Fantasy Hub Android Trojan Leveraging Telegram Poses New Cyber Threat

Fantasy Hub: The New Android Trojan Exploiting Telegram for Cyber Attacks

Cybersecurity experts have recently uncovered a sophisticated Android remote access trojan (RAT) named Fantasy Hub, which is being marketed on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model. This development signifies a concerning trend in the cybercriminal landscape, where malicious software is commodified and made accessible to a broader range of threat actors.

Overview of Fantasy Hub

Fantasy Hub is a potent malware that grants attackers extensive control over infected Android devices. Its capabilities include:

– Data Exfiltration: The malware can harvest SMS messages, contact lists, call logs, images, and videos from the compromised device.

– Notification Manipulation: It has the ability to intercept, reply to, and delete incoming notifications, allowing attackers to manipulate communications and potentially bypass security alerts.

According to Zimperium researcher Vishnu Pratapagiri, Fantasy Hub is designed to be user-friendly for cybercriminals, featuring comprehensive documentation, instructional videos, and a bot-driven subscription model. This approach lowers the entry barrier for novice attackers, enabling them to execute sophisticated attacks with minimal technical expertise.

Distribution and Subscription Model

The operators of Fantasy Hub refer to their victims as "mammoths," a term commonly used among Russian-speaking cybercriminals on Telegram. Subscribers to the service receive detailed instructions on creating counterfeit Google Play Store landing pages to distribute the malware. They can customize the app's icon, name, and associated page to enhance the illusion of legitimacy.

A unique feature of Fantasy Hub is its bot-driven subscription system, which allows attackers to upload any APK file and receive a trojanized version embedded with the malicious payload. The service is priced at $200 per week or $500 per month for a single active session, with an annual subscription available for $4,500.

Command-and-Control Infrastructure

The command-and-control (C2) panel associated with Fantasy Hub provides attackers with comprehensive information about compromised devices and their subscription status. It also enables the issuance of commands to collect various types of data from the infected devices.

To facilitate communication, sellers instruct buyers to create a bot, capture the chat ID, and configure tokens to route general and high-priority alerts to separate chats. This design closely mirrors that of HyperRat, another Android RAT detailed in previous reports.

Technical Capabilities and Exploitation

Fantasy Hub abuses the default SMS handler role to access messages, contacts, the camera, and files. By prompting the user to set it as the default SMS app, the malware obtains several powerful permissions at once, without having to request each of them individually at runtime.

The dropper apps associated with Fantasy Hub often masquerade as Google Play updates, lending an air of legitimacy and tricking users into granting the necessary permissions. Beyond using fake overlays to obtain banking credentials from Russian financial institutions such as Alfa, PSB, T-Bank, and Sberbank, the spyware leverages an open-source project to stream camera and microphone content in real time over WebRTC.

Implications and Broader Context

The emergence of Fantasy Hub underscores the rapid rise of Malware-as-a-Service operations, demonstrating how easily attackers can weaponize legitimate Android components to achieve full device compromise. Unlike older banking trojans that relied solely on overlays, Fantasy Hub integrates native droppers, WebRTC-based live streaming, and abuse of the SMS handler role to exfiltrate data and impersonate legitimate apps in real time.

This development comes amid reports from Zscaler ThreatLabz indicating a 67% year-over-year increase in Android malware transactions, driven by sophisticated spyware and banking trojans. Between June 2024 and May 2025, 239 malicious applications were flagged on the Google Play Store, collectively downloaded 42 million times.

Notable Android malware families observed during this period include Anatsa (also known as TeaBot and Toddler), Void (also known as Vo1d), and a previously unseen Android RAT dubbed Xnotice. These malware strains have targeted job seekers in the oil and gas sector in the Middle East and North Africa by masquerading as job application apps distributed via fake employment portals.

Once installed, these malware variants steal banking credentials through overlays and collect other sensitive data such as multi-factor authentication codes, SMS messages, and screenshots. Threat actors deploy sophisticated banking trojans like Anatsa, ERMAC, and TrickMo, often disguising them as legitimate utilities or productivity apps on both official and third-party app stores. Once installed, they use highly deceptive techniques to capture usernames, passwords, and even two-factor authentication codes needed to authorize transactions.

Emerging Threats: NGate Malware

In addition to Fantasy Hub, CERT Polska has issued an advisory about new samples of Android malware called NGate (also known as NFSkate) targeting users of Polish banks to steal card details via Near Field Communication (NFC) relay attacks. Links to the malicious apps are distributed via phishing emails or SMS messages that purport to come from the banks, warning recipients of a technical problem or security incident and urging them to install the app.

Upon launching the app, victims are prompted to verify their payment card directly within the app by tapping it on the back of the Android device. However, doing so causes the app to stealthily capture the card’s NFC data and exfiltrate it to an attacker-controlled server or directly to a companion app installed by the threat actor, who can then withdraw cash from an ATM.

The campaign is designed to enable unauthorized cash withdrawals at ATMs using victims’ own payment cards. Criminals don’t physically steal the card; they relay the card’s NFC traffic from the victim’s Android phone to a device the attacker controls at an ATM.
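The two threats above share a static fingerprint a defender can triage before installation: Fantasy Hub needs the four components that make an app eligible for the default SMS role, plus a notification listener, camera and microphone permissions, overlay permission, and the ability to install packages (its droppers); the NGate apps need NFC access alongside their phishing pretext. The following script is an added example, not code from Zimperium, CERT Polska, or the malware authors. It assumes the APK's manifest has already been decoded to plain XML (for instance with apktool; binary AXML is not parsed here), and the two embedded manifests are constructed samples, not real ones. The signal names and the escalation rule are this example's own heuristics; the Android action and permission strings are the platform's real identifiers.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability
combinations described on this page: default-SMS-handler eligibility,
notification-listener access, camera/microphone, overlays, package
installation and NFC.  Added example; assumes a plain-XML manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Intent-filter actions an app must declare to be offered the default SMS role.
SMS_ROLE_ACTIONS = {
    "receiver": {"android.provider.Telephony.SMS_DELIVER",
                 "android.provider.Telephony.WAP_PUSH_DELIVER"},
    "activity": {"android.intent.action.SENDTO"},
    "service":  {"android.intent.action.RESPOND_VIA_MESSAGE"},
}
NOTIFICATION_LISTENER = "android.service.notification.NotificationListenerService"
HCE_SERVICE = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
SIGNAL_ORDER = ("notification_listener", "camera_and_mic", "overlay",
                "installs_packages", "nfc_reader", "nfc_card_emulation")


def _actions_by_component(root):
    """Map component kind -> set of intent-filter actions declared under it."""
    found = {kind: set() for kind in SMS_ROLE_ACTIONS}
    for kind, acc in found.items():
        for comp in root.iter(kind):
            for action in comp.iter("action"):
                acc.add(action.get(ANDROID_NS + "name", ""))
    return found


def triage_manifest(xml_text: str) -> dict:
    """Return capability findings and a heuristic escalation verdict."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    actions = _actions_by_component(root)
    f = {
        "sms_role_candidate": all(req <= actions[k] for k, req in SMS_ROLE_ACTIONS.items()),
        "notification_listener": NOTIFICATION_LISTENER in actions["service"],
        "camera_and_mic": {"android.permission.CAMERA",
                           "android.permission.RECORD_AUDIO"} <= perms,
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "installs_packages": "android.permission.REQUEST_INSTALL_PACKAGES" in perms,
        "nfc_reader": "android.permission.NFC" in perms,
        "nfc_card_emulation": HCE_SERVICE in actions["service"],
    }
    f["signals"] = [k for k in SIGNAL_ORDER if f[k]]
    # A real messaging app legitimately holds the SMS role and camera/mic (MMS),
    # so escalate only when the role is stacked with two or more extra signals,
    # or when NFC access is combined with any other signal (NGate-style pretext).
    nfc = f["nfc_reader"] or f["nfc_card_emulation"]
    f["escalate"] = (f["sms_role_candidate"] and len(f["signals"]) >= 2) or \
                    (nfc and len(f["signals"]) >= 2)
    return f


# Constructed sample: a "Google Play Update" dropper that wants the SMS role,
# a notification listener, camera/mic, overlays and package installation.
FAKE_UPDATE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.playupdate">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Google Play Update">
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsRx" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <activity android:name=".Compose">
      <intent-filter><action android:name="android.intent.action.SENDTO"/><data android:scheme="sms"/></intent-filter></activity>
    <service android:name=".Respond">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
    <service android:name=".Listener" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter></service>
  </application>
</manifest>"""

# Constructed sample: an ordinary SMS/MMS client (role components plus camera/mic only).
BENIGN_SMS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messages">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Messages">
    <receiver android:name=".SmsRx"><intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
    <receiver android:name=".MmsRx"><intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter></receiver>
    <activity android:name=".Compose"><intent-filter><action android:name="android.intent.action.SENDTO"/></intent-filter></activity>
    <service android:name=".Respond"><intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter></service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("fake update", FAKE_UPDATE_MANIFEST), ("benign client", BENIGN_SMS_MANIFEST)):
        r = triage_manifest(xml)
        print(f"{name}: sms_role={r['sms_role_candidate']} signals={r['signals']} escalate={r['escalate']}")
```

The escalation rule is deliberately conservative: holding the SMS role is not suspicious on its own, and neither is camera plus microphone, since any MMS client needs both. What the page describes is the stacking of the role with a notification listener, overlays, package installation, or NFC access in an app presenting itself as an update or a bank tool, and that stacking is what the verdict keys on. Run it over decoded manifests from a sideloaded-app allowlist review or an MDM export to pick out candidates for manual analysis.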

Conclusion

The discovery of Fantasy Hub highlights the evolving landscape of Android malware, where cybercriminals increasingly leverage legitimate platforms like Telegram to distribute sophisticated tools under a MaaS model. This trend poses significant challenges for cybersecurity professionals and underscores the need for continuous vigilance and advanced security measures to protect against such threats.