Malware-as-a-Service Model Lowers Barriers for Attackers
Cybersecurity researchers have disclosed a new Android Remote Access Trojan (RAT) called Fantasy Hub, which is being distributed to criminals as a subscription service. It is sold on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model, which lowers the technical barrier for attackers with minimal expertise.
According to reports, Fantasy Hub turns any app into spyware, poses as a Google Play Store update, hijacks SMS messages to steal two-factor authentication (2FA) codes, and streams camera and microphone feeds in real time via WebRTC. The spyware gives its operators the ability to read 2FA messages, gain access to bank accounts, and watch devices live.
Fantasy Hub Facilitates Creation of Fake Google Play Store Pages
According to its seller, the malware enables device control and espionage, granting threat actors access to SMS messages, contacts, call logs, images, and videos. It can also intercept, reply to, and delete incoming notifications. Like ClayRAT, the malware abuses the default SMS handler role to gain access to sensitive data and device functions. By prompting the user to set it as the default SMS app, the malicious program obtains several powerful permissions at once, rather than having to request them individually at runtime.

Criminals who subscribe to this e-crime solution receive instructions on how to create fake Google Play Store landing pages for distribution and guidance on bypassing restrictions. Prospective buyers can customize the icon, name, and page to create a sophisticated-looking fake store. The service handles paid subscriptions and builder access. It is designed so that threat actors can upload any APK file to the service and receive a trojanized version with the malware integrated. The service is available for a weekly price of $200, a monthly price of $500, or an annual subscription costing $4,500.
The command-and-control (C2) panel associated with the malware provides detailed information about compromised devices and subscription statuses. It also allows attackers to issue commands for data collection.
Targeting Mobile Banking Users and Sophisticated Attack Methods
The dropper apps have been observed posing as legitimate Google Play updates, thereby gaining user trust and tricking victims into granting the required permissions. The malware then uses fake overlays to steal banking credentials for Russian financial institutions, including Alfa, PSB, T-Bank, and Sberbank. Fantasy Hub combines native droppers, WebRTC-based live streaming, and abuse of the SMS handler role to steal data and impersonate legitimate applications in real time.
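The two traits described above (claiming the default SMS handler role and holding camera, microphone or overlay permissions) can be checked statically from an app's manifest. The following triage script is an added example written for this article, not code from Zimperium or from the malware; the sample manifest it parses is constructed and is not a real Fantasy Hub artifact.

```python
# Added triage heuristic: flag an Android manifest that declares the components
# Android requires of a default SMS handler AND requests camera, microphone or
# overlay permissions, the combination this article describes.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # android: attribute namespace

# Actions a default SMS app must handle (plus SENDTO for an sms/mms scheme, checked below)
SMS_ROLE_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}
# Permissions that enable live surveillance and credential-stealing overlays
SPY_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

def has_sms_sendto(root):
    """True if some intent-filter handles SENDTO for an sms/smsto/mms/mmsto scheme."""
    for f in root.iter("intent-filter"):
        actions = {a.get(A + "name") for a in f.findall("action")}
        schemes = {d.get(A + "scheme") for d in f.findall("data")}
        if "android.intent.action.SENDTO" in actions and schemes & {"sms", "smsto", "mms", "mmsto"}:
            return True
    return False

def triage(manifest_xml):
    root = ET.fromstring(manifest_xml)
    actions = {a.get(A + "name") for a in root.iter("action")}
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    sms_role = SMS_ROLE_ACTIONS <= actions and has_sms_sendto(root)
    spy = sorted(perms & SPY_PERMISSIONS)
    return {"package": root.get("package"), "sms_role": sms_role,
            "spy_permissions": spy, "suspicious": sms_role and bool(spy)}

# Constructed sample manifest (hypothetical package name, not a real sample)
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.playupdate">
 <uses-permission android:name="android.permission.CAMERA"/>
 <uses-permission android:name="android.permission.RECORD_AUDIO"/>
 <application>
  <receiver><intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
  <receiver><intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
  <activity><intent-filter><action android:name="android.intent.action.SENDTO"/><data android:scheme="smsto"/></intent-filter></activity>
  <service><intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
 </application>
</manifest>"""
```

A legitimate messaging app will also match the SMS-role check, so the result is a triage signal for BYOD app inventories, not a verdict on its own.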
According to Zimperium researcher Vishnu Pratapagiri, this spyware poses a direct threat to enterprise customers utilizing Bring Your Own Device (BYOD) policies. Organizations whose employees rely on mobile banking or sensitive mobile applications are particularly at risk.
This development follows Zscaler ThreatLabz's revelation that threat actors are employing sophisticated banking trojans, such as Anatsa, ERMAC, and TrickMo. These malicious applications often masquerade as genuine utilities or productivity apps, appearing in both official and third-party app stores. Once installed, they utilize stealthy methods to acquire usernames, passwords, and two-factor authentication (2FA) codes necessary for transaction completion.
Furthermore, CERT Polska has warned about new instances of Android malware named NGate, which attempts to steal card data from Polish bank customers through Near Field Communication (NFC) relay attacks. When a victim opens the targeted app, they are prompted to authenticate their payment card by tapping it on the back of their Android device. The app then discreetly collects the card's NFC data and relays it to an attacker-controlled server, or directly to a companion app on a device held by a threat actor who uses it to withdraw cash from an ATM.
Reports indicate that transactions involving Android malware have increased by 67% annually, driven by advanced spyware and banking trojans. Approximately 239 malicious apps have been identified on the Google Play Store, with these apps accumulating a total of 42 million downloads between June 2024 and May 2025.