Cybersecurity researchers have disclosed details of a new Android remote access trojan (RAT) called Fantasy Hub that’s sold on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model.
According to its seller, the malware enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos, as well as intercept, reply, and delete incoming notifications.
“It’s a MaaS product with seller documentation, videos, and a bot-driven subscription model that helps novice attackers by providing a low barrier to entry,” Zimperium researcher Vishnu Pratapagiri said in a report last week.
“Because it targets financial workflows (fake windows for banks) and abuses the SMS handler role (for intercepting 2-factor SMS), it poses a direct threat to enterprise customers using BYOD and to any organization whose employees rely on mobile banking or sensitive mobile apps.”
The threat actor, in their advertisement for Fantasy Hub, refers to victims as “mammoths,” a term often used by Telegram-based cybercriminals operating out of Russia.
Customers of the e-crime service receive instructions for creating fake Google Play Store landing pages used for distribution, as well as the steps to bypass restrictions. Prospective buyers choose the icon, name, and page they want and receive a slick-looking landing page in return.
The bot, which manages paid subscriptions and builder access, is also designed to let threat actors upload any APK file to the service and return a trojanized version with the malicious payload embedded into it. The service is available for one user (i.e., one active session) for a weekly price of $200 or for $500 per month. Users can also opt for a yearly subscription that costs $4,500.
The command-and-control (C2) panel associated with the malware provides details about the compromised devices, along with information about the subscription status itself. The panel also offers the attackers the ability to issue commands to collect various kinds of data.
“Sellers instruct buyers to create a bot, capture the chat ID, and configure tokens to route general and high-priority alerts to separate chats,” Zimperium said. “This design closely mirrors HyperRat, an Android RAT that was detailed last month.”
As for the malware itself, it abuses the default SMS handler role, as ClayRAT does, to obtain access to SMS messages, contacts, the camera, and files. By prompting the user to set it as the default SMS handling app, the malicious program obtains multiple powerful permissions in one go rather than having to ask for each permission individually at runtime.
The dropper apps have been found to masquerade as a Google Play update to lend the malware a veneer of legitimacy and trick users into granting the necessary permissions. Besides using fake overlays to obtain banking credentials associated with Russian financial institutions such as Alfa, PSB, T-Bank, and Sberbank, the spyware relies on an open-source project to…
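The SMS-handler abuse and overlay behaviour described above give a defender a concrete manifest-level signature to look for when vetting sideloaded apps on BYOD devices. The following Python script is an added example written for this page, not code from Zimperium's report or from the malware: it parses an AndroidManifest.xml, checks whether the app declares the four components Android requires before offering it the default SMS role, and raises the verdict when that role is combined with overlay, camera, contact or notification-listener access. The two manifests are constructed samples, and the package and component names in them are hypothetical.

```python
"""Added triage example: flag an Android manifest that declares everything needed to
become the default SMS handler AND requests capabilities typical of a RAT (overlays,
camera, contacts, notification listener). The manifests below are constructed samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Namespace-qualify an android:* attribute for ElementTree lookups."""
    return f"{{{ANDROID_NS}}}{name}"


# Components Android requires before an app can be offered the default SMS role.
# (Simplified: only the intent action is checked, not the data schemes/MIME types.)
SMS_ROLE_REQUIREMENTS = {
    "sms_deliver_receiver": ("receiver", "android.provider.Telephony.SMS_DELIVER"),
    "wap_push_receiver": ("receiver", "android.provider.Telephony.WAP_PUSH_DELIVER"),
    "sendto_activity": ("activity", "android.intent.action.SENDTO"),
    "respond_via_message_service": ("service", "android.intent.action.RESPOND_VIA_MESSAGE"),
}

# Permissions a plain messaging app rarely needs but spyware commonly requests.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows (fake bank login screens)",
    "android.permission.CAMERA": "camera capture",
    "android.permission.READ_CONTACTS": "contact list collection",
    "android.permission.READ_CALL_LOG": "call log collection",
}
NOTIFICATION_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def declared_actions(app, tag):
    """All intent-filter actions declared by components of the given tag."""
    return {a.get(android_attr("name")) for c in app.iter(tag) for a in c.iter("action")}


def analyze_manifest(xml_text):
    """Return a triage verdict for one AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    perms = {p.get(android_attr("name")) for p in root.iter("uses-permission")}
    role = {key: action in declared_actions(app, tag)
            for key, (tag, action) in SMS_ROLE_REQUIREMENTS.items()}
    eligible = all(role.values())
    flags = [why for perm, why in SUSPICIOUS_PERMISSIONS.items() if perm in perms]
    # A service bound with the notification-listener permission can read, reply to
    # and dismiss notifications, exactly the capability the RAT advertises.
    if any(s.get(android_attr("permission")) == NOTIFICATION_LISTENER_PERM for s in app.iter("service")):
        flags.append("notification listener (read, reply to, dismiss notifications)")
    # Being SMS-role eligible alone is normal for a messenger; combined with two or
    # more of the extra capabilities it matches the spyware pattern.
    if eligible and len(flags) >= 2:
        verdict = "high"
    elif eligible or flags:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "sms_role_eligible": eligible,
            "role_components": role, "flags": flags, "verdict": verdict}


# Constructed sample: a "Play update" dropper-style manifest (hypothetical names).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Google Play Update">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/>
        <data android:mimeType="application/vnd.wap.mms-message"/></intent-filter>
    </receiver>
    <activity android:name=".ComposeActivity">
      <intent-filter><action android:name="android.intent.action.SENDTO"/>
        <data android:scheme="sms"/><data android:scheme="smsto"/></intent-filter>
    </activity>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
    <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only reads SMS and has no SMS-role components.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(analyze_manifest(manifest))
```

In practice the manifest is pulled from the APK with a tool such as apktool or aapt before being fed to this check; the script only looks at declared capabilities, so it complements rather than replaces runtime detection of the fake "default SMS app" prompt and the bank overlays.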