Dallas, TX: zLabs researchers have uncovered Fantasy Hub, an Android Remote Access Trojan (RAT) sold on Russian-language channels as a Malware-as-a-Service (MaaS) subscription. The spyware offers a full suite of espionage and device-control features, including SMS, contact, and call-log theft; live audio/video streaming; and fake banking windows designed to steal credentials.
Unlike isolated malware kits, Fantasy Hub is a turnkey service complete with seller documentation, how-to videos, and a Telegram-based subscription bot. Buyers receive detailed instructions for creating counterfeit Google Play pages, app icons, and names to impersonate legitimate apps, including cloned pages of popular services such as Telegram, to trick users into installing the dropper.
Key Findings
- Subscription-based model: Lowers the barrier to entry with documentation, bot management, and automated build options.
- Financial targeting: Used to impersonate banks including Alfa, PSB, Tbank, and Sber to steal mobile banking credentials.
- Abuse of SMS privileges: Exploits Android’s default SMS handler role to intercept two-factor messages and forward content without user awareness.
- Evasion tactics: Disguised as a Google Play update, the malware checks device environments to avoid analysis and detection.
Fantasy Hub’s MaaS framework highlights how sophisticated mobile spyware is being commoditized. With built-in instructions and automation, even inexperienced attackers can deploy advanced campaigns targeting financial workflows and enterprise BYOD environments.
“Fantasy Hub shows how professionalized seller support is turning complex spyware into accessible services,” said Vishnu Pratapagiri, zLabs researcher. “Organizations must assume even legitimate-looking apps could hide malicious droppers capable of intercepting authentication and sensitive data.”