
Android malware uses blank icons and fake screens to steal financial credentials


  • Four Android banking trojan campaigns target hundreds of finance and social apps
  • Malware hides icons, blocks removal, and overlays fake banking login screens
  • Live screen streaming lets attackers monitor activity and capture authentication steps

Security researchers have tracked four Android banking trojan campaigns that rely on deception, stealth, and disappearing app icons to stay out of sight after installation.

Researchers at Zimperium say the campaigns, named RecruitRat, SaferRat, Astrinox, and Massiv, collectively targeted more than 800 banking, cryptocurrency, and social media apps.

The potential reach is vast because many of the targeted apps have billions of downloads between them, although the number of actual infections is far smaller and likely in the millions rather than billions.


Increasingly complex installation techniques

The researchers note that the attackers rely heavily on tricking users rather than on exploiting technical flaws. Victims are directed to fake websites disguised as job portals, streaming services, or software download pages that look legitimate at first glance.

Some campaigns imitate recruitment platforms, pushing victims to download an app as part of a supposed hiring process, while others promise free access to premium streaming content. This leads users to sideload malicious software from unofficial sources.


Installation techniques have grown increasingly complex, with many attacks using multi-stage delivery in which the initial app conceals the real malware payload inside another file and unpacks it only after installation.

One tactic involves mimicking official update screens, including layouts resembling the Google Play interface, to lower suspicion during installation.

Once active, the malware typically asks the user to enable an Accessibility Service. That permission lets it observe user actions, read on-screen content, and click through system dialogs on its own behalf, so it can grant itself further permissions without the user's clear knowledge.


A particularly deceptive feature lets certain variants replace their app icon with a blank image, effectively making the app "vanish" from the device's app drawer and confusing users who try to locate or remove it.

Other versions interfere directly with uninstall attempts by redirecting users away from the relevant system settings screens.
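The three behaviours just described (an Accessibility Service the user was talked into enabling, an icon that has disappeared from the app drawer, and the ability to draw over other apps) can each be checked from a connected device with adb, and together they make a useful triage list when a phone is suspected of carrying one of these families. The script below is an added example written for this article, not Zimperium's tooling and not code from any of the campaigns. It parses constructed samples of the output of four adb commands (`pm list packages -3`, `settings get secure enabled_accessibility_services`, `cmd package query-activities --brief` for launcher activities, and `appops get <pkg> SYSTEM_ALERT_WINDOW`) and ranks third-party packages by how many of the three indicators they show; the package names and outputs are invented for the example, and `collect_from_device` assumes an `adb` binary on the path with one device attached.

```python
"""Offline triage of adb output for signs of an Android banking trojan.

Example code added to this article (not Zimperium's tooling). The four
command outputs below are constructed samples in the formats printed by
  adb shell pm list packages -3
  adb shell settings get secure enabled_accessibility_services
  adb shell cmd package query-activities --brief \
      -a android.intent.action.MAIN -c android.intent.category.LAUNCHER
  adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
"""
import re
import subprocess
from dataclasses import dataclass

# Constructed: third-party (user-installed) packages on the device.
PM_LIST_PACKAGES_3 = """\
package:com.example.bank
package:com.example.streamplus
package:com.example.jobportal
package:com.example.notes
package:com.example.keyboard
"""

# Constructed: colon-separated component names of enabled accessibility services.
ENABLED_A11Y = (
    "com.example.streamplus/com.example.streamplus.ScreenReaderService:"
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.jobportal/.HelperService"
)

# Constructed: activities that currently answer the launcher intent.
# A package whose launcher alias has been disabled is simply absent here.
LAUNCHER_QUERY = """\
4 activities found:
  com.example.bank/.MainActivity
  com.example.notes/.NotesActivity
  com.example.jobportal/.StartActivity
  com.android.settings/.Settings
"""

# Constructed: per-package SYSTEM_ALERT_WINDOW app-op state (overlay permission).
APPOPS_SAW = {
    "com.example.bank": "SYSTEM_ALERT_WINDOW: deny\n",
    "com.example.streamplus": "SYSTEM_ALERT_WINDOW: allow; time=+2h13m42s ago\n",
    "com.example.jobportal": "SYSTEM_ALERT_WINDOW: deny\n",
    "com.example.notes": "SYSTEM_ALERT_WINDOW: allow\n",
    "com.example.keyboard": "No operations.\n",
}

# Matches one "package/Component" line from query-activities --brief;
# the "N activities found:" header starts with a digit and is skipped.
COMPONENT_RE = re.compile(r"^\s*([A-Za-z][\w.]*)/(\S+)\s*$")


def parse_pm_list(text):
    """'package:com.foo' lines -> set of package names."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}


def parse_a11y_services(text):
    """Colon-separated component list -> {package: [component, ...]}."""
    services = {}
    for comp in text.strip().split(":"):
        if "/" in comp:                       # skips 'null' when none are enabled
            services.setdefault(comp.split("/", 1)[0], []).append(comp)
    return services


def parse_launcher_packages(text):
    """Packages that still expose a launcher activity (i.e. have an icon)."""
    return {m.group(1) for m in map(COMPONENT_RE.match, text.splitlines()) if m}


def overlay_allowed(appops_text):
    """True when the SYSTEM_ALERT_WINDOW app-op mode is 'allow'."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_text)
    return bool(m) and m.group(1) == "allow"


@dataclass
class Finding:
    package: str
    indicators: list

    @property
    def severity(self):
        return {1: "low", 2: "medium"}.get(len(self.indicators), "high")


def triage(pm_text, a11y_text, launcher_text, appops_by_pkg):
    """Rank third-party packages by accessibility abuse, overlay ability, hidden icon."""
    a11y = parse_a11y_services(a11y_text)
    launcher = parse_launcher_packages(launcher_text)
    findings = []
    for pkg in sorted(parse_pm_list(pm_text)):
        indicators = []
        if pkg in a11y:
            indicators.append("accessibility service enabled: " + ", ".join(a11y[pkg]))
        if overlay_allowed(appops_by_pkg.get(pkg, "")):
            indicators.append("SYSTEM_ALERT_WINDOW allowed (can draw overlays)")
        if pkg not in launcher:
            indicators.append("no launcher activity (icon hidden or disabled)")
        if indicators:
            findings.append(Finding(pkg, indicators))
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (rank[f.severity], f.package))
    return findings


def adb(*args):
    """Run one 'adb shell ...' command and return its stdout (assumes adb on PATH)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def collect_from_device():
    """Same triage against a live device instead of the constructed samples."""
    pm = adb("pm", "list", "packages", "-3")
    a11y = adb("settings", "get", "secure", "enabled_accessibility_services")
    launcher = adb("cmd", "package", "query-activities", "--brief",
                   "-a", "android.intent.action.MAIN",
                   "-c", "android.intent.category.LAUNCHER")
    appops = {p: adb("appops", "get", p, "SYSTEM_ALERT_WINDOW") for p in parse_pm_list(pm)}
    return triage(pm, a11y, launcher, appops)


if __name__ == "__main__":
    for f in triage(PM_LIST_PACKAGES_3, ENABLED_A11Y, LAUNCHER_QUERY, APPOPS_SAW):
        print(f"[{f.severity}] {f.package}")
        for ind in f.indicators:
            print("   -", ind)
```

On the constructed sample the only high-severity hit is `com.example.streamplus`, which holds an accessibility service, can draw overlays, and has no launcher entry; the other three each show a single indicator and are listed as low so an analyst can dismiss the keyboard and the note-taking app quickly. Two caveats: a variant that merely swaps in a transparent icon still registers a launcher activity and will pass the third check, so its icon resources have to be inspected in the APK instead, and legitimate accessibility tools such as a screen reader also appear in the enabled-services list, which is why the script ranks packages rather than declaring any of them malicious.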

Screen overlays play a major role in credential theft across all four campaigns. Fake lock screens capture device PINs and unlock patterns, while simulated login pages, drawn over the legitimate banking app when it is opened, harvest the credentials users type into them.


Some variants even display full-screen "update" messages that block normal interaction while the malware carries out actions in the background.

Beyond stealing credentials, several families transmit live screen content to remote servers, creating a continuous visual feed that allows attackers to observe activity and intercept authentication steps in real time.

Encrypted channels connect infected devices to centralized command-and-control servers that coordinate the attacks and push updated instructions.

These servers can manage thousands of compromised devices at once, making large-scale financial theft easier to organize.


Zimperium's researchers say evolving evasion methods, including hidden payloads and tampering with the structure of the APK itself, make detection harder for traditional security tools.

(Image credit: Zimperium)
