New RecruitRat, SaferRat, Astrinox, Massiv Android Malware Found Targeting 800 Apps
Four Android malware campaigns targeting 800+ banking and crypto apps discovered.
Summary
Zimperium researchers identified four active Android malware families—RecruitRat, SaferRat, Astrinox, and Massiv—deployed across coordinated phishing and smishing campaigns targeting over 800 banking and cryptocurrency applications globally. The malware uses overlay attacks, accessibility service abuse, OTP interception, and keylogging to steal credentials and sensitive data. Researchers recommend users download apps only from official platforms and avoid clicking links in unsolicited text messages.
Full text
New research from Zimperium reveals four active Android malware campaigns, RecruitRat, SaferRat, Astrinox, and Massiv, targeting over 800 banking apps globally.

By Deeba Ahmed, April 17, 2026

Cybersecurity researchers from Zimperium zLabs have shared details on four new Android malware families currently being used in four different campaigns targeting Android banking and crypto apps. These are capable of stealing private data from more than 800 apps, according to Zimperium’s report shared with Hackread.com.

Meet the Four Families

The zLabs team has been busy tracking these threats, which they’ve named RecruitRat, SaferRat, Astrinox, and Massiv. Each one uses a different trick to lure users into downloading the malware, with the most common methods being phishing and smishing.

Phishing involves fake websites that look exactly like real login pages for banks or popular services. For example, the SaferRat campaign uses websites that promise free access to premium video streaming services to lure victims in.

[Image: Fake websites used to lure users (Source: Zimperium)]

In smishing, urgent text messages claim there is a problem with your account and carry a link that downloads the malicious payload when clicked.

The RecruitRat campaign uses fake job-seeking sites and targets employment seekers, getting them to download an APK file that looks like a job application. Then there is Astrinox, which mimics a business tool called HireX on the site xhirecc. While researchers found a fake Apple App Store page for this one, they noted that the actual malicious payloads are currently only targeting Android users. The final group, Massiv, is a mystery, though: it is so well hidden that researchers couldn’t find any clear sign of how it spreads.

The Blindfold Trick

Once these apps infect a phone, they quickly launch an overlay attack. This involves a fake screen that pops up right when you open a real app, like your bank or a crypto wallet. If you type your password, you aren’t giving it to the bank but to the hackers.

[Image: Fake overlays (Source: Zimperium)]

To avoid raising suspicion, the malware uses a blindfold, Zimperium’s report found. By abusing Accessibility Service permissions, it can put a static image over your screen. You see a frozen page or a fake Android Update screen while the hackers work in the background, viewing your contacts, reading your SMS messages, and even recording your screen using the MediaProjection framework.

Bypassing Your Security

One of the most dangerous parts of these attacks is how they handle security codes. We always feel safe because of one-time passwords (OTPs) sent via text, but these programs can intercept those texts in real time. Researchers noted that RecruitRat even has a library of over 700 fake login pages stored inside it, which activate the moment you open a targeted app.

These threat actors are also using keylogging to track every single tap you make. Using a constant link through WebSockets, they stay connected to your device, waiting for the perfect moment to strike. Experts suggest avoiding clicking links in urgent texts and downloading apps only from the official platforms.
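A defender-side triage of the behaviours described above, as an added example that is not from Zimperium's report or the original article: it flags sideloaded apps that hold an enabled accessibility service together with SMS, overlay or screen-capture capability. The package names and inventory are constructed, and treating the Play Store as the only trusted installer is an assumption.

```python
# Added example: constructed device inventory, not data from the report.
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
# Declared by apps targeting Android 14+ that run a screen-capture service.
PROJECTION = "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only

def enabled_a11y_packages(setting):
    """Parse the value of `settings get secure enabled_accessibility_services`:
    colon-separated 'package/ServiceClass' entries, or 'null' when empty."""
    if not setting or setting.strip() == "null":
        return set()
    return {c.split("/", 1)[0] for c in setting.strip().split(":") if "/" in c}

def triage(apps, a11y_setting):
    """Return (package, signals) for apps matching the risky combination."""
    a11y = enabled_a11y_packages(a11y_setting)
    findings = []
    for app in apps:
        perms = set(app["permissions"])
        signals = []
        if app.get("installer") not in TRUSTED_INSTALLERS:
            signals.append("sideloaded")
        if app["package"] in a11y:
            signals.append("accessibility-service-enabled")
        if perms & SMS:
            signals.append("sms-access")
        if OVERLAY in perms:
            signals.append("overlay")
        if PROJECTION in perms:
            signals.append("screen-capture")
        # Flag only: sideloaded + active accessibility service + one more capability.
        if signals[:2] == ["sideloaded", "accessibility-service-enabled"] and len(signals) >= 3:
            findings.append((app["package"], signals))
    return findings

# Constructed sample: one risky sideload, one legitimate screen reader,
# one Play-installed SMS backup tool, one harmless sideloaded game.
SAMPLE_A11Y = "com.example.jobportal/.SyncService:com.example.reader/com.example.reader.ReaderService"
SAMPLE_APPS = [
    {"package": "com.example.jobportal", "installer": None,
     "permissions": ["android.permission.RECEIVE_SMS", OVERLAY, PROJECTION]},
    {"package": "com.example.reader", "installer": "com.android.vending",
     "permissions": [OVERLAY]},
    {"package": "com.example.smsbackup", "installer": "com.android.vending",
     "permissions": ["android.permission.READ_SMS"]},
    {"package": "com.example.game", "installer": None, "permissions": []},
]

if __name__ == "__main__":
    for package, signals in triage(SAMPLE_APPS, SAMPLE_A11Y):
        print(package, ", ".join(signals))
```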
Indicators of Compromise
- malware — RecruitRat
- malware — SaferRat
- malware — Astrinox
- malware — Massiv