Full Report
Cybersecurity researchers have disclosed details of a new Android remote access trojan (RAT) called Fantasy Hub that's sold on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model. According to its seller, the malware enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos, as well as intercept, reply,
Analysis Summary
# Tool/Technique: Fantasy Hub
## Overview
Fantasy Hub is a newly disclosed Android Remote Access Trojan (RAT) sold via a Malware-as-a-Service (MaaS) model on Russian-speaking Telegram channels. It is marketed to provide threat actors with comprehensive device control and espionage capabilities, posing a significant threat to organizations, particularly those utilizing BYOD policies or relying on mobile banking.
## Technical Details
- Type: Malware (Remote Access Trojan - RAT)
- Platform: Android
- Capabilities: Device control, SMS interception and manipulation, contact/call log exfiltration, media file (image/video) harvesting, notification interception/reply/deletion, real-time streaming (camera/mic), overlay attacks against banking applications.
- First Seen: Not stated in the source; publicly disclosed around November 2025.
## MITRE ATT&CK Mapping
*Note: Mappings are inferred from the described capabilities. IDs are Enterprise ATT&CK unless marked as Mobile ATT&CK.*
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (implied by the web-based C2 panel and WebRTC usage)
- **TA0009 - Collection**
  - T1005 - Data from Local System (SMS messages, contacts, call logs; T1005 has no sub-techniques)
  - T1119 - Automated Collection (collection of files, images, videos)
  - T1113 - Screen Capture (Mobile ATT&CK: T1513; implied by the device control/espionage features)
- **TA0003 - Persistence**
  - Abuse of the default SMS handler role to obtain SMS, contact, camera and file permissions in one step (no dedicated ATT&CK technique ID; T1641 denotes Data Manipulation in Mobile ATT&CK and does not describe this behaviour)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (general data transfer)
## Functionality
### Core Capabilities
* **Data Theft:** Collection of SMS messages, contacts, and call logs.
* **File Exfiltration:** Harvesting images and videos from the device.
* **Notification Hijacking:** Intercepting, replying to, and deleting incoming notifications.
* **MaaS Model:** Utilizes a bot-driven subscription service ($200/week, $500/month, $4,500/year) managed via Telegram, lowering the entry barrier for novice attackers.
* **Builder Service:** Allows customers to upload APKs, which are then trojanized with the malicious payload using a custom icon/name/landing page selection.
### Advanced Features
* **SMS Handler Abuse:** Exploits the ability to become the default SMS handler application to gain sensitive permissions (SMS, contacts, camera, files) in one step, rather than requesting them individually at runtime.
* **Overlay Attacks:** Deploys fake overlays targeting Russian financial institutions (Alfa, PSB, T-Bank, Sberbank) to harvest banking credentials.
* **Real-Time Streaming:** Uses an open-source project leveraging **WebRTC** to stream camera and microphone content in real-time to the operator.
* **Distribution Support:** Provides customers with instructions on creating fake Google Play Store landing pages and bypassing platform restrictions.
* **Alert Routing:** Command and control (C2) configuration allows sellers to route general and high-priority alerts to separate Telegram chats based on chat ID and tokens.
## Indicators of Compromise
- File Hashes: Not provided in the context.
- File Names: Dropper apps were observed masquerading as a "Google Play update."
- Registry Keys: Not applicable (Android).
- Network Indicators: The source describes a C2 panel used for command issuance and subscription status monitoring but gives no domains or IP addresses. (`c2[.]fantasyhub[.]com` is an illustrative placeholder, not an observed indicator.)
- Behavioral Indicators: Prompting the user to set the malware as the default SMS handling application. Use of WebRTC for outbound streaming. Creation of fake application landing pages.
## Associated Threat Actors
* Threat actors operating on Russian-speaking Telegram channels, who refer to their victims as "mammoths" (common slang in Russian-speaking cybercrime communities).
* Analyst notes suggest the architecture closely mirrors that of the **HyperRat** Android RAT.
## Detection Methods
- Signature-based detection: No signatures are published in the source; they must be derived from payload samples once identified.
- Behavioral detection: Monitoring for requests to set the application as the default SMS handler. Detecting attempts to initiate WebRTC streams or persistent overlays targeting banking login screens.
- YARA rules: Not provided in the context.
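The behavioral indicator above (an app asking to become the default SMS handler while also carrying spyware-style capabilities) can be triaged statically before install. The following Python script is an added example, not code from the original report or from any vendor: it checks an AndroidManifest.xml for the four components Android requires before it will offer an app the default SMS role, and flags that role when it is combined with camera, microphone, overlay or notification-listener access. The two manifests embedded at the bottom are constructed for the example.

```python
"""Static triage of an AndroidManifest.xml for the default-SMS-handler pattern.

Added example, not code from the original report. Android only offers an app
the default SMS role if its manifest declares four specific components; this
script checks for that set and for permissions a messaging app rarely needs
(camera, microphone, overlays, notification access). Both manifests at the
bottom are constructed for the example.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix for android:* attributes

# (component tag, intent action, android:permission the component must declare)
SMS_ROLE_REQUIREMENTS = [
    ("receiver", "android.provider.Telephony.SMS_DELIVER", "android.permission.BROADCAST_SMS"),
    ("receiver", "android.provider.Telephony.WAP_PUSH_DELIVER", "android.permission.BROADCAST_WAP_PUSH"),
    ("activity", "android.intent.action.SENDTO", None),  # docs also require sms/smsto/mms/mmsto schemes
    ("service", "android.intent.action.RESPOND_VIA_MESSAGE", "android.permission.SEND_RESPOND_VIA_MESSAGE"),
]

# uses-permission entries that map to the non-messaging capabilities in the report
SUSPICIOUS_PERMISSIONS = {
    "android.permission.CAMERA": "camera streaming",
    "android.permission.RECORD_AUDIO": "microphone streaming",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay attacks",
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def _declares(component, action, required_permission):
    """True if the component carries the required permission and an intent-filter for action."""
    if required_permission and component.get(A + "permission") != required_permission:
        return False
    return any(
        act.get(A + "name") == action
        for flt in component.findall("intent-filter")
        for act in flt.findall("action")
    )


def triage_manifest(xml_text):
    """Return a dict describing the SMS-role declaration and the risky permission combination."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    components = list(app) if app is not None else []
    permissions = {p.get(A + "name") for p in root.findall("uses-permission")}

    missing = [
        action
        for tag, action, perm in SMS_ROLE_REQUIREMENTS
        if not any(c.tag == tag and _declares(c, action, perm) for c in components)
    ]
    findings = [f"{perm}: {why}" for perm, why in SUSPICIOUS_PERMISSIONS.items() if perm in permissions]
    if any(c.tag == "service" and c.get(A + "permission") == NOTIFICATION_LISTENER for c in components):
        findings.append("notification listener service: notification interception")

    role_complete = not missing
    if role_complete and findings:
        verdict = "high"    # default-SMS role bundled with spyware-style capabilities
    elif role_complete:
        verdict = "review"  # legitimate messaging apps also declare the role; confirm the publisher
    else:
        verdict = "low"
    return {
        "package": root.get("package"),
        "label": app.get(A + "label") if app is not None else None,
        "sms_role_complete": role_complete,
        "missing_role_components": missing,
        "findings": findings,
        "verdict": verdict,
    }


# Constructed manifest mimicking a dropper posing as a "Google Play update" (hypothetical package name)
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.playupdate">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Google Play update">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <activity android:name=".ComposeActivity">
      <intent-filter><action android:name="android.intent.action.SENDTO"/><data android:scheme="sms"/></intent-filter>
    </activity>
    <service android:name=".RespondService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
    <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest of an ordinary camera app: one sensitive permission, no SMS role
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.camera">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Camera"><activity android:name=".MainActivity"/></application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

Run it against a manifest extracted from an APK (for example the decoded output of apktool) to get a quick verdict; a "review" result on its own is not malicious, since real messaging apps must declare the same four components, which is why the verdict only escalates when the role is paired with the camera, microphone, overlay or notification capabilities the report describes.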
## Mitigation Strategies
* **User Education:** Cautioning users against granting the default SMS handler role to any application other than the device's standard messaging app.
* **Application Vetting:** Strict security review for enterprise devices, especially concerning BYOD usage involving sensitive financial applications.
* **Installation Restrictions:** Using Mobile Device Management (MDM) to block installation of applications from outside official application stores and to restrict the granting of sensitive system permissions.
* **Overlay Defense:** Utilizing accessibility services monitoring or security solutions capable of detecting fraudulent overlays over legitimate banking apps.
## Related Tools/Techniques
* **HyperRat:** Android RAT whose command-and-control and builder architecture closely mirrors that of Fantasy Hub.
* **ClayRAT:** Shares the technique of abusing default SMS privileges for permission escalation.
* Other Android RATs/Banking Trojans leveraging MaaS models on Telegram (e.g., Anatsa, Void).