Ethical Hacking News

Fantasy Hub: The Russian-Sold Android Malware That's Spying on Devices Via Telegram




Fantasy Hub, a Russian-sold Android RAT, has been discovered to offer advanced spyware capabilities via Telegram. This MaaS product allows attackers to access infected devices remotely, steal sensitive information, and control devices. As the threat landscape continues to evolve, it's essential to stay informed about emerging malware like Fantasy Hub and take necessary precautions to protect our digital lives.

  • Fantasy Hub is a MaaS (Malware-as-a-Service) product that allows attackers to spy, steal data, and control Android devices.
  • The malware was discovered in the wild, targeting banks and other financial institutions, and using social engineering tactics to steal sensitive information.
  • Fantasy Hub integrates native droppers, WebRTC-based live streaming, and SMS-handler abuse into a single package, allowing attackers to pose as legitimate apps and gain broad permissions.
  • The malware's command-and-control panel provides detailed information about subscription time, device status, and user ID, enabling remote operation and monitoring of compromised devices through a Telegram integration.
  • Fantasy Hub allows operators to take over infected devices, gathering SMS messages, contacts, call logs, images, and videos, as well as intercepting and deleting notifications.



Fantasy Hub is a malicious Android application that has recently gained attention for its ability to spy on, steal data from, and control devices. As revealed by Zimperium researchers, Fantasy Hub is a MaaS (Malware-as-a-Service) product sold as an Android RAT (Remote Access Trojan), giving attackers remote access to infected devices.

The malware was discovered in the wild, with attackers using it to target banks and other financial institutions. By displaying counterfeit login windows for popular banking apps such as Alfa, PSB, Tbank, and Sber, attackers aimed to steal sensitive information from unsuspecting victims. The use of Fantasy Hub highlights the growing threat of MaaS operations, which can easily weaponize legitimate Android components to achieve full device compromise.

One of the most striking features of Fantasy Hub is that it integrates native droppers, WebRTC-based live streaming, and SMS-handler abuse into a single package. This lets the malware pose as a legitimate app and obtain broad permissions in one step. Its operators also rely on social engineering, distributing it through fake app pages built to evade detection.

Fantasy Hub's command-and-control panel shows, for each bot, the subscription time, device online/offline status, brand and model, last update, user ID, and SIM slot information. Buyers operate and monitor compromised devices through the panel's Telegram integration, which is configured with bots, chat IDs, tokens, and similar parameters.
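A command channel that runs over the Telegram Bot API leaves a recognisable shape in egress logs: requests to api.telegram.org whose path starts with /bot&lt;id&gt;:&lt;secret&gt;/&lt;method&gt;. The following detection sketch is an added example, not code from Zimperium or from the article; it scans constructed proxy log lines (the format, the client addresses and the bot token are all made up) and summarises Bot API use per client, redacting the token so it does not end up in an alert as a secret.

```python
"""Detection sketch for Telegram Bot API command channels in proxy logs.
The log lines, clients and bot token below are constructed for this
example; the only external fact used is the public Bot API URL shape
https://api.telegram.org/bot<id>:<secret>/<method>."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

BOT_API_HOST = "api.telegram.org"
# Path shape of the public Bot API: /bot<numeric id>:<secret>/<method>
BOT_PATH_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
# Methods that push content from the device to the operator's chat.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo",
                 "sendAudio", "sendVoice"}
# Constructed log format: <timestamp> <client ip> <verb> <host> <path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<verb>\S+) (?P<host>\S+) (?P<path>\S+)$"
)

# Constructed sample traffic; the token is a placeholder, not a real secret.
SAMPLE_LOG = """\
2025-11-11T09:01:02Z 10.0.5.23 GET api.telegram.org /bot123456789:AAExampleTokenNotReal-ZZ/getUpdates
2025-11-11T09:01:05Z 10.0.5.23 POST api.telegram.org /bot123456789:AAExampleTokenNotReal-ZZ/sendDocument
2025-11-11T09:01:07Z 10.0.5.41 GET www.example.com /index.html
2025-11-11T09:01:09Z 10.0.5.23 POST api.telegram.org /bot123456789:AAExampleTokenNotReal-ZZ/sendMessage
2025-11-11T09:02:11Z 10.0.5.77 GET web.telegram.org /k/
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one constructed log line into its fields; None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def redact_token(bot_id: str, secret: str) -> str:
    """Keep enough to correlate across alerts without storing the secret."""
    return f"{bot_id}:{secret[:3]}[redacted]"


def detect_bot_api(log_text: str) -> Dict[str, dict]:
    """Per-client summary of Bot API calls: which methods, how many are
    data-pushing (exfil) and how many are getUpdates polls (tasking)."""
    findings: Dict[str, dict] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["host"] != BOT_API_HOST:
            continue
        m = BOT_PATH_RE.match(rec["path"])
        if not m:
            continue
        f = findings.setdefault(rec["client"], {
            "bot_id": m["bot_id"],
            "token_redacted": redact_token(m["bot_id"], m["secret"]),
            "methods": Counter(),
            "exfil_calls": 0,
            "tasking_polls": 0,
            "first_seen": rec["ts"],
        })
        f["methods"][m["method"]] += 1
        if m["method"] in EXFIL_METHODS:
            f["exfil_calls"] += 1
        if m["method"] == "getUpdates":
            f["tasking_polls"] += 1
    return findings


def triage(findings: Dict[str, dict]) -> List[Tuple[str, str]]:
    """A client that both polls for tasking and pushes data out behaves like
    a bot-driven implant ("high"); anything else is queued for review."""
    out = []
    for client, f in sorted(findings.items()):
        verdict = "high" if f["exfil_calls"] and f["tasking_polls"] else "review"
        out.append((client, verdict))
    return out


if __name__ == "__main__":
    results = detect_bot_api(SAMPLE_LOG)
    for client, verdict in triage(results):
        f = results[client]
        print(client, verdict, f["token_redacted"], dict(f["methods"]))
```

Only api.telegram.org Bot API paths are counted; ordinary Telegram client traffic (web.telegram.org in the sample) is left alone, since personal messenger use is not the signal. A hit is a triage lead rather than a verdict: legitimate bots exist on managed devices, so the finding should be enriched with device type, install source and the timing of the uploads before anyone acts on it.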

Further analysis revealed that a native dropper inside a library named metamask_loader decrypts an embedded metadata.dat file with a custom XOR scheme (36-byte key), decompresses the result (gzip/zlib), and writes the payload to disk. Because the payload is stored encrypted and compressed, its static indicators stay hidden until runtime, which leaves static scanning of the APK with little to match on.
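To make the two-layer packing concrete, here is an added example (not code or data from Fantasy Hub, the metamask_loader library, or the Zimperium analysis) that builds a blob the same way the article describes, a gzip- or zlib-compressed payload under a repeating 36-byte XOR key, and then reverses it the way an analyst's unpacker would. The key, the payload bytes and the fake "c2.example.invalid" indicator string are all constructed; the example also shows why a string scanner misses the indicator before unpacking, and how the fixed gzip header gives a known-plaintext foothold on the first three key bytes.

```python
"""Unpacking a repeating-key XOR + gzip/zlib payload layer.
Key, payload and indicator string are constructed for the demo; nothing
here is taken from the real dropper."""
import gzip
import zlib
from typing import Optional

KEY_LEN = 36  # key length reported for the dropper; the bytes below are made up
DEMO_KEY = bytes(range(0x10, 0x10 + KEY_LEN))  # constructed, all non-zero
# Constructed stand-in for the dropped payload: a zip/APK-like header plus a
# fake indicator string that a static scanner would normally catch.
DEMO_PAYLOAD = b"PK\x03\x04 constructed payload; c2 host: c2.example.invalid\n"
GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate: fixed start of every gzip stream


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes, key: bytes, use_zlib: bool = False) -> bytes:
    """Build a blob in the order the article describes: compress, then XOR."""
    compressed = zlib.compress(payload) if use_zlib else gzip.compress(payload, mtime=0)
    return xor_repeating(compressed, key)


def decompress_any(stream: bytes) -> Optional[bytes]:
    """Accept either container: gzip (selected by magic bytes) or raw zlib."""
    if stream[:2] == GZIP_MAGIC[:2]:
        try:
            return gzip.decompress(stream)
        except (OSError, EOFError, zlib.error):
            return None
    try:
        return zlib.decompress(stream)
    except zlib.error:
        return None


def unpack(blob: bytes, key: bytes) -> Optional[bytes]:
    """Reverse the dropper's steps; None means the key or container is wrong."""
    return decompress_any(xor_repeating(blob, key))


def partial_key_from_gzip_header(blob: bytes) -> bytes:
    """Known-plaintext recovery: the first three gzip bytes are fixed, so XORing
    them against the blob yields key[0:3]. The remaining 33 bytes cannot be
    derived this way and have to be pulled from the native library (or from a
    runtime memory dump), which is why analysts go after the dropper itself."""
    return bytes(b ^ m for b, m in zip(blob[:3], GZIP_MAGIC))


def static_scan_hit(data: bytes, indicator: bytes) -> bool:
    """What a naive string scanner sees: is the indicator present verbatim?"""
    return indicator in data


if __name__ == "__main__":
    blob = pack(DEMO_PAYLOAD, DEMO_KEY)
    print("indicator visible before unpacking:", static_scan_hit(blob, b"example.invalid"))
    print("indicator visible after unpacking :",
          static_scan_hit(unpack(blob, DEMO_KEY) or b"", b"example.invalid"))
    print("key bytes recovered from gzip header:", partial_key_from_gzip_header(blob).hex())
```

The practical consequence for defenders is that signatures written against the dropped payload will not fire on the packed APK; detection has to key on the dropper (the native library, the decrypt-and-write-to-disk behaviour at runtime) or on what the payload does once it is loaded.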

In terms of its capabilities, Fantasy Hub allows operators to take over infected devices, gathering SMS messages, contacts, call logs, images, and videos. The malicious code also allows attackers to intercept, reply to, and delete incoming notifications, among other features.

The creators of Fantasy Hub have advertised the spyware's capabilities online, linking to a bot that manages paid subscriptions and builder access, plus step-by-step guides (and a video) to create fake Google Play pages and evade detection. This level of documentation highlights the sophistication of the attackers and the ease with which they can operate their malware.

The rise of MaaS operations like Fantasy Hub demonstrates how easily attackers can weaponize legitimate Android components to achieve full device compromise. Unlike older banking trojans that relied solely on overlays, Fantasy Hub integrates native droppers, WebRTC-based live streaming, and abuse of the SMS handler role to exfiltrate data and impersonate legitimate apps in real time.

In BYOD (Bring Your Own Device) and consumer-facing environments where app-store trust is assumed, this blend of social engineering and deep-system control makes Fantasy Hub especially dangerous. As such, it serves as a stark reminder of the ongoing threat landscape and the need for increased awareness and security measures to protect our devices and data.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Fantasy-Hub-The-Russian-Sold-Android-Malware-Thats-Spying-on-Devices-Via-Telegram-ehn.shtml
  • https://securityaffairs.com/184488/malware/fantasy-hub-russian-sold-android-rat-boasts-full-device-espionage-as-maas.html
  • https://thehackernews.com/2025/11/android-trojan-fantasy-hub-malware.html
  • https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:HTML/Phish.PSB!MTB
  • https://www.bleepingcomputer.com/news/security/heres-a-list-of-29-different-types-of-usb-attacks/
  • https://heimdalsecurity.com/blog/banking-malware-trojans/
  • https://www.forbes.com/sites/daveywinder/2025/03/07/26-million-devices-hit-by-infostealers-bank-cards-leaked-to-dark-web/


Published: Tue Nov 11 09:34:10 2025 by llama3.2 3B Q4_K_M
