set.
- Hook is a banking trojan derived from the ERMAC codebase; it was first documented in 2023 as an ERMAC fork with added remote-control capabilities, and each release has extended that command set.
- Version 3 brings the command set to 107 remote commands (38 of them new), including ransomware overlays, fake NFC overlays, deceptive PIN/pattern lockscreens, transparent gesture capture, and stealthy screen streaming, marking it among the most sophisticated Android banking trojans to date.
New Capabilities & Technical Arsenal
Hook Version 3 radically expands on prior functionality:
| Feature | Description |
|---|---|
| Ransomware-style overlays | Full-screen overlays delivering an extortion message, with the wallet address and ransom amount supplied by the C2 when the overlay is triggered |
| Fake NFC overlays | Deceptive overlays that mimic an NFC scanning prompt to lure victims into presenting cards or revealing data |
| Lockscreen spoofing | Fake PIN/pattern unlock overlays that harvest the device unlock credential |
| Transparent gesture capture | Invisible overlay that records the victim's taps and swipes without any visible change to the screen |
| Stealthy screen streaming | Real-time streaming of the device screen to attacker-controlled endpoints |
The remote command set now numbers 107 (all previously known commands plus 38 new ones). Most of these, including overlay injection, gesture replay and screen reading, depend on the malware being granted Accessibility Service access, which is what enables such extensive device manipulation and data theft.
Distribution & Defensive Response
- Zimperium noted that the malware is likely being spread at scale via phishing websites and GitHub-hosted APKs, mirroring contemporary trends of abusing trusted platforms for distribution.
- Zimperium’s Mobile Threat Defense (MTD) and zDefend solutions offer on-device detection, including for sideloaded threats, and have supported takedown actions against malicious GitHub repositories.
Expert Perspectives
“Hook Version 3 represents a convergence of ransomware, spyware, and banking malware, blurring threat boundaries and demanding elevated defensive postures,” said Fernando Ortega, Senior Security Researcher at Zimperium zLabs (SourceSecurity, Zimperium).
“Organizations must deploy real-time, on-device behavior-based security — especially when overlay-based and screen-streaming techniques are now being weaponized,” stressed Kern Smith, VP of Solutions Engineering at Zimperium (Security Journal UK, Zimperium).
MEA & Global Context
- While no regional impact data for the Middle East and Africa (MEA) was confirmed, the trojan’s global rise underscores heightened risk for the region, particularly where mobile banking adoption is surging.
- Regional policymakers and regulators may need to consider stricter app-store vetting and public-awareness campaigns to combat sideloaded and overlay-based threats.
- Globally, banking malware is trending toward Malware-as-a-Service (MaaS) models, screen sharing, real-time overlays, and social engineering via platforms such as Discord and GitHub, as seen across families like DoubleTrouble and GodFather.
MITRE ATT&CK Mapping & IOCs
The sources summarised here did not reproduce MITRE ATT&CK mappings or indicators of compromise, so none are listed to avoid inaccuracy; consult the original zLabs post before building detections.
Actionable Takeaways
- Enable on-device, behavior-based mobile defense (e.g., Zimperium’s MTD, zDefend) to counter overlay misuse and real-time screen capture.
- Block sideloading and restrict which apps may enable an Accessibility Service or draw over other apps (the SYSTEM_ALERT_WINDOW permission every overlay needs), especially on enterprise-issued devices.
- Monitor GitHub and phishing channels for trojan distribution trends and promptly file takedown requests.
- Educate users and staff on the dangers of unknown APKs, suspicious overlays, and unexpected requests to enter credentials or unlock codes.
- Deploy app-layer integrity checks and runtime protection SDKs that detect overlays and third-party accessibility services while the banking app is in the foreground.
- Conduct red-team exercises simulating overlay and screen-streaming attacks to evaluate defenses.
- Collaborate with regulators and industry peers for coordinated threat intelligence sharing and proactive messaging.
- Audit mobile device management (MDM) policies to prevent unauthorized app installations and enforce secure configurations.
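The takeaways on sideloading, Accessibility Service restrictions and MDM audits can be checked concretely on a device. The script below is an added example written for this brief, not code from Zimperium or from the Hook analysis; it uses adb to look for the three preconditions a Hook-style trojan relies on (a sideloaded package, an enabled Accessibility Service belonging to that package, and the overlay permission) and flags packages that combine them. The package names in the sample data are constructed, and the list of trusted installers is an assumption you should align with your own app-store or EMM policy.

```shell
#!/bin/sh
# Added triage example (not from the zLabs report): flag sideloaded apps that hold an
# enabled Accessibility Service and may draw overlays, the combination Hook-style
# malware needs for overlay injection and gesture capture. Runs offline on captured
# adb output; set HOOK_TRIAGE_LIVE=1 to query an attached, USB-debug-enabled device.

# Installer packages treated as legitimate stores (assumption: Google Play and the
# Galaxy Store; add your EMM/MDM installer package here).
TRUSTED_INSTALLERS="com.android.vending com.sec.android.app.samsungapps"

# Reads `pm list packages -3 -i` output on stdin, lines such as
#   package:com.bank.app  installer=com.android.vending
#   package:com.evil.hook  installer=null
# and prints third-party packages whose installer is not a trusted store (sideloaded).
sideloaded_packages() {
  tr -d '\r' | while IFS= read -r line; do
    case "$line" in package:*) ;; *) continue ;; esac
    pkg=${line#package:}; pkg=${pkg%% *}
    inst=${line##*installer=}
    trusted=0
    for t in $TRUSTED_INSTALLERS; do
      [ "$inst" = "$t" ] && trusted=1
    done
    [ "$trusted" -eq 0 ] && printf '%s\n' "$pkg"
  done
  return 0
}

# Reads `settings get secure enabled_accessibility_services` output on stdin
# (colon-separated "package/ServiceClass" entries, or "null" when none are enabled)
# and prints the package name of each enabled service.
accessibility_packages() {
  tr -d '\r\n' | tr ':' '\n' | grep -v '^null$' | cut -d/ -f1 | grep .
  return 0
}

# Reads `appops get <pkg> SYSTEM_ALERT_WINDOW` output on stdin; succeeds when the
# package is allowed to draw over other apps, which every overlay screen requires.
overlay_allowed() {
  grep -q 'SYSTEM_ALERT_WINDOW: allow'
}

# $1: newline-separated sideloaded packages; $2: newline-separated accessibility packages.
# Prints packages present in both lists: a sideloaded app with an enabled
# Accessibility Service. Legitimate services such as TalkBack are not sideloaded,
# so they never appear here.
suspicious_accessibility() {
  for a in $2; do
    for s in $1; do
      [ "$a" = "$s" ] && printf '%s\n' "$a"
    done
  done
  return 0
}

if [ "${HOOK_TRIAGE_LIVE:-0}" = "1" ]; then
  # Live mode: query the attached device.
  side=$(adb shell pm list packages -3 -i | sideloaded_packages)
  acc=$(adb shell settings get secure enabled_accessibility_services | accessibility_packages)
  for p in $(suspicious_accessibility "$side" "$acc"); do
    if adb shell appops get "$p" SYSTEM_ALERT_WINDOW | overlay_allowed; then
      echo "ALERT: $p is sideloaded, has an Accessibility Service enabled and may draw overlays"
    else
      echo "WARN: $p is sideloaded and has an Accessibility Service enabled"
    fi
  done
else
  # Offline demo on constructed adb output (no device needed).
  side=$(printf '%s\n' \
    'package:com.bank.app  installer=com.android.vending' \
    'package:com.evil.hook  installer=null' \
    'package:com.sideload.tool  installer=com.android.packageinstaller' | sideloaded_packages)
  acc=$(printf '%s' 'com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.evil.hook/com.evil.hook.AccService' | accessibility_packages)
  suspicious_accessibility "$side" "$acc"   # prints com.evil.hook
fi
```

A hit from this script is a lead, not a verdict: apps installed from Google Play can also be malicious, and some enterprise tooling legitimately combines sideloading with an Accessibility Service, so record the trusted-installer list and any approved accessibility packages in the MDM baseline and investigate anything outside it.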
Conclusion
Hook Version 3 elevates mobile banking threats with ransomware overlays, gesture capture, NFC deception, and live screen streaming, blending multiple attack paradigms into a single, potent threat. Enterprises, especially in finance and critical infrastructure, must adopt real-time, on-device defenses, limit high-risk permissions such as Accessibility Service access and overlay drawing, and foster regional collaboration to stay ahead of this evolving danger. Future versions will likely grow more capable, so preparedness is imperative.
Sources
- Zimperium zLabs research — Hook Version 3 blog post, 25 August 2025 (Zimperium)
- GodFather trojan research by Zimperium, 10 July 2025 (SourceSecurity)
- DoubleTrouble trojan analysis via Discord, 31 July 2025 (Infosecurity Magazine, Financial IT)
- Zimperium’s 2023 Banking Heists Report, 14 December 2023 (Zimperium, Financial IT)
- Hook origin from ERMAC lineage, September 2023 (The Hacker News)