“Fantasy Hub” – A New Android Malware Targeting Banking Apps and Stealing Personal Data


462/68 Thursday, November 13, 2025

Cybersecurity researchers from Zimperium have uncovered a new Android malware called Fantasy Hub, a Remote Access Trojan (RAT) currently being sold openly on Russian-language Telegram channels under a Malware-as-a-Service (MaaS) model. The malware is designed for data theft and full device control, capable of collecting sensitive information such as SMS messages, contacts, call logs, photos, and videos. It can also intercept, respond to, or delete incoming notifications. Most critically, Fantasy Hub targets financial transactions by creating fake overlay screens that mimic banking apps to steal user credentials and by hijacking SMS permissions to capture two-factor authentication (2FA) codes.

What makes Fantasy Hub particularly dangerous is its service-based distribution model, which dramatically lowers the barrier to entry for attackers with little technical skill. The operators provide detailed documentation, video tutorials, and even a subscription-based bot management system (starting at $200 per week). This bot automates customer onboarding, allowing subscribers to upload APK files, which are then trojanized with the malicious payload. The malware is often disguised as a “Google Play update” to gain user trust and abuses the Android SMS handler privilege (default SMS app) to gain extensive access permissions — including SMS, camera, and file access — with a single approval prompt.
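A static triage check, added here as an example rather than anything from the article or from Zimperium's analysis: it scans a decoded AndroidManifest.xml for the four components Android requires before it will offer an app the default SMS handler role described above, so an "update" app that declares all four can be flagged for review. The sample manifest and its component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample: a decoded manifest labelled like a Google Play update that
# declares every component needed to be offered the default SMS handler role.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <application android:label="Google Play Update">
  <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
   <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
  <receiver android:name=".MmsRx" android:permission="android.permission.BROADCAST_WAP_PUSH">
   <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
  <activity android:name=".Compose"><intent-filter><action android:name="android.intent.action.SENDTO"/>
   <data android:scheme="sms"/><data android:scheme="smsto"/></intent-filter></activity>
  <service android:name=".Respond" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
   <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
 </application></manifest>"""

# (indicator, element tag, required android:permission, required action, required data schemes)
REQUIRED = [
    ("sms_deliver_receiver", "receiver", "android.permission.BROADCAST_SMS",
     "android.provider.Telephony.SMS_DELIVER", None),
    ("wap_push_receiver", "receiver", "android.permission.BROADCAST_WAP_PUSH",
     "android.provider.Telephony.WAP_PUSH_DELIVER", None),
    ("sendto_activity", "activity", None, "android.intent.action.SENDTO", {"sms", "smsto", "mms", "mmsto"}),
    ("respond_via_message_service", "service", "android.permission.SEND_RESPOND_VIA_MESSAGE",
     "android.intent.action.RESPOND_VIA_MESSAGE", None),
]

def default_sms_handler_indicators(manifest_xml: str) -> dict:
    """Report which of the four default-SMS-app components the manifest declares."""
    app = ET.fromstring(manifest_xml).find("application")
    found = {}
    for key, tag, perm, action, schemes in REQUIRED:
        found[key] = False
        for el in (app.findall(tag) if app is not None else []):
            actions = {x.get(A + "name") for x in el.iter("action")}
            declared = {x.get(A + "scheme") for x in el.iter("data")}
            if (perm is None or el.get(A + "permission") == perm) and action in actions \
                    and (schemes is None or declared & schemes):
                found[key] = True
    return found

def claims_default_sms_role(manifest_xml: str) -> bool:
    # Only an app declaring all four components is eligible for the role prompt.
    return all(default_sms_handler_indicators(manifest_xml).values())
```

Run it over manifests extracted from APKs submitted for review; a hit is not proof of malice (real messaging apps declare the same set), but an app whose label promises a system update and claims this role deserves scrutiny.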

The emergence of Fantasy Hub aligns with a Zscaler ThreatLabz report showing a 67% year-over-year increase in Android malware activity (June 2024–May 2025), identifying 239 malicious apps on Google Play with over 42 million combined downloads. Another major threat, NGate (NFSkate), has also been reported by CERT Polska, targeting banking users in Poland using an advanced NFC relay attack. Victims are tricked into installing a fake “card verification” app that instructs them to tap their credit card to the back of their phone — enabling the malware to intercept NFC data and relay it to an attacker’s device at an ATM, allowing real-time cash withdrawals without the physical card.

Source: https://thehackernews.com/2025/11/android-trojan-fantasy-hub-malware.html