Android Trojan 'fantasy Hub' Malware Service Turns Telegram Into A...
Cybersecurity researchers have disclosed details of a new Android remote access trojan (RAT) called Fantasy Hub that's sold on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model.
According to its seller, the malware enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos, as well as intercept, reply, and delete incoming notifications.
"It's a MaaS product with seller documentation, videos, and a bot-driven subscription model that helps novice attackers by providing a low barrier to entry," Zimperium researcher Vishnu Pratapagiri said in a report last week.
"Because it targets financial workflows (fake windows for banks) and abuses the SMS handler role (for intercepting 2-factor SMS), it poses a direct threat to enterprise customers using BYOD and to any organization whose employees rely on mobile banking or sensitive mobile apps."
The threat actor, in their advertisement for Fantasy Hub, refers to victims as "mammoths," a term often used by Telegram-based cybercriminals operating out of Russia.
Customers of the e-crime solution receive instructions related to creating fake Google Play Store landing pages for distribution, as well as the steps to bypass restrictions. Prospective buyers can choose the icon, name, and page they wish to receive a slick-looking page.
The bot, which manages paid subscriptions and builder access, is also designed to let threat actors upload any APK file to the service and return a trojanized version with the malicious payload embedded into it. The service is available for one user (i.e., one active session) for a weekly price of $200 or for $500 per month. Users can also opt for a yearly subscription that costs $4,500.
The command-and-control (C2) panel associated with the malware provides details about the compromised devices, along with information about the subscription status itself. The panel also offers the attackers the ability to issue commands to collect various kinds of data.
"Sellers instruct buyers to create a bot, capture the chat ID, and configure tokens to route general and high-priority alerts to separate chats," Zimperium said. "This design closely mirrors HyperRat, an Android RAT that was detailed last month."
As for the malware, it abuses the default SMS privileges like ClayRAT to obtain access to SMS messages, contacts, camera, and files. By prompting the user to set it as the default SMS handling app, it a
Source: The Hacker News
