Cybersecurity researchers have disclosed details of an Android remote access trojan (RAT) called Fantasy Hub that is being offered on Russian‑speaking Telegram channels under a Malware‑as‑a‑Service model, according to a report by Zimperium researcher Vishnu Pratapagiri.
The seller advertises the malware as capable of full device control and espionage, including collecting SMS messages, contacts, call logs, images and video, and intercepting, replying to and deleting incoming notifications. Zimperium researchers say Fantasy Hub targets financial workflows and abuses the SMS handler role to intercept two‑factor authentication messages, creating a risk for organisations using bring‑your‑own‑device policies and employees who rely on mobile banking.
In its advertising, the threat actor refers to victims with a term commonly seen in Russian‑language cybercrime channels. Customers receive instructions for creating fake Google Play Store landing pages and bypassing restrictions, and a bot manages paid subscriptions and access to a builder that can embed malicious payloads into uploaded APKs. The service is offered for one active user session at prices of $200 per week, $500 per month or $4,500 per year. Its command‑and‑control panel shows details of compromised devices and subscription status and allows operators to issue commands; Zimperium says the design closely mirrors HyperRat.
Technically, the malware abuses default SMS privileges in a manner similar to ClayRAT, prompting users to set it as the default SMS app to obtain multiple powerful permissions at once. Dropper apps have been observed masquerading as a Google Play update and using fake overlays to capture banking credentials for several Russian banks, and the spyware reportedly uses an open‑source WebRTC project to stream camera and microphone content in real time.
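For defenders triaging sideloaded apps, the SMS-handler abuse described above leaves a visible trace in the manifest: Android only offers an app as a default SMS candidate if it declares four specific components. The following is an added example, not code from Zimperium's report; it assumes the manifest has already been decoded to text XML (for instance by apktool), and the package name and sample manifest are constructed. Legitimate messaging apps declare the same components, so the result is a triage signal to weigh against the app's stated purpose.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
# Components Android requires before an app is eligible as the default SMS app:
# (component tag, intent action, permission that must guard the component)
REQUIRED = [
    ("receiver", "android.provider.Telephony.SMS_DELIVER", "android.permission.BROADCAST_SMS"),
    ("receiver", "android.provider.Telephony.WAP_PUSH_DELIVER", "android.permission.BROADCAST_WAP_PUSH"),
    ("service", "android.intent.action.RESPOND_VIA_MESSAGE", "android.permission.SEND_RESPOND_VIA_MESSAGE"),
    ("activity", "android.intent.action.SENDTO", None),
]
SURVEILLANCE = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"}

def audit_manifest(xml_text):
    """Report whether a decoded manifest can claim the SMS role and what else it asks for."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    comps = list(app) if app is not None else []
    found = []
    for tag, action, perm in REQUIRED:
        for comp in comps:
            actions = {a.get(A + "name") for a in comp.iter("action")}
            guarded = perm is None or comp.get(A + "permission") == perm
            if comp.tag == tag and action in actions and guarded:
                found.append(action)
                break
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    return {"package": root.get("package"),
            "sms_role_capable": len(found) == len(REQUIRED),
            "sms_components": found,
            "surveillance_permissions": sorted(perms & SURVEILLANCE)}

# Constructed sample: an "updater" that is SMS-role capable and requests camera and microphone.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.updater">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name=".S" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".M" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <service android:name=".R" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
    <activity android:name=".C">
      <intent-filter><action android:name="android.intent.action.SENDTO"/><data android:scheme="smsto"/></intent-filter></activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```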
Pratapagiri said the emergence of MaaS operations such as Fantasy Hub demonstrates how legitimate Android components can be weaponised to achieve full device compromise, combining native droppers, live streaming and SMS‑handler abuse instead of relying solely on overlay techniques. Separately, Zscaler ThreatLabz reported a 67% year‑on‑year increase in Android malware transactions and said 239 malicious applications were flagged on the Google Play Store, with about 42 million cumulative downloads between June 2024 and May 2025.
Researchers and industry trackers have also observed other Android banking trojans and RATs in recent months, including Anatsa (aka TeaBot/Toddler), Void (Vo1d), a newly reported RAT called Xnotice, and families such as ERMAC and TrickMo. CERT Polska has additionally published an advisory about samples of Android malware named NGate (aka NFSkate) that use NFC relay techniques to capture payment card data and enable unauthorised ATM withdrawals.

