Cybersecurity researchers have disclosed details of a new Android remote access trojan (RAT) called Fantasy Hub that’s sold on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model.
According to its seller, the malware enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos, as well as intercept, reply, and delete incoming notifications.
“It’s a MaaS product with seller documentation, videos, and a bot-driven subscription model that helps novice attackers by providing a low barrier to entry,” Zimperium researcher Vishnu Pratapagiri said in a report last week.
“Because it targets financial workflows (fake windows for banks) and abuses the SMS handler role (for intercepting 2-factor SMS), it poses a direct threat to enterprise customers using BYOD and to any organization whose employees rely on mobile banking or sensitive mobile apps.”
The threat actor, in their advertisement for Fantasy Hub, refers to victims as “mammoths,” a term often used by Telegram-based cybercriminals operating out of Russia.
Customers of the e-crime solution receive instructions related to creating fake Google Play Store landing pages for distribution, as well as the steps to bypass restrictions. Prospective buyers can choose the icon, name, and page they wish to receive a slick-looking page.
The bot, which manages paid subscriptions and builder access, is also designed to let threat actors upload any APK file to the service and return a trojanized version with the malicious payload embedded into it. The service is available for one user (i.e., one active session) for a weekly price of $200 or for $500 per month. Users can also opt for a yearly subscription that costs $4,500.
The command-and-control (C2) panel associated with the malware provides details about the compromised devices, along with information about the subscription status itself. The panel also offers the attackers the ability to issue commands to collect various kinds of data.
“Sellers instruct buyers to create a bot, capture the chat ID, and configure tokens to route general and high-priority alerts to separate chats,” Zimperium said. “This design closely mirrors HyperRat, an Android RAT that was detailed last month.”
As for the malware, it abuses the default SMS privileges like ClayRAT to obtain access to SMS messages, contacts, camera, and files. By prompting the user to set it as the default SMS handling app, it allows the malicious program to obtain multiple powerful permissions in one go rather than having to ask for individual permissions at runtime.
The dropper apps have been found to masquerade as a Google Play update to lend it a veneer of legitimacy and trick users into granting it the necessary permissions. Besides using fake overlays to obtain banking credentials associated with Russian financial institutions such as Alfa, PSB, T-Bank, and Sberbank, the spyware relies on an open-source project to stream camera and microphone content in real-time over WebRTC.
“The rapid rise of Malware-as-a-Service (MaaS) operations like Fantasy Hub shows how easily attackers can weaponize legitimate Android components to achieve full device compromise,” Pratapagiri said. “Unlike older banking trojans that rely solely on overlays, Fantasy Hub integrates native droppers, WebRTC-based live streaming, and abuse of the SMS handler role to exfiltrate data and impersonate legitimate apps in real time.”
The disclosure comes as Zscaler ThreatLabz revealed that Android malware transactions increased by 67% year-over-year, driven by sophisticated spyware and banking trojans. As many as 239 malicious applications have been flagged on the Google Play Store, with the apps being downloaded 42 million times collectively between June 2024 and May 2025.
Some of the noteworthy Android malware families observed during the time period were Anatsa (aka TeaBot and Toddler), Void (aka Vo1d), and a never-before-seen Android RAT dubbed Xnotice that has targeted job seekers in the oil and gas sector in the Middle East and North African regions by passing off as job application apps distributed via fake employment portals.
Once installed, the malware steals banking credentials through overlays, and collects other sensitive data like multi-factor authentication (MFA) codes, SMS messages, and screenshots.
“Threat actors deploy sophisticated banking trojans like Anatsa, ERMAC, and TrickMo, which often masquerade as legitimate utilities or productivity apps on both official and third-party app stores,” the company said. “Once installed, they use highly deceptive techniques to capture usernames, passwords, and even the two-factor authentication (2FA) codes needed to authorize transactions.”
The findings also follow an advisory from CERT Polska about new samples of Android malware called NGate (aka NFSkate) targeting users of Polish banks to plunder card details via Near Field Communication (NFC) relay attacks. Links to the malicious apps are distributed via phishing emails or SMS messages that purport to come from the banks and warn recipients of a technical problem or a security incident, thereby nudging them into installing the app.
Upon launching the app in question, the victim is prompted to verify their payment card directly within the app by tapping it on the back of the Android device. However, doing so causes the app to stealthily capture the card’s NFC data and exfiltrate it to an attacker-controlled server, or directly to a companion app installed by the threat actor who wants to withdraw cash from an ATM.
“The campaign is designed to enable unauthorized cash withdrawals at ATMs using victims’ own payment cards,” the agency said. “Criminals don’t physically steal the card; they relay the card’s NFC traffic from the victim’s Android phone to a device the attacker controls at an ATM.”
