Pierluigi Paganini
November 11, 2025

Zimperium researchers uncovered Fantasy Hub, a Russian-sold Android RAT offered as Malware-as-a-Service, enabling spying, device control, and data theft via Telegram.
The malware allows operators to take over infected devices, gathering SMS messages, contacts, call logs, images, and videos. The malicious code also allows attackers to intercept, reply to, and delete incoming notifications, among other features.
The authors advertise the spyware’s capabilities online and link to a bot that manages paid subscriptions and builder access, plus step-by-step guides (and a video) to create fake Google Play pages and evade detection.
Attackers use it to target banks, displaying counterfeit login windows for Alfa, PSB, Tbank, and Sber to steal credentials.
“Fantasy Hub is not a one-off commodity kit: it’s a MaaS product with seller documentation, videos, and a bot-driven subscription model that helps novice attackers by providing a low barrier to entry,” reads the report published by Zimperium. “Because it targets financial workflows (fake windows for banks) and abuses the SMS handler role (for intercepting 2-factor SMS), it poses a direct threat to enterprise customers using BYOD and to any organization whose employees rely on mobile banking or sensitive mobile apps.”
The Command & Control panel shows subscription time, device online/offline status, brand/model, last update, user ID, and SIM slot info. Sellers document Telegram integration (bots, chat IDs, tokens) to receive alerts and provide a full guide to manage victims, commands for SMS, contacts, calls, push notifications and more, allowing buyers to remotely operate and monitor compromised devices.
The analysis of the malware reveals the use of a native dropper inside a metamask_loader library that decrypts an embedded metadata.dat with a custom XOR (36‑byte key), decompresses it (gzip/zlib), and writes the payload to disk. This keeps static indicators hidden until runtime. Fantasy Hub abuses the default SMS handler role to gain broad permissions (SMS, contacts, camera, files) in one step. The dropper poses as a Google Play update and checks for rooting to evade analysis. For spying, it uses WebRTC to stream camera/microphone feeds live to the C2 (after downloading the required libraries), showing a small “Live stream active” indicator while streaming.
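As an added example that is not part of the Zimperium report or its tooling, the following Python is an analyst-side unpacker for the XOR-then-decompress layering described above. It assumes a repeating 36-byte XOR key (the report says only "custom XOR") and uses a constructed sample key and payload; the real key and scheme would have to be recovered from the metamask_loader binary itself.

```python
import gzip
import zlib

# Constructed 36-byte sample key (the report does not disclose the real one).
SAMPLE_KEY = bytes(range(0x10, 0x10 + 36))

# Magic bytes an analyst expects to see once each layer is peeled off.
GZIP_MAGIC = b"\x1f\x8b"
ZLIB_PREFIXES = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")
DEX_MAGIC = b"dex\n"

def xor_cycle(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed scheme; the report only says 'custom XOR')."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def detect_compression(data: bytes) -> str:
    """Identify the compression layer from its leading bytes."""
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    if data[:2] in ZLIB_PREFIXES:
        return "zlib"
    return "unknown"

def unpack_metadata(blob: bytes, key: bytes) -> tuple[str, bytes]:
    """Decrypt, identify the compression layer, decompress; return (kind, payload)."""
    plain = xor_cycle(blob, key)
    kind = detect_compression(plain)
    if kind == "gzip":
        return kind, gzip.decompress(plain)
    if kind == "zlib":
        return kind, zlib.decompress(plain)
    raise ValueError("no gzip/zlib header after XOR: wrong key or different scheme")

def looks_like_dex(payload: bytes) -> bool:
    """Cheap sanity check that the recovered payload is a DEX file."""
    return payload.startswith(DEX_MAGIC)

def make_sample(payload: bytes, key: bytes, use_gzip: bool) -> bytes:
    """Build a constructed metadata.dat-style blob for offline testing only."""
    packed = gzip.compress(payload) if use_gzip else zlib.compress(payload)
    return xor_cycle(packed, key)

if __name__ == "__main__":
    fake_payload = b"dex\n035\x00" + b"A" * 200  # constructed stand-in, not a real DEX
    blob = make_sample(fake_payload, SAMPLE_KEY, use_gzip=True)
    kind, out = unpack_metadata(blob, SAMPLE_KEY)
    print(kind, looks_like_dex(out), len(out))
```

A wrong key or a different wrapping scheme surfaces as the ValueError rather than as garbage output, which is the check to look for before trusting the recovered payload.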
Fantasy Hub pairs native droppers, WebRTC live streaming, and SMS-handler abuse with social engineering and fake app tactics, making it far more dangerous than classic overlay trojans, especially in BYOD and consumer contexts where app-store trust lulls users into a false sense of security.
“The rapid rise of Malware-as-a-Service (MaaS) operations like Fantasy Hub shows how easily attackers can weaponize legitimate Android components to achieve full device compromise. Unlike older banking trojans that rely solely on overlays, Fantasy Hub integrates native droppers, WebRTC-based live streaming, and abuse of the SMS handler role to exfiltrate data and impersonate legitimate apps in real time,” concludes the report. “This blend of social engineering and deep-system control makes it especially dangerous in BYOD and consumer-facing environments where app-store trust is assumed.”