Cyber Web Spider Blog – News
Android Trojan ‘Fantasy Hub’ Malware Service Turns Telegram Into a Hub for Hackers

Posted on November 11, 2025 by CWS

Cybersecurity researchers have disclosed details of a new Android remote access trojan (RAT) called Fantasy Hub that is sold on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model.
According to its seller, the malware enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, photos, and videos, as well as intercept, reply to, and delete incoming notifications.
"It is a MaaS product with seller documentation, videos, and a bot-driven subscription model that supports novice attackers by providing a low barrier to entry," Zimperium researcher Vishnu Pratapagiri said in a report last week.
"Because it targets financial workflows (fake windows for banks) and abuses the SMS handler role (for intercepting two-factor SMS), it poses a direct threat to enterprise customers using BYOD and to any organization whose employees rely on mobile banking or sensitive mobile apps."
The threat actor, in their advertisement for Fantasy Hub, refers to victims as "mammoths," a term often used by Telegram-based cybercriminals operating out of Russia.
Customers of the e-crime solution receive instructions related to creating fake Google Play Store landing pages for distribution, as well as the steps to bypass restrictions. Prospective buyers can choose the icon, name, and page they want in order to get a slick-looking page.

The bot, which manages paid subscriptions and builder access, is also designed to let threat actors upload any APK file to the service and get back a trojanized version with the malicious payload embedded into it. The service is offered for one user (i.e., one active session) at a weekly price of $200 or for $500 per month. Users can also opt for a yearly subscription that costs $4,500.
The command-and-control (C2) panel associated with the malware provides details about the compromised devices, along with information about the subscription status itself. The panel also gives the attackers the ability to issue commands to collect various types of data.
"Sellers instruct buyers to create a bot, capture the chat ID, and configure tokens to route regular and high-priority alerts to separate chats," Zimperium said. "This design closely mirrors HyperRat, an Android RAT that was detailed last month."
As for the malware, it abuses the default SMS privileges, like ClayRAT, to gain access to SMS messages, contacts, camera, and files. By prompting the user to set it as the default SMS handling app, the trojan obtains multiple powerful permissions in one go rather than having to ask for individual permissions at runtime.
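The default-SMS-handler abuse described above leaves a footprint that a defender can check for from an app inventory: which package currently holds the SMS role, and which packages pair that role (or the overlay permission used for fake bank windows) with a broad set of data-collection permissions. The following Python triage script is an added example, not code from the article, Zimperium, or any of the malware families named here. It assumes a constructed, abbreviated sample of `adb shell dumpsys package` output (invented for this example), a hypothetical allowlist of messaging apps the fleet expects to hold the SMS role, and a threshold of five risky permissions chosen for illustration. On a real device the default SMS package comes from `adb shell settings get secure sms_default_application`.

```python
import re
from typing import Dict, List, Set

# Permissions that, combined with the default-SMS role, match the capability set
# the article attributes to Fantasy Hub (SMS, contacts, camera, files), plus the
# overlay permission used for fake banking windows.
RISKY_PERMS: Set[str] = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_EXTERNAL_STORAGE",
}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Hypothetical allowlist: the messaging apps this fleet expects to hold the SMS role.
EXPECTED_SMS_APPS: Set[str] = {
    "com.google.android.apps.messaging",
    "com.samsung.android.messaging",
}

# Constructed sample in the shape of `adb shell dumpsys package` output
# (abbreviated and invented for this example, not captured from a device).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.google.android.apps.messaging] (1a2b3c):
    userId=10090
    requested permissions:
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.playupdate] (4d5e6f):
    userId=10231
    requested permissions:
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (7a8b9c):
    userId=10244
    requested permissions:
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
"""

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")


def parse_requested_permissions(dumpsys_text: str) -> Dict[str, Set[str]]:
    """Map each package to the permissions listed under its 'requested permissions:' block."""
    perms: Dict[str, Set[str]] = {}
    current = None
    in_requested = False
    for raw in dumpsys_text.splitlines():
        m = PACKAGE_RE.match(raw)
        if m:
            current = m.group(1)
            perms[current] = set()
            in_requested = False
            continue
        line = raw.strip()
        if current is None or not line:
            continue
        if line == "requested permissions:":
            in_requested = True
        elif line.endswith(":"):
            # Any other section header ends the requested-permissions block.
            in_requested = False
        elif in_requested:
            # Newer builds append flags such as ': restricted=true'; keep the name only.
            perms[current].add(line.split(":")[0].split()[0])
    return perms


def triage(dumpsys_text: str, default_sms_pkg: str) -> List[dict]:
    """Flag an unexpected default SMS handler, and any app that pairs the overlay
    permission with a broad set of data-collection permissions."""
    findings: List[dict] = []
    for pkg, requested in parse_requested_permissions(dumpsys_text).items():
        risky = sorted(requested & RISKY_PERMS)
        if pkg == default_sms_pkg and pkg not in EXPECTED_SMS_APPS:
            findings.append({"package": pkg,
                             "reason": "unexpected default SMS handler",
                             "risky_permissions": risky})
        elif OVERLAY_PERM in requested and len(risky) >= 5:
            findings.append({"package": pkg,
                             "reason": "overlay plus broad data permissions",
                             "risky_permissions": risky})
    return findings


if __name__ == "__main__":
    # Second argument: output of `adb shell settings get secure sms_default_application`.
    for finding in triage(SAMPLE_DUMPSYS, "com.example.playupdate"):
        print(finding["package"], "->", finding["reason"], finding["risky_permissions"])
```

Running the block flags `com.example.playupdate` as an unexpected default SMS handler; with the stock messaging app holding the role instead, the same package is still flagged for combining the overlay permission with SMS, contact, call-log, camera and microphone access, which is the combination worth escalating on a BYOD fleet.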

The dropper apps have been found to masquerade as a Google Play update to lend them a veneer of legitimacy and trick users into granting the necessary permissions. Besides using fake overlays to obtain banking credentials associated with Russian financial institutions such as Alfa, PSB, T-Bank, and Sberbank, the spyware relies on an open-source project to stream camera and microphone content in real time over WebRTC.
"The rapid rise of Malware-as-a-Service (MaaS) operations like Fantasy Hub shows how easily attackers can weaponize legitimate Android components to achieve full device compromise," Pratapagiri said. "Unlike older banking trojans that rely solely on overlays, Fantasy Hub integrates native droppers, WebRTC-based live streaming, and abuse of the SMS handler role to exfiltrate data and impersonate legitimate apps in real time."
The disclosure comes as Zscaler ThreatLabz revealed that Android malware transactions increased by 67% year-over-year, driven by sophisticated spyware and banking trojans. As many as 239 malicious applications were flagged on the Google Play Store, with the apps downloaded 42 million times collectively between June 2024 and May 2025.
Some of the noteworthy Android malware families observed during the period were Anatsa (aka TeaBot and Toddler), Void (aka Vo1d), and a never-before-seen Android RAT dubbed Xnotice that has targeted job seekers in the oil and gas sector in the Middle East and North Africa regions by passing itself off as job application apps distributed via fake employment portals.
Once installed, the malware steals banking credentials via overlays and collects other sensitive data such as multi-factor authentication (MFA) codes, SMS messages, and screenshots.

"Threat actors deploy sophisticated banking trojans like Anatsa, ERMAC, and TrickMo, which often masquerade as legitimate utilities or productivity apps on both official and third-party app stores," the company said. "Once installed, they use highly deceptive techniques to capture usernames, passwords, and even the two-factor authentication (2FA) codes needed to authorize transactions."
The findings also follow an advisory from CERT Polska about new samples of Android malware called NGate (aka NFSkate) targeting customers of Polish banks to plunder card details via Near Field Communication (NFC) relay attacks. Links to the malicious apps are distributed via phishing emails or SMS messages that purport to come from the banks and warn recipients of a technical problem or a security incident, thereby nudging them into installing the app.
Upon launching the app in question, the victim is prompted to verify their payment card directly within the app by tapping it on the back of the Android device. However, doing so causes the app to stealthily capture the card's NFC data and exfiltrate it to an attacker-controlled server, or directly to a companion app installed by the threat actor who wants to withdraw cash from an ATM.
"The campaign is designed to enable unauthorized cash withdrawals at ATMs using victims' own payment cards," the agency said. "Criminals do not physically steal the card; they relay the card's NFC traffic from the victim's Android phone to a device the attacker controls at an ATM."

Category: The Hacker News. Tags: Android, Fantasy, Hackers, Hub, Malware, Service, Telegram, Trojan, Turns
