
Cybersecurity researchers have revealed details of a new Android remote access Trojan (RAT) called Fantasy Hub that is marketed on Russian-speaking Telegram channels based on a Malware-as-a-Service (MaaS) model.
According to the seller, the malware allows control and espionage of the device, allowing attackers to collect SMS messages, contacts, call logs, images, and videos, as well as intercept, reply to, and delete incoming notifications.
“This is a MaaS product with seller documentation, videos, and a bot-driven subscription model that lowers the barrier to entry and helps novice attackers,” Zimperium researcher Vishnu Pratapagiri said in a report last week.
“Because it targets financial workflows (fake bank tellers) and abuses the role of SMS handlers (to intercept two-factor SMS), it poses a direct threat to enterprise customers using BYOD and organizations whose employees rely on mobile banking or sensitive mobile apps.”
The threat actor refers to their victims as “mammoths” in Fantasy Hub ads, a term often used by Telegram-based cybercriminals operating outside of Russia.
Customers of the crimeware service receive instructions on creating a fake Google Play Store landing page for distribution, along with steps to circumvent platform restrictions. Buyers can choose the icon, name, and page appearance they want.

The bot, which manages paid subscriptions and access to the builder, lets threat actors upload arbitrary APK files to the service and returns a trojanized version carrying the malicious payload. The service costs $200 per week or $500 per month for one user (i.e., one active session); an annual subscription is also offered for $4,500.
The command and control (C2) panel associated with the malware displays details about the compromised device, as well as information about the subscription status itself. This panel also provides the attacker with the ability to issue commands to collect various types of data.
“The seller instructs the buyer to create a bot, obtain a chat ID, and configure a token that routes general and high-priority alerts to different chats,” Zimperium said. “This design closely mirrors HyperRat, the Android RAT detailed last month.”
This malware, like ClayRAT, abuses the default SMS handler role to gain access to SMS messages, contacts, camera, and files. By asking users to set it as their default SMS app, the malware obtains several powerful permissions at once instead of requesting each one individually at runtime.
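A defender-side triage check for the SMS-handler abuse described above, added here as an example (not code from Zimperium or from the malware): it parses a decoded AndroidManifest.xml, tests whether the app declares the four components Android requires before it can be offered the default SMS handler role, and flags it when that eligibility is combined with permissions a messaging app has no reason to hold. The sample manifest and the `NON_MESSAGING_PERMS` threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Android offers the default SMS handler role only to an app declaring all
# four: SMS_DELIVER receiver, WAP_PUSH_DELIVER receiver, SENDTO activity,
# RESPOND_VIA_MESSAGE service. Being eligible is what lets one prompt grant
# SMS/MMS access in bulk.
SMS_ROLE_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.SENDTO",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}
# Permissions a messaging app has no reason to hold; with the SMS role they
# match the spyware profile described above (camera, mic, overlays).
NON_MESSAGING_PERMS = {
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}
def triage(manifest_xml):
    # Works on a decoded AndroidManifest.xml (e.g. apktool output).
    root = ET.fromstring(manifest_xml)
    actions = {a.get(ANDROID + "name") for a in root.iter("action")}
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    eligible = SMS_ROLE_ACTIONS <= actions
    extras = sorted(perms & NON_MESSAGING_PERMS)
    return {"sms_handler_eligible": eligible, "non_messaging_perms": extras,
            "suspicious": eligible and len(extras) >= 2}

# Constructed sample manifest (not a real Fantasy Hub artifact): a fake
# "Play update" that is SMS-handler eligible and also wants camera/mic/overlay.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.playupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".SmsRx"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsRx"><intent-filter>
      <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <activity android:name=".Compose"><intent-filter>
      <action android:name="android.intent.action.SENDTO"/></intent-filter></activity>
    <service android:name=".Respond"><intent-filter>
      <action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
  </application>
</manifest>"""
```

Run `triage(SAMPLE_MANIFEST)` on the sample to get a verdict dictionary; a real messaging app will typically be eligible but carry none of the non-messaging permissions.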

Dropper apps have been found to pose as Google Play updates to appear legitimate and trick users into granting the necessary permissions. In addition to using fake overlays to harvest banking credentials for Russian financial institutions such as Alfa, PSB, T-Bank, and Sberbank, the spyware relies on open source projects to stream camera and microphone content in real time via WebRTC.
“The rapid rise of Malware-as-a-Service (MaaS) operations like Fantasy Hub shows how easily attackers can weaponize legitimate Android components and compromise entire devices,” Pratapagiri said. “Unlike older banking Trojans that rely solely on overlays, Fantasy Hub integrates native droppers, WebRTC-based live streaming, and SMS handler role exploitation to steal data and impersonate legitimate apps in real-time.”
The disclosure comes after Zscaler ThreatLabz revealed that sophisticated spyware and banking trojans led to a 67% year-over-year increase in Android malware transactions. As many as 239 malicious applications were reported in the Google Play Store, and these applications were downloaded a total of 42 million times between June 2024 and May 2025.
Notable Android malware families observed during this period included Anatsa (also known as TeaBot and Toddler), Void (also known as Vo1d), and a previously undocumented Android RAT called Xnotice that targeted job seekers in the oil and gas sector in the Middle East and North Africa region under the guise of job search apps distributed via fake employment portals.
Once installed, the malware steals banking credentials through an overlay and collects other sensitive data such as multi-factor authentication (MFA) codes, SMS messages, and screenshots.

“Threat actors often deploy sophisticated banking Trojans, such as Anatsa, ERMAC, and TrickMo, in both official and third-party app stores disguised as legitimate utilities and productivity apps,” the company said. “Once installed, they use highly deceptive techniques to capture usernames, passwords, and even two-factor authentication (2FA) codes needed to authorize transactions.”
This finding also follows CERT Polska’s advisory regarding a new sample of Android malware called NGate (also known as NFSkate) that targets users of Polish banks and steals card information via near-field communication (NFC) relay attacks. Links to malicious apps are distributed through phishing emails and SMS messages purporting to come from banks, warning recipients about technical issues or security incidents, and enticing them to install the app.
Upon launching the malicious app, victims are asked to confirm their payment card directly within the app by tapping it against the back of their Android device. In doing so, the app secretly captures the card’s NFC data and relays it either to an attacker-controlled server or directly to a companion app installed on a device the attacker uses to withdraw cash from an ATM.
“This campaign aims to allow victims to fraudulently withdraw cash from ATMs using their own payment cards,” the agency said. “Rather than physically stealing the card, the criminal relays the card’s NFC traffic from the victim’s Android phone to a device the attacker controls at the ATM.”
