Executive Summary
zLabs identified “Fantasy Hub,” an Android Remote Access Trojan sold on Russian-language channels under a Malware-as-a-Service (MaaS) subscription. The developer promotes its broad capabilities for device control and espionage, including the exfiltration of SMS messages, contacts and call logs, and the bulk theft of images and videos. The malware can also intercept, reply to, and delete incoming notifications, among other features.
The spyware is promoted online, with details of all its capabilities, and includes a link to the bot at the end of the advertisement. Threat actors receive instructions on how to create fake Google Play pages and bypass restrictions, making the malware more difficult to detect.
The malware has also been observed targeting financial institutions such as Alfa, PSB, Tbank, and Sber. In these instances, threat actors deploy fake windows to illicitly obtain banking credentials. The malware seller even provides instructions, including a video, on how to create a fake application with customized themes.
Why this Matters
Fantasy Hub is not a one-off commodity kit: it’s a MaaS product with seller documentation, videos, and a bot-driven subscription model that lowers the barrier to entry for novice attackers. Because it targets financial workflows (fake windows for banks) and abuses the SMS handler role (to intercept two-factor codes delivered over SMS), it poses a direct threat to enterprise customers using BYOD and to any organization whose employees rely on mobile banking or sensitive mobile apps.
Advertisement from the Seller
The threat actor has advertised its core functionalities online, referring to its victims as "mammoths." Notable capabilities include advanced phishing techniques targeting banks, live video and audio streaming via WebRTC, and the ability to photograph victims.
Operators based in Russia advertise Fantasy Hub as an Android RAT offered via a MaaS model (Figure 1).

Fig. 1: Advertisement from the seller
Distribution Method: Highly Crafted Google Play Store Pages
The seller's instruction page outlines the steps (Figure 2) for creating a counterfeit Google Play Store page.

Fig. 2: Steps, provided over Telegram, for creating a phishing page
Buyers choose the icon, name, and page they wish to impersonate and receive a page built to match. We identified multiple phishing pages, including a Telegram clone with fabricated reviews (Figure 3) designed to appear legitimate to casual users.
Fig. 3: Telegram phishing page along with fake reviews
Fantasy Hub: The Art of Social Engineering and its Subscription Method
Official ads enumerate features and direct buyers to a Telegram bot that manages paid subscriptions and builder access (Figures 4–5). The bot’s “Dropper” option lets buyers upload any APK and returns a version with the Fantasy Hub dropper appended.

Fig. 4: Various options in the bot

Fig. 5: Subscription plan rates
Russian Language Command and Control Panel
The command and control panel displays various details, including the remaining subscription time, online/offline device status (Figure 6), and device-specific information.
This information includes the device's brand and model, the time of the last status update, and the user ID to which the device is assigned.
If the panel can automatically determine the device's phone number, it appears in the corresponding slot: Slot 0 represents SIM 1 and Slot 1 represents SIM 2.

Fig. 6: C2 panel with different device information
Telegram Integration to Receive Notifications
Telegram integration is documented: sellers instruct buyers to create a bot, capture the chat ID, and configure tokens (Figure 7) to route general and high-priority alerts to separate chats. This design closely mirrors HyperRat, an Android RAT that was detailed last month.

Fig. 7: Sellers guiding attackers through creating Telegram channels to receive notifications
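The Telegram routing described above gives defenders a network-side signal: a managed phone posting to the Telegram Bot API (`api.telegram.org/bot<token>/<method>`) is a bot, not a chat client, and the token and chat_id in those requests are reusable IOCs. The script below is an added example, not code from the zLabs post or from Fantasy Hub; it scans constructed proxy log lines for Bot API calls, extracts the token as a blockable indicator, and clusters devices by the chat_id they report to. The log format, IPs and tokens are all invented for the demo.

```python
"""Flag Telegram Bot API traffic in egress proxy logs (added example; all sample data is constructed)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Shape of Telegram's documented Bot API endpoint: https://api.telegram.org/bot<token>/<method>
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)

# Constructed proxy lines in the form "<timestamp> <client-ip> <verb> <url> <status>".
# The tokens and chat ids are placeholders, not indicators from the real campaign.
SAMPLE_LOG = """\
2025-11-03T08:12:01Z 10.20.5.17 POST https://api.telegram.org/bot1234567890:PLACEHOLDER_TOKEN_aaaaaaaaaaa/sendMessage?chat_id=111&text=SMS 200
2025-11-03T08:12:02Z 10.20.5.17 GET https://www.example.com/index.html 200
2025-11-03T08:12:05Z 10.20.5.17 POST https://api.telegram.org/bot1234567890:PLACEHOLDER_TOKEN_aaaaaaaaaaa/sendMessage?chat_id=222&text=BANK 200
2025-11-03T08:13:10Z 10.20.5.44 POST https://api.telegram.org/bot9876543210:PLACEHOLDER_TOKEN_bbbbbbbbbbb/sendMessage?chat_id=111&text=SMS 200
"""


def parse_line(line: str):
    """Return a hit dict for a Bot API request, or None for any other line."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, client, verb, url, status = parts[:5]
    m = BOT_API_RE.match(url)
    if not m:
        return None
    query = parse_qs(urlsplit(url).query)
    return {
        "ts": ts,
        "client": client,
        "token": m.group("token"),
        "method": m.group("method"),
        "chat_id": query.get("chat_id", [None])[0],
    }


def find_bot_traffic(log_text: str):
    """All Bot API hits in a log, in file order."""
    return [h for h in (parse_line(l) for l in log_text.splitlines()) if h]


def token_iocs(hits):
    """Distinct bot tokens seen; each one can be blocked or reported to Telegram."""
    return sorted({h["token"] for h in hits})


def cluster_by_chat(hits):
    """Group source devices by destination chat_id: devices feeding one chat share an operator."""
    clusters = defaultdict(set)
    for h in hits:
        if h["chat_id"]:
            clusters[h["chat_id"]].add(h["client"])
    return {chat: sorted(devs) for chat, devs in clusters.items()}


if __name__ == "__main__":
    hits = find_bot_traffic(SAMPLE_LOG)
    print("tokens:", token_iocs(hits))
    print("devices per chat:", cluster_by_chat(hits))
```

This only works where the proxy sees full URLs, i.e. with TLS inspection; without it you still get the SNI `api.telegram.org`, which is enough to alert on Bot API use from mobile clients that have no business running bots, but not enough to recover the token.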
Victim’s Device Management
The threat actors provide a comprehensive guide to every command available on the compromised device, complete with clear descriptions and usage instructions.
The figure below shows the various command tools, such as SMS, Contacts, Calls and Push Notifications (Figure 8), among many others.

Fig. 8: Command tools to operate on victim’s device
Technical Analysis
A prominent evasion tactic involves a native dropper embedded within the metamask_loader library.
This library, at runtime, accesses and decrypts an encrypted asset named metadata.dat (Figure 9).

Fig. 9: Malware loading the encrypted file from its assets
The decryption process uses a custom XOR routine (Figure 10) based on a fixed 36-byte key pattern. Following decryption, the bytes are decompressed with gzip (zlib with windowBits=31) and the resulting payload is written to disk.
This approach reduces static indicators: the payload sits encrypted inside the assets and is only decoded in native code at runtime.

Fig. 10: Decryption routine used by the spyware
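For an analyst who has pulled `metadata.dat` and the key out of the native library, the unpacking chain above (repeating-key XOR, then gzip inflate with windowBits=31) is a few lines of Python. The script below is an added example, not code from the post or from the malware. The post does not publish the actual key, so `KEY` is a constructed 36-byte placeholder; `build_sample` exists only to manufacture a test asset the way such a packer would, and the point to take away is the gzip magic check between XOR and inflate, which tells you immediately whether the key you recovered is right.

```python
"""Unpack an XOR+gzip wrapped asset (added example; key and payload are constructed placeholders)."""
import gzip
import hashlib
import zlib

# Placeholder 36-byte key: NOT the key from the sample, substitute the one recovered from the .so
KEY = bytes(range(0x41, 0x41 + 36))


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: byte i is combined with key[i % len(key)]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_gzip(data: bytes) -> bool:
    """Sanity check before inflating: a gzip member starts with 1f 8b and method 08 (deflate)."""
    return data[:3] == b"\x1f\x8b\x08"


def unpack_asset(blob: bytes, key: bytes) -> bytes:
    """XOR the asset, verify the result is gzip, then inflate it with windowBits=31 (gzip wrapper)."""
    plain = xor_with_key(blob, key)
    if not looks_like_gzip(plain):
        raise ValueError("XOR output is not a gzip stream: wrong key or a different packer")
    d = zlib.decompressobj(31)  # 31 = 15-bit window + gzip header/trailer, as in the write-up
    out = d.decompress(plain) + d.flush()
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return out


def build_sample(payload: bytes, key: bytes) -> bytes:
    """Construct a test asset the way the packer would: gzip first, then XOR (demo only)."""
    return xor_with_key(gzip.compress(payload, mtime=0), key)


# Constructed stand-in for the dropped payload; a real one would be a DEX/APK, here just bytes
FAKE_PAYLOAD = b"PK\x03\x04" + b"\x00" * 60 + b"constructed stand-in for the dropped payload"


def demo():
    """Round-trip the constructed asset and return (payload_recovered, sha256 of the output)."""
    blob = build_sample(FAKE_PAYLOAD, KEY)
    recovered = unpack_asset(blob, KEY)
    return recovered == FAKE_PAYLOAD, hashlib.sha256(recovered).hexdigest()


if __name__ == "__main__":
    ok, digest = demo()
    print("recovered:", ok, "sha256:", digest)
```

Hashing the inflated output is what you want for IOC sharing, since the on-disk `metadata.dat` hash changes with every rebuild while the inner payload often does not.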
One Permission To Rule: Abusing Default SMS Privileges
Like the ClayRat Android spyware, this malware exploits default SMS privileges. By obtaining the SMS handler role, the malware gains extensive access to SMS content and messaging functions, which lets it read, store, and forward large volumes of text messages. Unlike individual runtime permissions, which require separate approval for each capability, the SMS handler role bundles multiple powerful permissions (Contacts, Camera, Files access) into a single authorization step.
The dropper masquerades as a Google Play update (Figure 11), which lowers suspicion. Recent samples show the payload checking the installation environment, including root detection, to evade dynamic analysis tools.
Fig. 11: From the fake Google Play update to the request for default SMS handler permission
Use of WebRTC for Live Audio/Video Streaming
This spyware uses WebRTC, an open-source real-time communication framework intended for live video and audio streaming. The malware uses it to stream camera and microphone content in real time to the C2 over a silent connection.
While streaming, a small “Live stream active” message is shown so that the system keeps the process alive. Once streaming stops, the malware turns off the camera and microphone and closes the connection. To set this up, the malware downloads the required libraries (Figure 12) from the command and control server.

Fig. 12: Burp Suite capture of the malware downloading additional libraries
Phishing Windows to Target Financial Institutions
A notable feature of the malware is its ability to deploy pre-built or custom phishing windows targeting various banks. It focuses primarily on institutions such as Alfa, PSB, Tbank, and Sber. The vendors also state that attackers can create additional custom windows, allowing them to target a broader range of financial institutions.
The malware uses activity-alias entries to generate numerous launcher icons and labels that all point to a single component. This lets one APK masquerade as several banking applications (one example in Figure 13).
When any of these icons is tapped, a permissive WebView opens and displays a phishing page.
The page exposes a JavaScript bridge and runtime customization options (title and icon) to tailor the user interface. The stolen credentials are then exfiltrated to the Command and Control (C2) server.
The seller's advertisement video demonstrates the entire process, including the setup of a new custom window (Figure 14) with custom PIN, password and card detail fields.

Fig. 13: Alfa-Bank fake window on the victim's screen to steal credentials

Fig. 14: Seller describing how to create a custom window with PIN, password and other fields
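Both the SMS-role abuse described earlier and the activity-alias fan-out described here leave footprints in the AndroidManifest, which makes them cheap to triage at scale before any dynamic analysis. The script below is an added example written for this page, not code from zLabs or from the malware. It checks whether a decoded manifest declares all four component types Android requires of a default SMS app (an SMS_DELIVER receiver, a WAP_PUSH_DELIVER receiver, a SENDTO activity and a RESPOND_VIA_MESSAGE service) and counts launcher-visible activity-alias entries per target activity. The sample manifest, package name and component names are constructed for the demo; the action strings are the standard Android ones.

```python
"""Manifest triage: default-SMS-app eligibility and launcher alias fan-out (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Intent actions a default SMS app must handle, grouped by the component type that must declare them.
SMS_ROLE_REQUIREMENTS = {
    "receiver": {"android.provider.Telephony.SMS_DELIVER", "android.provider.Telephony.WAP_PUSH_DELIVER"},
    "activity": {"android.intent.action.SENDTO"},
    "service": {"android.intent.action.RESPOND_VIA_MESSAGE"},
}

# Constructed manifest: one real activity, two launcher aliases posing as banks, plus the SMS-role set.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <application android:label="Update">
    <activity android:name=".MainActivity"/>
    <activity-alias android:name=".AliasBankA" android:label="Bank A" android:targetActivity=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <activity-alias android:name=".AliasBankB" android:label="Bank B" android:targetActivity=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <activity android:name=".ComposeActivity">
      <intent-filter>
        <action android:name="android.intent.action.SENDTO"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <data android:scheme="sms"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter>
        <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/>
        <data android:mimeType="application/vnd.wap.mms-message"/>
      </intent-filter>
    </receiver>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>
"""


def actions_by_component(root):
    """Map component kind -> set of intent-filter actions declared under components of that kind."""
    app = root.find("application")
    found = {kind: set() for kind in SMS_ROLE_REQUIREMENTS}
    for kind in found:
        for comp in app.findall(kind):
            for action in comp.iter("action"):
                found[kind].add(action.get(ANDROID + "name"))
    return found


def sms_role_eligible(root):
    """Return (eligible, missing) where missing lists required actions absent per component kind."""
    found = actions_by_component(root)
    missing = {kind: req - found[kind] for kind, req in SMS_ROLE_REQUIREMENTS.items()}
    return all(not m for m in missing.values()), missing


def launcher_alias_fanout(root):
    """Count launcher-visible activity-alias entries per targetActivity."""
    app = root.find("application")
    fan = Counter()
    for alias in app.findall("activity-alias"):
        categories = {c.get(ANDROID + "name") for c in alias.iter("category")}
        if "android.intent.category.LAUNCHER" in categories:
            fan[alias.get(ANDROID + "targetActivity")] += 1
    return dict(fan)


def triage(manifest_xml: str):
    """Summarise the two indicators for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    eligible, missing = sms_role_eligible(root)
    fan = launcher_alias_fanout(root)
    flags = []
    if eligible:
        flags.append("declares every component needed to become the default SMS app")
    for target, n in fan.items():
        if n >= 2:
            flags.append(f"{n} launcher aliases point at {target}")
    return {"sms_role_eligible": eligible, "missing": missing, "alias_fanout": fan, "flags": flags}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Neither indicator is malicious on its own: a genuine messaging app declares the SMS-role set, and some launchers ship a handful of icon aliases. The combination in an app that presents itself as a "Google Play update", together with `BIND_NOTIFICATION_LISTENER_SERVICE` or camera permissions, is what deserves an analyst's attention. Run it against the manifest produced by `apktool d` or any other decoder that gives you the plain XML.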
Zimperium vs Fantasy Hub
The rapid rise of Malware-as-a-Service (MaaS) operations like Fantasy Hub shows how easily attackers can weaponize legitimate Android components to achieve full device compromise. Unlike older banking trojans that rely solely on overlays, Fantasy Hub integrates native droppers, WebRTC-based live streaming, and abuse of the SMS handler role to exfiltrate data and impersonate legitimate apps in real time. This blend of social engineering and deep-system control makes it especially dangerous in BYOD and consumer-facing environments where app-store trust is assumed.
Zimperium’s Mobile Threat Defense (MTD) and Mobile Runtime Protection (zDefend) provide on-device, behavioral detection that identifies Fantasy Hub and similar droppers the moment they are installed, without requiring a cloud lookup. Our dynamic detection engine provides zero-day protection even as threat actors repackage and resell the same core toolkit under new brands. As MaaS offerings continue to evolve, enterprises must treat every mobile device as a potential entry point.
Zimperium’s mission is to stay ahead of these campaigns, providing continuous, on-device defense against both current and future iterations of Android remote-access and espionage malware.
Complete List of Commands Used by the Malware
The table below lists the commands used by the malware, with their functions and the capabilities they enable on compromised devices.
| Command | Description |
|---|---|
| addContact | Adds a contact on the device |
| getContacts | Steals contacts from the victim’s phone |
| app_restart | Halts the C2 and restarts it after 1.2 seconds |
| createImagesZip | Creates a zip archive of images |
| replyToNotification | Replies to a notification |
| deleteNotification | Deletes a notification |
| deleteZipArchive | Deletes a specific zip file entry recorded in SharedPreferences |
| downloadMediaFile | Downloads media files from the victim’s device |
| executeCommand | Executes either USSD codes or phone calls silently, using a specific SIM card on the victim’s device |
| getCallLogs | Exfiltrates call logs and sends them to the C2 |
| getDeviceInfo | Sends all device info, such as IP and brand, to the C2 |
| getMediaFiles | Sends media files such as videos and photos to the server |
| sendSms | Sends SMS from the device |
| getSystemInfo | Service that receives intents and forwards harvested data to a remote dispatcher |
| getZipArchivesList | Retrieves the list of stored zip archives |
| requestSystemAsset | Starts a local service to capture/stream the requested sensor media (with the specified sensor and quality) |
| webrtc_stream | Sets up a WebRTC peer connection on Android that captures camera (front/back) and microphone streams |
| selfDestruct | Kill switch for the malware: marks the app as permanently disabled, cancels alarms and background tasks, stops all running services, disables receivers and components, and wipes app data |
| sendLocalFile | Fetches a local file and sends it to the C2 |
| sendUssdWithChoice | Allows the app to initiate USSD requests, dialing special service codes on behalf of the user |
| setInvisibleIntercept | Intercepts device activity by saving invisible_intercept_enabled in SharedPreferences |
| startDeviceStateMonitoring | Samples sensors (accelerometer, gyro, light, proximity), infers device posture/state (hand/table/pocket, motion, screen on/off), and periodically broadcasts those state updates to the server |
| stopSystemAsset | Stops the device stream |
MITRE ATT&CK Techniques
| Tactic | ID | Name | Description |
|---|---|---|---|
| Initial Access | | Phishing | Adversaries host external phishing sites to download malicious APKs |
| Persistence | | Event Triggered Execution: Broadcast Receivers | Creates a broadcast receiver to receive SMS events and outgoing calls |
| Defense Evasion | | Masquerading: Match Legitimate Name or Location | The malware payload impersonates the Google Play icon as an extension |
| Discovery | | System Information Discovery | Gets device info such as device name, Android version, etc. |
| Collection | | Protected User Data: SMS Messages | Exfiltrates user SMS messages and sends them to the server |
| Collection | | Protected User Data: Call Log | Steals call logs |
| Collection | | Protected User Data: Contact List | Steals contacts |
| Collection | | Stored Application Data | Gets the list of installed apps from the victim’s device |
| Command and Control | | Application Layer Protocol: Web Protocols | Uses HTTP to communicate with C&C servers |
| Command and Control | | Call Control | Attackers can make calls from the victim’s device |
| Exfiltration | | Exfiltration Over C2 Channel | Sends exfiltrated data over the C&C channel |
| Impact | | SMS Control | Can read SMS messages |
| Impact | | Call Control | TAs can make calls from the victim’s device |
Indicators of Compromise
The full list of IOCs can be found in this repository.