Fantasy Hub: New Android RAT Leverages Telegram for MaaS Operations

Security researchers discovered “Fantasy Hub,” a new Android remote access trojan (RAT) operating as a Malware-as-a-Service (MaaS) platform. Criminals distribute Fantasy Hub through Russian-speaking Telegram channels.

This trend shows cybercriminals using instant messaging to sell and distribute malicious tools, which lowers the barrier for novice attackers. Zimperium researchers, led by Vishnu Pratapagiri, detailed Fantasy Hub’s comprehensive device control and espionage capabilities. The RAT poses a significant threat to mobile users and enterprise environments.

Fantasy Hub gives attackers extensive control over infected devices. It can collect sensitive user data, exfiltrating SMS messages, contacts, call logs, images, and videos. The RAT also intercepts, replies to, and deletes incoming notifications, letting threat actors maintain stealth and manipulate user interactions undetected.

Fantasy Hub operates as a MaaS model. It provides buyers with instructions to create fake Google Play Store landing pages to distribute trojanized APK files. A bot-driven subscription model manages access: users upload a legitimate application file, and the service returns a version embedded with the malicious payload. The actors offer this service for $200 per week for one active session or $500 per month, making advanced cyber capabilities accessible. Threat actors call their victims “mammoths,” a term common among Russian Telegram-based cybercriminals, The Hacker News reported.

The malware targets financial workflows, displaying fake banking windows and abusing the SMS handler role to intercept two-factor authentication (2FA) codes. “It’s a MaaS product with seller documentation, videos, and a bot-driven subscription model that helps novice attackers by providing a low barrier to entry,” said Vishnu Pratapagiri, a Zimperium researcher. Pratapagiri added that, because the RAT targets financial workflows and abuses the SMS handler role, Fantasy Hub poses a direct threat to enterprise customers using BYOD and to organizations whose employees rely on mobile banking or other sensitive mobile apps.
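The two capabilities named above, holding the default SMS role and reading notifications, both leave a footprint a defender can audit. The script below is an added example, not code from Zimperium or from the article: it parses the output of two Android shell commands (`adb shell cmd role get-role-holders android.app.role.SMS`, available on Android 10 and later, and `adb shell settings get secure enabled_notification_listeners`) and flags any package outside an allowlist. The sample outputs, the package names and the allowlists are constructed for the example; the exact output format of the role command is an assumption, so the parser accepts both newline- and semicolon-separated lists.

```python
"""Audit which apps hold the default SMS role and notification-listener access.

Added example, not from the article or Zimperium. The two commands are real
Android shell commands; their output format is assumed as documented below.
"""
from dataclasses import dataclass

# Constructed sample: assumed output of
#   adb shell cmd role get-role-holders android.app.role.SMS
# (package names, newline- or semicolon-separated).
SAMPLE_SMS_ROLE_OUTPUT = "com.example.trojanized.messenger\n"

# Constructed sample: assumed output of
#   adb shell settings get secure enabled_notification_listeners
# (colon-separated 'package/Class' components, or 'null' when none).
SAMPLE_LISTENERS_OUTPUT = (
    "com.example.corp.mdm/.ListenerService:"
    "com.example.trojanized.messenger/.NotifSvc"
)

# Constructed allowlists: the SMS app and listener packages the fleet expects.
ALLOWED_SMS_APPS = {"com.google.android.apps.messaging"}
ALLOWED_LISTENER_APPS = {"com.example.corp.mdm"}


@dataclass(frozen=True)
class Finding:
    check: str     # which audit produced the finding
    package: str   # package flagged
    detail: str    # why it matters to a defender


def parse_role_holders(output: str) -> list[str]:
    """Package names from the role-holder command; tolerates ';' or newlines."""
    return [p.strip() for p in output.replace(";", "\n").splitlines() if p.strip()]


def parse_notification_listeners(output: str) -> list[str]:
    """Package names from the enabled_notification_listeners secure setting."""
    output = output.strip()
    if not output or output == "null":
        return []
    return [c.split("/", 1)[0] for c in output.split(":") if c]


def audit(sms_output: str, listeners_output: str,
          allowed_sms: set[str], allowed_listeners: set[str]) -> list[Finding]:
    """Return one Finding per package that holds a sensitive capability
    without being on the corresponding allowlist."""
    findings = []
    for pkg in parse_role_holders(sms_output):
        if pkg not in allowed_sms:
            findings.append(Finding(
                "sms_role", pkg,
                "unexpected default SMS app: can read and suppress 2FA texts"))
    for pkg in parse_notification_listeners(listeners_output):
        if pkg not in allowed_listeners:
            findings.append(Finding(
                "notification_listener", pkg,
                "unexpected notification listener: can read, reply to and "
                "dismiss notifications"))
    return findings


if __name__ == "__main__":
    # Run over the constructed samples; in practice feed real adb output here.
    for f in audit(SAMPLE_SMS_ROLE_OUTPUT, SAMPLE_LISTENERS_OUTPUT,
                   ALLOWED_SMS_APPS, ALLOWED_LISTENER_APPS):
        print(f"[{f.check}] {f.package}: {f.detail}")
```

On a managed fleet the same two values are exposed through the platform's `RoleManager` and notification-access settings, so an MDM agent can collect them directly instead of shelling out; the allowlist comparison is the part that matters.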

Fantasy Hub’s emergence underscores the growing threat of sophisticated MaaS offerings. Organizations should implement robust mobile security measures, educate employees on identifying trojanized applications, and review BYOD policies, especially concerning mobile banking and sensitive app usage.