Mobile security firm Zimperium has issued an alert about a dangerous evolution in mobile malware. Its zLabs research team discovered a new variant of the Hook banking trojan, dubbed Hook Version 3, which goes far beyond stealing banking credentials. The malware now combines features of ransomware, spyware, and traditional bank-hacking tools, giving attackers sweeping control over infected Android devices.

The latest version supports 107 remote commands, including 38 new additions, allowing criminals to perform actions such as locking a victim’s screen with ransom demands, live-streaming device activity, and deploying fake overlays to steal PINs, payment details, and login credentials. By exploiting Android’s Accessibility Services, Hook can automate malicious tasks and even mimic legitimate apps, tricking users into handing over sensitive information. Researchers also note signs of ongoing development, with attackers preparing to add capabilities like fake NFC prompts and enhanced communication channels.

Distribution methods are also evolving. While Hook continues to spread via fraudulent websites, Zimperium’s report highlights that hackers are increasingly using public platforms like GitHub to host and share malicious files, making large-scale distribution easier. With developers actively expanding its features, Hook represents a growing risk not only to individuals but also to financial institutions and enterprises. Zimperium warns that the rise of such hybrid malware underscores the urgent need for stronger mobile security measures.