Scams, Hacks & Breaches | November 16, 2025

New Malware Targeting Android Users’ Bank Accounts Through Fake Google Play Pages: Zimperium

By Alex Richardson

A newly identified threat to Android users dubbed “Fantasy Hub” is spreading, according to research from the security firm Zimperium.

Sold on Russian-speaking channels, the toolkit is distributed as a Malware-as-a-Service (MaaS) offering. It provides full remote access capabilities and enables attackers with minimal technical expertise to deploy sophisticated espionage and bank login theft campaigns.

The malware is being marketed with seller documentation, video tutorials, Telegram bots for subscription management, and instructions to help attackers embed their fake apps in official-looking storefronts, including counterfeit Google Play pages.

Fantasy Hub has already been observed targeting major Russian banks, including Alfa, PSB, Tbank and Sber.

Zimperium’s analysis shows Fantasy Hub offers a broad suite of malicious features, including exfiltration of SMS messages, contacts, call logs, and images/videos. It can reply to notifications and delete them, stream audio and video via WebRTC, and drop disguised payloads that masquerade as system updates to make installation stealthier.

In these campaigns, the malware uses fake application windows or overlays that mimic authentic banking apps to phish for credentials and card data. The seller also provides video instructions showing how to customize fake app windows with PIN/password fields for more convincing credential harvesting.

Because it abuses default SMS handler permissions, it can intercept two-factor authentication messages, ensure persistence, and compromise entire devices. For enterprises and mobile banking consumers, Zimperium says the new malware means that the risk of mobile devices being an attack vector for credential theft has significantly increased.
