
Fantasy Hub: How Telegram Became a Haven for Cybercriminals

Fantasy Hub: The New Android Remote Access Trojan Threat

A recent discovery by cybersecurity researchers has unveiled a new Android remote access trojan (RAT) known as Fantasy Hub. This malicious software is being sold on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model.

The capabilities of Fantasy Hub are concerning, as it allows threat actors to remotely control devices and conduct espionage activities. This includes collecting a wide range of sensitive data such as SMS messages, contacts, call logs, images, and videos. Additionally, the malware can intercept, reply to, and delete incoming notifications.

Zimperium researcher Vishnu Pratapagiri highlighted the sophistication of Fantasy Hub, describing it as a MaaS product with comprehensive seller documentation, instructional videos, and a bot-driven subscription model. This setup lowers the barrier to entry for novice attackers and poses a direct threat to enterprise customers using Bring Your Own Device (BYOD) policies, as well as organizations whose employees engage in mobile banking or use sensitive mobile apps.

The Modus Operandi of Fantasy Hub

The threat actor promoting Fantasy Hub on Telegram refers to potential victims as “mammoths,” a term commonly used by cybercriminals in the Russian-speaking underground community. Customers of this illicit service are provided with detailed instructions on creating fake Google Play Store landing pages for distributing the malware. They are also guided on how to bypass security restrictions, enabling them to customize the appearance of the malicious pages to deceive users.

For a fee, customers of Fantasy Hub gain access to a bot that manages paid subscriptions and builder access. The builder lets a threat actor upload any Android Package (APK) file and returns a trojanized version of it with the malicious payload embedded. The pricing model offers a weekly subscription for $200 per user, a monthly subscription for $500, or a yearly subscription for $4,500.

The Command-and-Control Infrastructure

The command-and-control (C2) panel associated with Fantasy Hub provides threat actors with insights into compromised devices and subscription status. It also grants them the ability to issue commands to collect various types of data from the infected devices. Sellers of the malware advise buyers to create a bot, capture the chat ID, and configure tokens to route alerts to separate chats, a strategy reminiscent of the Android RAT known as HyperRat.
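The Telegram-bot alerting described above has a network footprint a defender can look for: calls from an endpoint to the Telegram Bot API (`api.telegram.org/bot<token>/<method>`) carrying a `chat_id` parameter, especially `sendMessage`/`sendDocument` calls from a process that is not the Telegram client. The script below is an added example, not code from the article or from Zimperium; it runs over constructed proxy log lines (the log format, IP addresses, user agents and the bot token are all made up), extracts the bot id and chat ids, redacts the token secret before it lands in an alert, and summarizes activity per source host.

```python
"""Detect Telegram Bot API use in outbound proxy logs and summarize it by source.

Added example for the article above; the log format and every value in
SAMPLE_LOG are constructed for illustration, including the bot token, which
is not a real credential.
"""
import re

# Bot API URL: /bot<numeric id>:<secret>/<method>. The secret length is kept
# loose on purpose so minor format changes do not silently break the match.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)
CHAT_ID_RE = re.compile(r"[?&]chat_id=(?P<chat_id>-?\d+)")
# Assumed log layout: <timestamp> <source ip> <http method> <url> "<user agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<http>[A-Z]+)\s+(?P<url>\S+)\s+"(?P<ua>[^"]*)"$')

# Bot API methods that push content from the device to a chat.
OUTBOUND_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

# Constructed sample: one handset (10.0.0.12) pushing to two chats, one internal
# automation host polling a bot, and one unrelated request.
SAMPLE_LOG = """
2024-05-01T09:12:03Z 10.0.0.12 POST https://api.telegram.org/bot1234567890:AAExampleExampleExampleExampleExampl/sendMessage?chat_id=-1001234567890 "okhttp/4.9.3"
2024-05-01T09:12:09Z 10.0.0.12 POST https://api.telegram.org/bot1234567890:AAExampleExampleExampleExampleExampl/sendDocument?chat_id=-1001234567890 "okhttp/4.9.3"
2024-05-01T09:12:11Z 10.0.0.12 POST https://api.telegram.org/bot1234567890:AAExampleExampleExampleExampleExampl/sendMessage?chat_id=987654321 "okhttp/4.9.3"
2024-05-01T09:13:00Z 10.0.5.3 GET https://api.telegram.org/bot4455667788:AAExampleExampleExampleExampleExampl/getUpdates?timeout=30 "python-requests/2.31"
2024-05-01T09:13:05Z 10.0.0.40 GET https://example.com/index.html "Mozilla/5.0"
"""


def find_bot_api_calls(lines):
    """Return one record per Bot API request found in the log lines."""
    calls = []
    for line in lines:
        line = line.strip()
        m = LOG_RE.match(line) if line else None
        if not m:
            continue
        api = BOT_API_RE.search(m["url"])
        if not api:
            continue
        chat = CHAT_ID_RE.search(m["url"])
        calls.append({
            "ts": m["ts"],
            "src": m["src"],
            "ua": m["ua"],
            "bot_id": api["bot_id"],
            # Keep only a prefix of the secret so alerts do not replay the credential.
            "token": f"{api['bot_id']}:{api['secret'][:4]}***",
            "api_method": api["method"],
            "chat_id": chat["chat_id"] if chat else None,
            "outbound_content": api["method"] in OUTBOUND_METHODS,
        })
    return calls


def summarize_by_source(calls):
    """Group Bot API calls per source host: counts, bot ids, chat ids, user agents."""
    summary = {}
    for c in calls:
        s = summary.setdefault(c["src"], {
            "calls": 0, "outbound_calls": 0,
            "bot_ids": set(), "chat_ids": set(), "user_agents": set(),
        })
        s["calls"] += 1
        s["outbound_calls"] += int(c["outbound_content"])
        s["bot_ids"].add(c["bot_id"])
        if c["chat_id"]:
            s["chat_ids"].add(c["chat_id"])
        s["user_agents"].add(c["ua"])
    return summary


if __name__ == "__main__":
    for src, s in summarize_by_source(find_bot_api_calls(SAMPLE_LOG.splitlines())).items():
        print(src, s["calls"], "calls,", s["outbound_calls"], "outbound, chats:", sorted(s["chat_ids"]))
```

The Bot API is also used by plenty of legitimate automation (the `10.0.5.3` host polling `getUpdates` is the benign pattern), so the useful signal is a mobile client library user agent sending content to one or more chats, rather than any contact with `api.telegram.org`; the per-source summary is meant to be fed into that kind of triage rather than alerting on every match.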

As for the malware itself, Fantasy Hub relies on the privileges granted to the default SMS handler to reach sensitive data such as messages, contacts, camera feeds, and files. By coercing users into setting it as the default SMS app, the malicious program obtains multiple powerful permissions in a single action instead of having to request each permission individually at runtime.

Sophisticated Tactics and Malicious Activities

To evade detection and lure unsuspecting users, Fantasy Hub employs deceptive tactics such as masquerading as a legitimate Google Play update. This ruse aims to trick users into granting necessary permissions to the malware. Additionally, the trojan uses fake overlays to steal banking credentials from users of Russian financial institutions like Alfa, PSB, T-Bank, and Sberbank.

Furthermore, Fantasy Hub utilizes an open-source project to stream camera and microphone content in real-time through WebRTC. This real-time spying capability enhances the malware’s ability to exfiltrate data and impersonate legitimate apps seamlessly.
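The capability profile described in the last three paragraphs (an app that qualifies for the default SMS role while also declaring a notification listener, overlay, camera and microphone access) can be checked statically from a decoded AndroidManifest.xml. The script below is an added example and is not Zimperium's or the article's code. It encodes the four components Android requires of a default SMS app (SMS_DELIVER and WAP_PUSH_DELIVER receivers guarded by the corresponding BROADCAST permissions, a SENDTO activity, and a RESPOND_VIA_MESSAGE service) plus the other declarations the article mentions, and scores two constructed manifests; the package names, component names and the exact scoring weights are assumptions for illustration.

```python
"""Heuristic manifest triage: default-SMS-role profile plus spyware-style declarations.

Added example; the two manifests below are constructed for illustration and are
not taken from any real sample.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Components an app must declare before Android offers it the default SMS role
# (label -> (intent action, system permission the component must be guarded by)).
SMS_ROLE_REQUIREMENTS = {
    "sms_deliver_receiver": ("android.provider.Telephony.SMS_DELIVER", "android.permission.BROADCAST_SMS"),
    "wap_push_receiver": ("android.provider.Telephony.WAP_PUSH_DELIVER", "android.permission.BROADCAST_WAP_PUSH"),
    "sendto_activity": ("android.intent.action.SENDTO", None),
    "respond_service": ("android.intent.action.RESPOND_VIA_MESSAGE", "android.permission.SEND_RESPOND_VIA_MESSAGE"),
}

# Declarations that, combined with the SMS role, match the profile in the article.
SPYWARE_INDICATORS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification interception",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay capability",
    "android.permission.CAMERA": "camera access",
    "android.permission.RECORD_AUDIO": "microphone access",
}


@dataclass
class TriageResult:
    sms_role_components: list[str]
    indicators: list[str]

    @property
    def claims_sms_role(self) -> bool:
        return len(self.sms_role_components) == len(SMS_ROLE_REQUIREMENTS)

    @property
    def score(self) -> int:
        # Assumed weighting: the complete SMS-role profile counts as much as four indicators.
        return (4 if self.claims_sms_role else 0) + len(self.indicators)


def _actions(component) -> set[str]:
    return {a.get(NAME) for f in component.findall("intent-filter") for a in f.findall("action")}


def triage_manifest(manifest_xml: str) -> TriageResult:
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    components = [] if app is None else [c for c in app.iter() if c.tag in ("activity", "receiver", "service")]
    found = []
    for label, (action, guard) in SMS_ROLE_REQUIREMENTS.items():
        for comp in components:
            # A receiver/service only counts if it is guarded by the system permission;
            # otherwise the platform does not accept it as a valid SMS-role component.
            if action in _actions(comp) and (guard is None or comp.get(PERMISSION) == guard):
                found.append(label)
                break
    declared = {p.get(NAME) for p in root.findall("uses-permission")}
    # Listener binding is declared on the service, not via uses-permission.
    service_guards = {s.get(PERMISSION) for s in components if s.tag == "service"}
    indicators = [desc for perm, desc in SPYWARE_INDICATORS.items() if perm in declared or perm in service_guards]
    return TriageResult(found, indicators)


SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <receiver android:name=".SmsDeliverReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/><data android:mimeType="application/vnd.wap.mms-message"/></intent-filter>
    </receiver>
    <activity android:name=".ComposeActivity">
      <intent-filter><action android:name="android.intent.action.SENDTO"/><data android:scheme="sms"/></intent-filter>
    </activity>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
    <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        r = triage_manifest(xml)
        print(label, "score", r.score, "sms_role", r.claims_sms_role, r.indicators)
```

Claiming the SMS role is not malicious by itself: every legitimate messaging app does it. The signal worth acting on is the full role profile combined with notification interception, overlays and camera or microphone access in a package that arrived outside Google Play and presents itself as a system or Play update, which is the combination the article describes.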

The Escalating Android Malware Landscape

The rise of Malware-as-a-Service operations like Fantasy Hub underscores how easily attackers can abuse legitimate Android components to fully compromise a device. Recent reports from Zscaler ThreatLabz indicate a 67% year-over-year increase in Android malware transactions, driven by the proliferation of sophisticated spyware and banking trojans.

Notable Android malware families identified during this period include Anatsa (also known as TeaBot and Toddler), Void (also known as Vo1d), and a newly discovered Android RAT named Xnotice. The latter specifically targeted job seekers in the oil and gas sector across the Middle East and North Africa, posing as job application apps distributed through fake employment portals.

Continued Threats and Evolving Tactics

Threat actors also deploy advanced banking trojans like Anatsa, ERMAC, and TrickMo, which often pose as legitimate utilities or productivity apps on official and third-party app stores. Once installed, these trojans use sophisticated techniques to capture usernames, passwords, and the two-factor authentication (2FA) codes required to authorize transactions.

Moreover, a recent advisory from CERT Polska highlighted the emergence of new Android malware samples called NGate (or NFSkate) targeting users of Polish banks. This malware conducts NFC relay attacks to steal card details. Victims receive phishing emails or SMS messages purporting to be from their banks, urging them to install malicious apps. Upon installation, the app covertly captures NFC data from the victim’s payment card, enabling unauthorized cash withdrawals at ATMs.

Conclusion

The landscape of Android malware continues to evolve, with threat actors leveraging increasingly sophisticated tactics to compromise devices and steal sensitive information. The emergence of malware-as-a-service models like Fantasy Hub underscores the need for heightened vigilance and robust cybersecurity measures to safeguard against such threats.