Security researchers at Zimperium have uncovered a sophisticated Android Remote Access Trojan (RAT) called “Fantasy Hub,” distributed through Russian-language cybercriminal channels as a Malware-as-a-Service (MaaS) subscription offering.
The malware poses a significant threat to enterprise users and organizations that employ bring-your-own-device (BYOD) policies, as it combines advanced evasion techniques with comprehensive device espionage capabilities targeting financial institutions.
Fantasy Hub operates through a well-established criminal infrastructure, with operators advertising the malware’s capabilities on Telegram alongside a subscription-based bot that manages access and provides a dropper service.
Threat actors can upload their own Android applications (APKs), and the service returns repackaged versions with the Fantasy Hub payload embedded.
The subscription model dramatically lowers the barrier to entry for less-sophisticated attackers, enabling widespread deployment across multiple targets.
Advanced Evasion and Exploitation Techniques
The malware employs a native dropper embedded in the metamask_loader library, which decrypts the metadata.dat asset using a custom XOR routine with a fixed 36-byte key pattern.
After decryption, gzip decompression reveals the payload, which is executed at runtime to reduce static indicators that antivirus solutions typically detect.
A hazardous feature involves the abuse of SMS handler privileges. By acquiring the SMS handler role, Fantasy Hub gains unified access to multiple powerful permissions, including contacts, camera, and file access, without requiring individual user approvals for each capability.
This technique mirrors the ClayRat Android spyware but extends exploitation further. The malware masquerades as a Google Play Update to reduce user suspicion while requesting default SMS permissions, and recent samples incorporate root-detection and installation-environment checks to evade dynamic analysis tools.
The malware leverages WebRTC for live audio and video streaming to command-and-control servers via silent connections. While streaming, a discrete “Live stream active” message appears, maintaining camera and microphone access until the connection terminates.
The necessary WebRTC libraries are downloaded directly from the C2 infrastructure on demand.
Financial Targeting and Distribution Strategy
Fantasy Hub’s developers have specifically configured phishing functionality targeting major Russian financial institutions, including Alfa, PSB, Tbank, and Sber.
The malware creates fake banking application windows via activity-alias entries, generating multiple launcher icons that point to a single compromised component.
When activated, these icons display permissive WebView instances containing phishing pages with JavaScript bridges, enabling credential theft.
The seller provides comprehensive documentation, including instructional videos demonstrating how to create customized banking windows with tailored PIN, password, and card details fields.
Distribution occurs through fraudulent Google Play Store pages meticulously crafted to appear legitimate. Threat actors follow seller-provided instructions to clone popular applications like Telegram, complete with fabricated reviews designed to deceive casual users.
The malware’s ability to intercept, reply to, and delete SMS messages poses a direct threat to two-factor authentication mechanisms.
Fantasy Hub exemplifies the evolving MaaS landscape, combining social engineering sophistication with deep system-level control.
Organizations must implement advanced mobile threat defense solutions providing on-device behavioral detection to identify and mitigate Fantasy Hub and similar dropper variants before they compromise sensitive data or financial credentials.
Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates
.){kind=link}