
Android Malware 'Fantasy Hub' Exploits Telegram for Cybercrime

A new Android remote access trojan (RAT) named Fantasy Hub is being sold as a Malware-as-a-Service (MaaS) on Russian-speaking Telegram channels. This sophisticated malware allows hackers to gain extensive control over infected devices, enabling them to steal sensitive data, intercept communications, and even conduct real-time surveillance. The service lowers the entry barrier for novice attackers, posing a significant threat to individuals and businesses alike.

Key Takeaways

  • Fantasy Hub is an Android RAT offered as a Malware-as-a-Service (MaaS) on Telegram.

  • It allows attackers to steal SMS messages, contacts, call logs, images, videos, and intercept notifications.

  • The malware targets financial workflows by using fake bank login pages and intercepts two-factor authentication SMS messages.

  • It employs advanced evasion techniques, including native droppers and WebRTC for real-time streaming.

  • The service is subscription-based, with weekly, monthly, and yearly options.

Fantasy Hub: A MaaS Operation

Fantasy Hub operates on a Malware-as-a-Service (MaaS) model, making it accessible to less experienced cybercriminals. Threat actors advertise the malware on Telegram, providing customers with comprehensive documentation, video tutorials, and a bot-driven subscription system. This service allows users to create fake Google Play Store landing pages and even upload any APK file to have it trojanized with the malicious payload.

The pricing for Fantasy Hub ranges from $200 per week to $4,500 per year, offering different tiers of access. The command-and-control (C2) panel provides attackers with details about compromised devices and allows them to issue commands for data collection.

Capabilities and Targeting

This Android RAT is designed to exfiltrate a wide range of sensitive information, including SMS messages, contacts, call logs, images, and videos. It can also intercept and manage incoming notifications, posing a direct threat to users relying on mobile banking and sensitive applications. The malware specifically targets financial institutions by presenting fake login windows for banks like Alfa, PSB, T-Bank, and Sberbank, aiming to steal banking credentials.

Fantasy Hub abuses the default SMS handler role to gain extensive permissions, including access to contacts, camera, and files. It often masquerades as a Google Play update to trick users into granting these permissions. Furthermore, it utilizes WebRTC technology to stream camera and microphone content in real-time, enabling live surveillance.

Evasion and Distribution

To avoid detection, Fantasy Hub employs sophisticated evasion techniques. It uses a native dropper embedded within a metamask_loader library, and protects its payload with a two-stage scheme in which the embedded data is XOR-encrypted and gzip-compressed, so the dropper must XOR-decrypt it and then decompress it at runtime. The dropper apps are often disguised as legitimate Google Play updates. Recent samples have also shown root-detection capabilities to evade analysis environments.
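For analysts triaging a dropper of this kind, the following is an added example, not code from the article or from any Fantasy Hub sample: it unwraps a constructed blob layered the way the article describes (gzip, then XOR) and assumes a single-byte XOR key, which it recovers from the two known gzip header bytes before confirming with a full decompression. The key 0x5A and the inner payload are made up for the demo.

```python
import gzip
import zlib
from typing import Optional, Tuple

GZIP_MAGIC = b"\x1f\x8b"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (symmetric: the same call encodes and decodes)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unpack_stage(blob: bytes, key: bytes) -> Optional[bytes]:
    """Strip the XOR layer, then gunzip. Returns None if the result is not valid gzip."""
    layer = xor_bytes(blob, key)
    if not layer.startswith(GZIP_MAGIC):
        return None
    try:
        return gzip.decompress(layer)
    except (OSError, EOFError, zlib.error):
        return None


def recover_single_byte_key(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Brute-force a one-byte XOR key using the gzip header as a known-plaintext oracle.
    The first ciphertext byte fixes the only possible key; the second header byte and a
    successful decompression confirm it. Assumes a single-byte key (an assumption)."""
    if len(blob) < 2:
        return None
    candidate = blob[0] ^ 0x1F
    if (blob[1] ^ candidate) != 0x8B:
        return None
    payload = unpack_stage(blob, bytes([candidate]))
    return None if payload is None else (candidate, payload)


def classify_payload(payload: bytes) -> str:
    """Rough triage of the unwrapped stage by file magic (DEX vs ZIP/APK vs unknown)."""
    if payload.startswith(b"dex\n"):
        return "dex"
    if payload.startswith(b"PK\x03\x04"):
        return "zip/apk"
    return "unknown"


# Constructed sample: a stand-in inner payload wrapped exactly as described above.
SAMPLE_KEY = 0x5A  # made up for the demo, not a real Fantasy Hub key
INNER_PAYLOAD = b"PK\x03\x04 constructed stand-in for an embedded APK payload " * 4
SAMPLE_BLOB = xor_bytes(gzip.compress(INNER_PAYLOAD), bytes([SAMPLE_KEY]))

if __name__ == "__main__":
    result = recover_single_byte_key(SAMPLE_BLOB)
    if result:
        key, payload = result
        print(f"key=0x{key:02x} type={classify_payload(payload)} length={len(payload)}")
```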

The distribution method involves creating fake Google Play Store landing pages. The threat actor refers to victims as "mammoths," a term commonly used by Russian cybercriminals. The MaaS model, coupled with these advanced features, signifies a growing trend of sophisticated and accessible cybercrime tools targeting Android users.

Sources

  • Android Trojan 'Fantasy Hub' Malware Service Turns Telegram Into a Hub for Hackers, The Hacker News.

  • New Android Malware 'Fantasy Hub' Intercepts SMS Messages, Contacts and Call Logs, CyberSecurityNews.
