New Android RAT ‘Fantasy Hub’ sold as Malware-as-a-Service across Russian Telegram channels

Cybersecurity researchers have announced a new Android RAT called Fantasy Hub that is being distributed as a subscription service to criminals. It is on sale on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model. 

According to reports, it turns any app into spyware, pretends to be a Play Store update, hijacks SMS to steal 2FA, and streams camera and microphone in real-time via WebRTC. The Malware-as-a-Service model allows it to lower the technical barriers for attackers with minimal expertise.

The spyware gives hackers the ability to read 2FA messages, get into bank accounts, and watch devices in real time.

Fantasy Hub teaches criminals how to create fake Google Play Store

According to its seller, the malware allows device control and espionage. This gives threat actors access to SMS messages, contacts, call logs, images, and videos, as well as the ability to intercept, reply to, and delete incoming alerts.

The malware exploits the default SMS privileges, similar to ClayRAT, to gain access to SMS messages, contacts, the camera, and files. By prompting the user to set it as the default SMS handling app, the malicious program can obtain multiple powerful permissions in one go, rather than having to request individual permissions at runtime.

Criminals who are customers of the e-crime solution receive instructions related to creating fake Google Play Store landing pages for distribution, as well as the steps to bypass restrictions. Prospective buyers can choose the icon, name, and page they wish to receive a slick-looking page.

The bot handles paid subscriptions and builder access. It’s also designed so that threat actors can upload any APK file to the service and receive a trojanized version that contains the malware built in. The service is available per user for a weekly price of $200 or a monthly price of $500. Users can also opt for a yearly subscription that costs $4,500.

The command-and-control (C2) panel associated with the malware provides details about the compromised devices, as well as information regarding the subscription status itself. The panel also provides attackers with the ability to issue commands to collect various types of data.

Fantasy Hub targets mobile banking users

The dropper apps have been found to act as a Google Play update, lending it a veneer of legitimacy and tricking users into granting the necessary permissions. It then uses fake overlays to obtain banking credentials associated with Russian financial institutions such as Alfa, PSB, T-Bank, and Sberbank.

Fantasy Hub integrates native droppers, WebRTC-based live streaming, and exploits the SMS handler role to steal data and impersonate legitimate apps in real-time.

According to Zimperium researcher Vishnu Pratapagiri, the spyware poses a direct threat to enterprise customers using BYOD. In addition, organization whose employees rely on mobile banking or sensitive mobile apps are in trouble.

 This comes after Zscaler ThreatLabz revealed that threat actors are using sophisticated banking trojans, such as Anatsa, ERMAC, and TrickMo. They often resemble genuine utilities or productivity apps in both official and third-party app stores. 

Once they’re installed, they employ very sneaky methods to obtain usernames, passwords, and even two-factor authentication (2FA) codes, which are required to complete transactions.

Additionally, CERT Polska has warned about new cases of Android malware called NGate, which attempts to steal card information from Polish bank users through Near Field Communication (NFC) relay attacks. 

When the victim opens the app in question, they are asked to prove their payment card by tapping it on the back of their Android device. The app then discreetly collects the card’s NFC data and sends it to a server controlled by the attacker or straight to a companion app installed by the threat actor who wants to get cash from an ATM.

Reports say that transactions using Android malware have gone up by 67% every year. They are powered by advanced spyware and banking trojans. About 239 malicious apps have been reported on the Google Play Store. Between June 2024 and May 2025, the apps were downloaded a total of 42 million times.

If you're reading this, you’re already ahead. Stay there with our newsletter.