Fantasy Hub: Another Russian Based RAT as M-a-a-S

zLabs discovered “Fantasy Hub,” an Android Remote Access Trojan sold as Malware‑as‑a‑Service, complete with documentation, a builder bot, and instructions for creating fake Google Play pages that deliver the spyware and present phishing windows targeting banks. The malware abuses the default SMS handler role, uses a native dropper, streams live audio and video over WebRTC, and has been observed targeting institutions including Alfa, PSB, Tbank, and Sber.

Key points

  • Fantasy Hub is sold on Russian-language channels as a subscription MaaS with a Telegram bot that manages subscriptions, builders, and a dropper append feature.
  • The malware exfiltrates SMS, contacts, call logs, images, videos, and can intercept, reply to, and delete notifications; it also supports live audio/video streaming via WebRTC.
  • Sellers provide step‑by‑step instructions and videos on creating counterfeit Google Play pages and fake banking apps to phish credentials for banks such as Alfa, PSB, Tbank, and Sber.
  • Technical evasion includes a native dropper in metamask_loader that decrypts and decompresses an encrypted payload (metadata.dat) at runtime using XOR + gzip to reduce static indicators.
  • The campaign abuses the Android default SMS handler role to obtain broad messaging and related permissions in a single authorization, facilitating SMS interception and 2FA bypass.
  • Malware can generate multiple launcher icons via activity-alias to masquerade as different banking apps and load permissive WebViews with JavaScript bridges to capture credentials.
  • Zimperium highlights on-device behavioral detection (MTD/zDefend) as an effective countermeasure to detect Fantasy Hub droppers at install time without cloud lookups.
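The default-SMS-handler abuse, the extra launcher icons created through activity-alias, and the exfiltration capabilities listed in the key points all leave traces in an APK's manifest. The script below is an added example (not Zimperium's or the malware author's code) that performs a static triage of a decoded AndroidManifest.xml, as produced by apktool, for exactly those traces; the sample manifest it runs on is constructed for illustration, and the scoring thresholds are this example's own choice.

```python
"""Static triage of a decoded AndroidManifest.xml for the indicators
described in the key points: default-SMS-handler plumbing, several
launcher icons created through activity-alias, and the permission set
the described exfiltration needs.  Added example, not Zimperium's code;
the sample manifest below is constructed."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute prefix

# Intent actions a default SMS app must handle (per the Android SDK docs);
# a manifest declaring them is positioned to request the SMS role in one prompt.
SMS_ROLE_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}
# Permissions consistent with SMS, contact, call-log and audio/video exfiltration.
SPYWARE_PERMS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
}
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def _actions(component):
    """All intent actions a manifest component registers for."""
    return {a.get(A + "name") for f in component.findall("intent-filter")
            for a in f.findall("action")}


def _is_launcher(component):
    """True if the component gets its own home-screen icon."""
    return any(c.get(A + "name") == "android.intent.category.LAUNCHER"
               for f in component.findall("intent-filter")
               for c in f.findall("category"))


def triage_manifest(xml_text):
    """Return findings plus a heuristic score; a score >= 3 is flagged."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {p.get(A + "name") for p in root.findall("uses-permission")}
    sms_role = set()
    for comp in app.findall("receiver") + app.findall("service"):
        sms_role |= _actions(comp) & SMS_ROLE_ACTIONS
    launcher_aliases = [al.get(A + "label") or al.get(A + "name")
                        for al in app.findall("activity-alias") if _is_launcher(al)]
    notif_listener = any(s.get(A + "permission") == NOTIF_LISTENER_PERM
                         for s in app.findall("service"))
    findings = {
        "spyware_permissions": sorted(perms & SPYWARE_PERMS),
        "sms_role_actions": sorted(sms_role),
        "launcher_aliases": launcher_aliases,
        "notification_listener": notif_listener,
    }
    score = ((2 if len(findings["spyware_permissions"]) >= 4 else 0)
             + (2 if sms_role else 0)
             + (1 if len(launcher_aliases) >= 2 else 0)
             + (1 if notif_listener else 0))
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 3 else "no strong indicators"
    return findings


# Constructed manifest showing the described pattern (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.playupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Play Update">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity-alias android:name=".BankA" android:label="Bank A" android:targetActivity=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity-alias>
    <activity-alias android:name=".BankB" android:label="Bank B" android:targetActivity=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/><category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity-alias>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A single SMS_DELIVER receiver is not malicious on its own (every legitimate messaging app declares one); the weight comes from the combination with multiple launcher aliases, a notification listener, and the camera/microphone/call-log permission set, which a messaging app has no reason to request together.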

MITRE Techniques

  • [T1660] Phishing – Adversaries host external phishing sites to download malicious APKs. Quote: ‘Adversaries host external phishing sites to download malicious APKs’
  • [T1624.001] Event Triggered Execution: Broadcast Receivers – It creates a broadcast receiver to receive SMS events and outgoing calls. Quote: ‘It creates a broadcast receiver to receive SMS events and outgoing calls’
  • [T1655.001] Masquerading: Match Legitimate Name or Location – The malware payload impersonates the Google Play icon as an extension. Quote: ‘Malware payload is impersonating Google Play icon as an extension’
  • [T1426] System Information Discovery – It gets device info such as device name, Android version etc. Quote: ‘It gets device info such as device name, Android version etc’
  • [T1636.004] Protected User Data: SMS Messages – It exfiltrates user SMS messages and sends them to the server. Quote: ‘It exfiltrates user SMS messages and sends it to server’
  • [T1636.002] Protected User Data: Call Log – Malware steals call logs. Quote: ‘Malware steals call logs’
  • [T1636.003] Protected User Data: Contact List – Malware steals contacts. Quote: ‘Malware steals contacts’
  • [T1409] Stored Application Data – Gets the list of installed apps from the victim’s device. Quote: ‘Gets list of installed apps from the victim’s device’
  • [T1437.001] Application Layer Protocol: Web Protocols – Uses HTTP to communicate with C&C servers. Quote: ‘Uses HTTP protocol to communicate with C&C servers.’
  • [T1616] Call Control – Attackers can make calls from the victim’s device. Quote: ‘Attackers can make call from victim’s device’
  • [T1646] Exfiltration Over C2 Channel – Sends exfiltrated data over the C&C channel. Quote: ‘Sending exfiltrated data over C&C server.’
  • [T1582] SMS Control – It can read SMS messages. Quote: ‘It can read SMS messages.’

Indicators of Compromise

  • [File Names] Malware components and assets – metadata.dat (encrypted payload in assets), metamask_loader library (native dropper).
  • [Domains/IPs] C2 download endpoints – examples cited in communications to download libs (captured in Burp); specific domains are not listed in this summary, the full report contains the URLs.
  • [Application Artifacts] Phishing APK and fake store pages – Telegram-clone phishing APK with fabricated reviews, Google Play Update‑masquerading APK.
  • [Commands/Capabilities] Behavior indicators – use of WebRTC libraries downloaded at runtime, requests for the default SMS handler role, and activity-alias entries creating multiple launcher icons.
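The encrypted metadata.dat asset named above is decrypted and decompressed by the native dropper with XOR followed by gzip, which is why the packed asset carries few static indicators. For an analyst who wants the inner payload without running the sample, the following added example (not Zimperium's or the malware's code) recovers a gzip stream hidden under repeating-key XOR by using the fixed gzip header bytes as known plaintext. The page does not describe the key scheme, so the assumption that the key is a short repeating XOR key (length up to 4 here) is this example's own; the sample blob is constructed in the script rather than taken from any real file.

```python
"""Recover a gzip-compressed payload hidden under repeating-key XOR, the
XOR + gzip scheme attributed above to the native dropper.  Added example,
not Zimperium's code.  Assumption (not from the page): the key is a short
repeating XOR key, so the fixed gzip header serves as known plaintext.
The sample blob standing in for metadata.dat is constructed."""
import gzip
import zlib
from typing import Optional, Tuple

GZIP_HEADER = b"\x1f\x8b\x08\x00"   # ID1, ID2, CM=deflate, FLG=0: known plaintext
PAYLOAD_MAGIC = {b"dex\n": "dex", b"PK\x03\x04": "zip/apk", b"\x7fELF": "elf"}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (symmetric: used for both packing and unpacking)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, max_key_len: int = 4) -> Optional[bytes]:
    """Derive candidate keys from the known gzip header, keep the one that
    inflates cleanly (gzip's CRC check rules out accidental matches)."""
    for key_len in range(1, max_key_len + 1):
        key = xor_bytes(blob[:key_len], GZIP_HEADER[:key_len])
        try:
            gzip.decompress(xor_bytes(blob, key))
        except (OSError, EOFError, zlib.error):  # BadGzipFile is an OSError
            continue
        return key
    return None


def unpack_payload(blob: bytes, key: Optional[bytes] = None) -> Tuple[bytes, str, bytes]:
    """Return (plaintext, detected type, key) for a packed blob."""
    key = key or recover_key(blob)
    if key is None:
        raise ValueError("no repeating XOR key of length <= 4 yields valid gzip")
    plain = gzip.decompress(xor_bytes(blob, key))
    kind = next((name for magic, name in PAYLOAD_MAGIC.items()
                 if plain.startswith(magic)), "unknown")
    return plain, kind, key


def build_sample(key: bytes) -> bytes:
    """Constructed stand-in for metadata.dat: a fake DEX header plus filler,
    gzip-compressed and then XOR-ed with the given key."""
    fake_dex = b"dex\n035\x00" + bytes(range(256)) * 2
    return xor_bytes(gzip.compress(fake_dex, mtime=0), key)


if __name__ == "__main__":
    blob = build_sample(b"\x5a\xa5\x3c")          # constructed 3-byte key
    plain, kind, key = unpack_payload(blob)
    print(f"key={key.hex()} type={kind} size={len(plain)} bytes")
```

In practice the asset is read straight out of the APK (assets/metadata.dat) and passed to unpack_payload; a "dex" or "zip/apk" result is the second-stage module to hash and analyse, and a failure to recover a key means the real scheme differs from the repeating-XOR assumption and the native loader itself needs to be inspected for the key derivation.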

Read more: https://zimperium.com/blog/fantasy-hub-another-russian-based-rat-as-m-a-a-s