
HOOK Android banking trojan adds ransomware overlay and 107 commands

Malware Activity

Summary


The HOOK Android banking trojan now adds a full-screen ransomware overlay, increasing extortion risk and expanding its Android fraud capability. The new variant supports 107 remote commands, including fake NFC overlays, unlock PIN/pattern collection, and credit card harvesting. It is being spread at scale through phishing websites and bogus GitHub repositories that host malicious APK files.

Related Happenings

Trust Wallet hit by network compromise

Incident
First: 02.01.2026 16:19 Last: 02.01.2026 16:19 Sources 1

About this happening: **Trust Wallet** said its **Chrome extension** was likely compromised through the **second iteration of Shai-Hulud** in **November 2025**, exposing **GitHub secrets** and a **Chro...

Shai-Hulud Chrome extension trojanized backdoor with wallet mnemonic theft

Malware Activity
First: 31.12.2025 18:29 Last: 31.12.2025 18:29 Sources 1

About this happening: The **Shai-Hulud** supply-chain operation delivered a trojanized **Google Chrome extension** build with a backdoor that could steal **wallet mnemonic phrases**, creating a direct...

DocSwap Android malware variant with encrypted APK loading and RAT capabilities

Malware Activity
First: 18.12.2025 09:43 Last: 18.12.2025 09:43 Sources 1

About this happening: A new **DocSwap** Android malware variant now uses **encrypted APK loading** to gain **RAT capabilities** on Android devices. Victims are lured through **QR-code phishing** and fa...

Albiriox Android malware activity

Malware Activity
First: 01.12.2025 18:30 Last: 01.12.2025 18:30 Sources 1

About this happening: **Albiriox** is an **Android malware** family now being sold as **Malware-as-a-Service**, and it matters because it enables **remote device takeover** and **real-time fraud** agai...

Sturnus Android banking trojan with credential theft and device takeover

Malware Activity
First: 20.11.2025 13:04 Last: 20.11.2025 13:04 Sources 1

About this happening: A new **Android banking trojan** called **Sturnus** has been disclosed with **credential theft** and **full device takeover** capabilities, raising fraud risk for mobile banking u...

Timeline

  1. 26.08.2025 12:01 · 1 article

    HOOK Android banking trojan adds ransomware overlays and 107 commands

    Initial Disclosure

    Zimperium identified a new HOOK Android banking trojan variant that can deploy a full-screen ransomware overlay to coerce victims into paying, with the overlay triggered by the C2 command "ransome" and removable with "delete_ransome". The sample is assessed as an offshoot of ERMAC, supports 107 remote commands with 38 newly added ones, and is distributed through phishing websites and bogus GitHub repositories hosting malicious APK files.
