Fantasy Hub RAT Offers Full Android Control for Sale on Telegram Channels

Cybersecurity researchers disclosed details of a new Android remote access trojan (RAT) called Fantasy Hub, and the malware’s seller advertises it on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model.

According to its seller, the malware enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos, as well as intercept, reply, and delete incoming notifications.

“It’s a MaaS product with seller documentation, videos, and a bot-driven subscription model that helps novice attackers by providing a low barrier to entry,” Zimperium researcher Vishnu Pratapagiri said in a report last week.

“Because it targets financial workflows (fake windows for banks) and abuses the SMS handler role (for intercepting 2-factor SMS), it poses a direct threat to enterprise customers using BYOD and to any organization whose employees rely on mobile banking or sensitive mobile apps.”

In their advertisement for Fantasy Hub, the threat actor refers to victims as “mammoths,” a term that Telegram-based cybercriminals operating out of Russia often use.

Moreover, the e-crime service provides customers with instructions on how to create fake Google Play Store landing pages for distribution, along with the steps required to bypass installation restrictions. Prospective buyers can pick the icon, app name, and page template they want, producing a slick-looking landing page with little effort.

The bot manages paid subscriptions and builder access, and it also lets threat actors upload any APK file to the service and return a trojanized version that contains the malicious payload. The service targets individual users (one active session) and costs $200 weekly or $500 per month; alternatively, buyers can opt for a yearly subscription priced at $4,500.

The malware’s command-and-control (C2) panel shows details about compromised devices and the status of the buyer’s subscription. In addition, the panel enables attackers to issue commands that collect various kinds of data.

“Sellers instruct buyers to create a bot, capture the chat ID, and configure tokens to route general and high-priority alerts to separate chats,” Zimperium said. “This design closely mirrors HyperRat, an Android RAT that was detailed last month.”

The Malware

Regarding capabilities, the malware, like ClayRAT, abuses the default SMS handler role to access SMS messages, contacts, the camera, and files. By prompting users to set it as the default SMS handling app, the malware obtains multiple powerful permissions at once rather than asking for each permission individually at runtime.
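A defender-side check that follows from this: on managed devices, audit which package currently holds the SMS role and flag anything that is not a known messaging app. The snippet below is an added example, not code from Zimperium or the article; it assumes the `dumpsys role`-style text (role name followed by a `holders:` line) and the allowlist and package names are constructed for illustration.

```python
import re

# Constructed allowlist of messaging apps expected to hold the SMS role on the fleet
KNOWN_SMS_APPS = {
    "com.google.android.apps.messaging",
    "com.samsung.android.messaging",
}

# Matches Android-style package names such as com.example.app
PKG_RE = re.compile(r"\b([a-z][a-z0-9_]*(?:\.[a-z0-9_]+)+)\b")


def parse_role_holders(role_dump, role="android.app.role.SMS"):
    """Return the packages listed as holders of `role` in a role dump.

    The parser is deliberately tolerant: it looks for a line naming the role,
    then collects package-like tokens from the following 'holders:' line.
    Multiple users on the device yield multiple holders.
    """
    holders = []
    in_role = False
    for line in role_dump.splitlines():
        s = line.strip()
        if s.startswith("android.app.role."):
            in_role = s.startswith(role)   # enter/leave the section of interest
            continue
        if in_role and s.startswith("holders:"):
            holders.extend(PKG_RE.findall(s[len("holders:"):]))
    return holders


def audit_default_sms(role_dump, allowlist=KNOWN_SMS_APPS):
    """Return SMS-role holders that are not on the allowlist (suspect apps)."""
    return [p for p in parse_role_holders(role_dump) if p not in allowlist]


# Constructed sample dump: user 0 is clean, user 10 has an unexpected SMS handler
SAMPLE_ROLE_DUMP = """\
RoleManagerService
  User 0:
    android.app.role.DIALER:
      holders: com.google.android.dialer
    android.app.role.SMS:
      holders: com.google.android.apps.messaging
  User 10:
    android.app.role.SMS:
      holders: com.update.playservices
"""

if __name__ == "__main__":
    for pkg in audit_default_sms(SAMPLE_ROLE_DUMP):
        print("unexpected default SMS handler:", pkg)
```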

The dropper apps masquerade as a Google Play update to lend the operation a veneer of legitimacy and to trick users into granting the necessary permissions. In addition to using fake overlays to capture banking credentials associated with Russian financial institutions such as Alfa, PSB, T-Bank, and Sberbank, the spyware relies on an open-source project to stream camera and microphone content in real time over WebRTC.

“The rapid rise of Malware-as-a-Service (MaaS) operations like Fantasy Hub shows how easily attackers can weaponize legitimate Android components to achieve full device compromise,” Pratapagiri said. “Unlike older banking trojans that rely solely on overlays, Fantasy Hub integrates native droppers, WebRTC-based live streaming, and abuse of the SMS handler role to exfiltrate data and impersonate legitimate apps in real time.”

Zscaler ThreatLabz revealed that Android malware transactions increased by 67% year-over-year, and the company reported 239 malicious applications on the Google Play Store that users downloaded 42 million times collectively between June 2024 and May 2025.

Researchers observed several noteworthy Android malware families during that period, including Anatsa (aka TeaBot and Toddler), Void (aka Vo1d), and a previously unseen Android RAT dubbed Xnotice, which targeted job seekers in the oil and gas sector across the Middle East and North Africa by masquerading as job-application apps distributed via fake employment portals.

Once installed, these malicious apps steal banking credentials through overlays and collect other sensitive data such as multi-factor authentication (MFA) codes, SMS messages, and screenshots.

“Threat actors deploy sophisticated banking trojans like Anatsa, ERMAC, and TrickMo, which often masquerade as legitimate utilities or productivity apps on both official and third-party app stores,” the company said. “Once installed, they use highly deceptive techniques to capture usernames, passwords, and even the two-factor authentication (2FA) codes needed to authorize transactions.”

More Malware on Android

CERT Polska also issued an advisory about new Android malware samples called NGate (aka NFSkate) that target Polish bank users and aim to plunder card details via Near Field Communication (NFC) relay attacks. Attackers distribute links to the malicious apps through phishing emails or SMS messages that impersonate bank alerts and warn recipients of a technical problem or a security incident, thereby tricking them into installing the app.

When victims launch the malicious app, the app prompts them to verify their payment card directly within the app by tapping it on the back of the Android device. However, that action lets the app stealthily capture the card’s NFC data and exfiltrate it to an attacker-controlled server or directly to a companion app the threat actor installs to withdraw cash from an ATM.

“The campaign is designed to enable unauthorized cash withdrawals at ATMs using victims’ own payment cards,” the agency said. “Criminals don’t physically steal the card; they relay the card’s NFC traffic from the victim’s Android phone to a device the attacker controls at an ATM.”

Source: TheHackerNews
