Attackers are actively targeting users of more than 800 Android applications across the banking, cryptocurrency, and social media sectors. Cybersecurity firm Zimperium reports that four malware families are using sophisticated command-and-control infrastructure to steal credentials, carry out unauthorized financial transactions, and exfiltrate data.
These malware families, named RecruitRat, SaferRat, Astrinox, and Massiv, achieve near-zero detection rates against traditional security measures by employing advanced anti-analysis techniques and structural APK tampering. Attackers typically lure victims into installing malicious apps through phishing websites, fake job offers, fraudulent software updates, and text message scams.
Once installed, the malware can request critical Accessibility permissions, conceal its icon, prevent uninstallation, capture PINs and passwords via fake lock screens, steal one-time passcodes, stream device screens live, and overlay counterfeit login pages on legitimate financial applications. Overlay attacks, a key tactic, use Accessibility Services to detect when a victim opens a banking or crypto app, then display a convincing fake login page to harvest credentials.
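A defender-side triage heuristic for the capability combination described above, written for this article as an added example and not taken from Zimperium's report or any of the named families: it flags a decoded AndroidManifest.xml (as produced by apktool, for instance) that pairs the overlay permission with an Accessibility Service, asks for SMS access, registers a device-admin receiver, or exposes its launcher icon only through an activity-alias that can later be disabled to hide the icon. The manifest below is a constructed sample, and the flag names are this example's own.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

def has_launcher_filter(component):
    # True if any intent filter declares MAIN + LAUNCHER, i.e. a home-screen icon
    return any("android.intent.action.MAIN" in {a.get(NS + "name") for a in f.iter("action")}
               and "android.intent.category.LAUNCHER" in {c.get(NS + "name") for c in f.iter("category")}
               for f in component.iter("intent-filter"))

def triage_manifest(xml_text):
    # Returns the set of risk flags a decoded AndroidManifest.xml triggers
    root = ET.fromstring(xml_text)
    flags = set()
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    if OVERLAY in perms:            # needed to draw a fake login page over another app
        flags.add("overlay_permission")
    if perms & SMS:                 # one-time passcode interception
        flags.add("sms_access")
    if any(s.get(NS + "permission") == ACCESSIBILITY for s in root.iter("service")):
        flags.add("accessibility_service")   # can observe which app is in the foreground
    if any(r.get(NS + "permission") == DEVICE_ADMIN for r in root.iter("receiver")):
        flags.add("device_admin")            # commonly abused to resist uninstallation
    launchers = [a for a in root.iter("activity") if has_launcher_filter(a)]
    aliases = [a for a in root.iter("activity-alias") if has_launcher_filter(a)]
    if aliases and not launchers:
        flags.add("launcher_only_via_alias")  # icon can be hidden by disabling the alias
    if {"overlay_permission", "accessibility_service"} <= flags:
        flags.add("overlay_attack_capable")   # the pairing the overlay tactic relies on
    return flags

# Constructed sample manifest (not from any real sample) that exercises every check
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name=".Main"/>
    <activity-alias android:name=".Icon" android:targetActivity=".Main"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity-alias>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Legitimate accessibility tools, launchers and MDM agents declare several of these too, so the flags are a triage signal for prioritising deeper analysis, not a verdict on their own.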
The campaigns use HTTPS and WebSocket connections to blend command-and-control traffic in with normal app activity, and some variants add a further layer of encryption to evade detection.