Russian-speaking threat actors are selling a full-featured Android Remote Access Trojan through underground channels, offering it to other criminals as a subscription service.
The malware, identified as Fantasy Hub, enables attackers to conduct widespread surveillance operations on compromised mobile devices, stealing sensitive communications and personal information from unsuspecting users.
The spyware’s capabilities extend far beyond basic data theft, providing attackers with tools to intercept two-factor authentication messages, access banking credentials, and perform real-time device monitoring.
Fantasy Hub operates under a Malware-as-a-Service model, significantly lowering the technical barriers for attackers with minimal expertise.
Threat actors advertise the malware on Russian-language channels and include links to a Telegram bot that manages subscriptions and provides access to the malware builder.
The operators refer to victims and their compromised devices as "mammoths," the usual slang for marks in Russian-speaking fraud communities, and lure them in through a social engineering ecosystem that combines phishing with the technical capabilities of the implant.
Attackers receive complete documentation, including video tutorials, on deploying the malware and bypassing security restrictions.
Zimperium security researchers identified Fantasy Hub’s sophisticated infrastructure, which includes a Russian-language command and control panel and comprehensive operational guides for attackers.
The malware’s targeting strategy specifically focuses on financial institutions such as Alfa, PSB, Tbank, and Sber, where operators deploy fake login windows to capture banking credentials.
This financial focus underscores the serious threat posed to enterprise environments where employees use mobile banking or sensitive applications on personal devices.
Technical Evasion Mechanisms
Fantasy Hub layers several evasion measures to hinder static analysis and keep the real payload out of sight.
Its dropper is a native library, metamask_loader, which at runtime decrypts an encrypted asset named metadata.dat and loads the payload it contains.
The decryption routine XORs the asset against a fixed, repeating 36-byte key and then gzip-decompresses the result with zlib.
Because the payload sits on disk as XOR-scrambled compressed data, almost none of the indicators a signature-based antivirus would match (strings, class names, C2 URLs) are visible until the loader runs.
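To make the unpacking concrete, the script below models the two-stage scheme just described as an added example; it is not code from this page, from Zimperium, or from the malware. The 36-byte key, the payload and the helper names are assumptions constructed for illustration (the real sample's key is not published here), so the point is the shape of the routine: undo a repeating-key XOR, confirm the gzip magic appears, then inflate. It also shows why static indicators disappear, and that the fixed gzip header gives an analyst the first three key bytes for free.

```python
"""Added example, not code from the page, from Zimperium, or from the malware.

Models the two-stage unpacking of the dropper's asset described above:
stage 1 reverses a repeating-key XOR with a fixed 36-byte key, stage 2
gzip-inflates the result. Key, payload and names are constructed.
"""
import gzip
import itertools
import zlib

KEY_LEN = 36
# Constructed 36-byte key (assumption: the real dropper's key is not on the page).
EXAMPLE_KEY = bytes(range(0x41, 0x41 + KEY_LEN))

GZIP_MAGIC = b"\x1f\x8b"


def xor_repeating_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, cycling the key every len(key) bytes."""
    if len(key) == 0:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def looks_like_xor_gzip(blob: bytes, key: bytes) -> bool:
    """Cheap plausibility check for a key hypothesis: after XOR, the stream
    must start with the gzip magic and the deflate method byte (0x08)."""
    head = xor_repeating_key(blob[:3], key)
    return head[:2] == GZIP_MAGIC and head[2:3] == b"\x08"


def unpack_asset(blob: bytes, key: bytes) -> bytes:
    """Stage 1: undo the XOR. Stage 2: gzip-inflate via zlib (wbits 16+15
    selects gzip framing). Refuses to feed garbage to zlib on a wrong key."""
    if not looks_like_xor_gzip(blob, key):
        raise ValueError("no gzip header after XOR: wrong key or wrong offset")
    return zlib.decompress(xor_repeating_key(blob, key), 16 + zlib.MAX_WBITS)


def pack_asset(payload: bytes, key: bytes) -> bytes:
    """Inverse of unpack_asset, i.e. what a builder would do. Used here only to
    create an offline test fixture; mtime=0 keeps the output deterministic."""
    return xor_repeating_key(gzip.compress(payload, mtime=0), key)


def recover_key_prefix(blob: bytes) -> bytes:
    """Known-plaintext trick: the first three gzip header bytes are fixed
    (1f 8b 08), so XORing them against the blob yields the first three key
    bytes. The remaining bytes still have to come from the native loader."""
    known = GZIP_MAGIC + b"\x08"
    return xor_repeating_key(blob[:len(known)], known)


# Constructed payload standing in for the decrypted second stage: repeated so
# that deflate actually compresses it, and carrying a string an AV rule might match.
SAMPLE_PAYLOAD = b"classes.dex placeholder: contact C2 at http://c2.invalid/gate\n" * 20


def demo() -> dict:
    """Round-trip the constructed payload and report which indicators survive packing."""
    blob = pack_asset(SAMPLE_PAYLOAD, EXAMPLE_KEY)
    recovered = unpack_asset(blob, EXAMPLE_KEY)
    return {
        "roundtrip_ok": recovered == SAMPLE_PAYLOAD,
        "indicator_in_payload": b"http://c2.invalid" in SAMPLE_PAYLOAD,
        "indicator_in_blob": b"http://c2.invalid" in blob,
        "key_prefix_ok": recover_key_prefix(blob) == EXAMPLE_KEY[:3],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a real sample the 36-byte key has to be lifted from the native library (the XOR loop in the disassembly usually makes the key table obvious); `looks_like_xor_gzip` is the quick way to confirm a candidate key and offset before spending time on the inflated output.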
The malware also abuses the default SMS handler role, as ClayRat spyware does: by asking the user once to make it the default messaging app, it collects in a single prompt a bundle of sensitive access (the article lists contacts, camera and file access alongside SMS) that would otherwise require a series of separate permission requests. On Android 10 and later, `adb shell cmd role get-role-holders android.app.role.SMS` shows which package currently holds that role; anything other than the stock messaging app deserves a look.
The dropper presents itself as a Google Play update to lower suspicion, and recent samples check for a rooted device and stop if they find one, a common way to avoid rooted test phones and dynamic-analysis sandboxes.
Additionally, Fantasy Hub integrates WebRTC for establishing live audio and video streaming channels, enabling real-time surveillance capabilities that significantly expand the attacker’s reconnaissance potential beyond traditional data exfiltration methods.