Android Bankers: 4 Campaigns In A Row

zLabs identified a surge in Android banking trojan activity across four distinct campaigns—RecruitRat, SaferRat, Astrinox, and Massiv—targeting over 800 banking, cryptocurrency, and social media applications using sophisticated C2 frameworks and multi-stage payloads. These families employ APK structural tampering, encrypted payloads, Accessibility and MediaProjection abuses, overlay attacks, and environment-aware checks to steal credentials, intercept 2FA, exfiltrate screens, and maintain persistence. #RecruitRat #Astrinox

Keypoints

  • Zimperium zLabs tracked four active Android banking trojan campaigns—RecruitRat, SaferRat, Astrinox (also identified as Mirax), and Massiv—targeting over 800 applications across banking, crypto, and social media verticals.
  • Threat actors use diverse social engineering lures (fake recruitment sites, streaming offers, fake store/update UIs, smishing) to deliver malicious APK droppers that stage secondary encrypted payloads.
  • Malware families use multi-stage installation via the Session Installation API, overlays and Accessibility Service abuse to auto-grant dangerous permissions and block uninstall attempts for persistence.
  • Advanced evasion includes ZIP-level APK tampering, encrypted strings and payloads (AES/GCM, Base64 segments), DexClassLoader runtime loading, and environment checks to detect rooted/sandboxed devices.
  • Credential theft techniques include phishing overlays, fake lock screens, Accessibility-based keylogging and clipboard/notification interception, plus real-time screen exfiltration via MediaProjection/VNC.
  • C2 communication leverages HTTPS, WebSockets, and custom encryption (e.g., RC4) to blend traffic, deliver commands (e.g., injectZip, enable_anti_delete), and exfiltrate harvested data to centralized attacker dashboards.

MITRE Techniques

  • [T1660] Phishing – Threat actors host phishing websites and fraudulent domains to lure victims into downloading APKs (‘Threat actors use fraudulent domains meticulously crafted to mimic legitimate e-stores or services.’).
  • [T1624.001] Event Triggered Execution: Broadcast Receivers – Malware registers broadcast receivers that react to SMS and other events to trigger automated actions (‘Creates a broadcast receiver to receive SMS events’).
  • [T1626.001] Abuse Elevation Control Mechanism: Device Administrator Permissions – Uses device administrator capabilities to perform resets, disable the lock screen, and monitor login attempts (‘Factory reset, reset PIN/password, disable lockscreen, monitor login attempts’).
  • [T1422] System Network Configuration Discovery – Gathers device network identifiers and the public IP for profiling (‘Gathers IMSI/IMEI, interfaces, and public IP’).
  • [T1655.001] Masquerading: Match Legitimate Name or Location – Malware impersonates legitimate apps and system UIs (e.g., a fake Play Store, pretending to be Chrome) to reduce user suspicion (‘Pretends to be Chrome and other legit apps’).
  • [T1629.002] Device Lockout – Uses DevicePolicyManager.lockNow() and opaque overlays to lock users out while performing malicious actions (‘Locks device using DevicePolicyManager.lockNow()’).
  • [T1516] Input Injection – Simulates user interactions, gestures, and automated navigation to authorize permissions or block uninstall attempts (‘Mimics user interaction and gestures’).
  • [T1406.002] Obfuscated Files or Information – Employs packers/obfuscation and encrypted strings to hide code and hinder static analysis (‘Uses packers (JSONPacker) to conceal code’).
  • [T1453] Abuse Accessibility Features – Leverages Accessibility Services to harvest data, perform keylogging, auto-grant permissions, and intercept interactions (‘Uses accessibility to gain access’).
  • [T1517] Access Notifications – Intercepts SMS and notification content (OTP/2FA) for credential theft (‘Intercepts OTPs and sensitive notifications’).
  • [T1414] Clipboard Data – Extracts clipboard contents to capture copied credentials or tokens (‘Extracts clipboard data’).
  • [T1417.001] Keylogging – Captures keystrokes and input fields via Accessibility APIs to harvest credentials (‘Captures keystrokes’).
  • [T1417.002] GUI Input Capture – Captures visible UI and input fields via overlays and Accessibility monitoring to steal credentials (‘Captures visible UI’).
  • [T1430] Location Tracking – Collects location data as part of victim profiling and reconnaissance (‘Tracks victim location’).
  • [T1418] Software Discovery – Enumerates installed applications using PackageManager and intent queries to identify high-value targets (‘Collects installed apps’).
  • [T1421] Network Connections Discovery – Enumerates network connections for environment profiling (‘Lists network connections’).
  • [T1426] System Information Discovery – Collects device identifiers and system information (IMSI/IMEI) for fingerprinting (‘Collects device info’).
  • [T1513] Screen Capture – Uses MediaProjection to record or stream the screen for real-time observation (‘Records screen content’).
  • [T1533] Data from Local System – Accesses local files such as photos or cached files for exfiltration (‘Accesses device photos’).
  • [T1512] Capture Camera – Takes pictures via the camera for additional reconnaissance (‘Takes pictures’).
  • [T1429] Audio Capture – Records audio from the device for surveillance (‘Records audio’).
  • [T1616] Call Control – Makes or blocks calls to facilitate fraud or persistence (‘Makes calls’).
  • [T1636.002] Call Log – Exfiltrates call history from the device (‘Steals call logs’).
  • [T1636.003] Contact List – Exports contact lists for broader targeting and phishing (‘Exports contacts’).
  • [T1636.004] SMS Messages – Steals SMS messages, including OTPs and verification codes (‘Steals SMS messages’).
  • [T1637] Dynamic Resolution – Retrieves payload/C2 endpoints dynamically to avoid static indicators (‘Gets payload endpoint dynamically’).
  • [T1481.002] WebSocket C2 – Uses WebSocket connections for persistent full-duplex C2 communication, as observed in Astrinox (‘Uses websocket to receive commands’).
  • [T1646] Exfiltration Over C2 – Sends stolen data to attacker-controlled C2 infrastructure (‘Sends data via C2 server’).
  • [T1582] SMS Control – Reads and sends SMS messages to intercept or forward OTPs (‘Reads and sends SMS’).

Indicators of Compromise

  • [Domain] Distribution and phishing infrastructure – xhire[.]cc (Astrinox phishing domain), fraudulent recruitment/streaming domains and other phishing sites.
  • [Class Name] In-app artifacts used to cluster families – com.example.safeservice (SaferRat) and metadata identifiers used to name Astrinox/Mirax.
  • [File/Path] Embedded payload locations and tampering – hidden payloads staged in res/ or assets/ directories, manipulated AndroidManifest.xml and abnormally long ZIP entries.
  • [C2 Commands] Remote control instructions observed in samples – examples: enable_anti_delete, injectZip, BotAddInfo (and other commands referenced in the repository).
  • [Network/Protocol] Command & Control indicators – HTTPS endpoints, WebSocket connections (Astrinox), and RC4-encrypted traffic / BotID handshakes used by RecruitRat.
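As an added defender-side example (not code from the Zimperium report or from any of the malware families), the following Python scans an APK's ZIP structure for the file-level indicators listed above: abnormally long entry names, DEX or nested ZIP payloads hidden under res/ or assets/, and a missing or non-binary AndroidManifest.xml. The name-length threshold and the in-memory sample archive are constructed assumptions for the demonstration.

```python
import io
import zipfile

# Heuristic threshold (constructed assumption, not a value from the report).
MAX_ENTRY_NAME_LEN = 200
DEX_MAGIC = b"dex\n"            # start of a DEX header ("dex\n035\0")
ZIP_MAGIC = b"PK\x03\x04"       # local file header of a nested ZIP/APK
AXML_MAGIC = b"\x03\x00\x08\x00"  # Android binary XML chunk header


def scan_apk(data: bytes) -> list:
    """Return a list of human-readable findings for an APK held in memory."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # ZIP-level tampering often breaks standard parsers outright.
        return ["zip structure unparseable (possible ZIP-level tampering)"]
    with zf:
        names = zf.namelist()
        if "AndroidManifest.xml" not in names:
            findings.append("AndroidManifest.xml missing")
        elif zf.read("AndroidManifest.xml")[:4] != AXML_MAGIC:
            findings.append("AndroidManifest.xml is not binary XML (possibly tampered)")
        for info in zf.infolist():
            name = info.filename
            if len(name) > MAX_ENTRY_NAME_LEN:
                findings.append(f"abnormally long entry name ({len(name)} chars)")
            # Resource directories should hold images/XML, not executable code.
            if name.startswith(("res/", "assets/")):
                head = zf.read(name)[:4]
                if head == DEX_MAGIC:
                    findings.append(f"DEX payload hidden in {name}")
                elif head == ZIP_MAGIC:
                    findings.append(f"ZIP/APK payload hidden in {name}")
    return findings


def build_sample_apk(tampered: bool) -> bytes:
    """Constructed minimal APK-like archive used only to exercise scan_apk()."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", AXML_MAGIC + b"\x00" * 12)
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 8)
        zf.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n")
        if tampered:
            zf.writestr("assets/" + "a" * 300 + ".txt", b"junk")  # oversized name
            zf.writestr("assets/data.bin", DEX_MAGIC + b"035\x00" + b"\x00" * 8)
    return buf.getvalue()
```

Running `scan_apk()` over a real sample only raises heuristics worth a closer look; a clean result does not rule out encrypted payloads loaded via DexClassLoader.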
Read more: https://zimperium.com/blog/android-bankers-4-campaigns-in-a-row