Four New Android Malware Families Target 800+ Apps Globally

Key Findings


  • Four new Android malware families identified by Zimperium zLabs: RecruitRat, SaferRat, Astrinox, and Massiv

  • Campaigns actively targeting over 800 banking and cryptocurrency applications

  • Malware employs overlay attacks to steal credentials and sensitive data

  • Capable of intercepting one-time passwords and recording screen activity

  • Distribution methods include phishing, smishing, and fake job recruitment sites


Background


Zimperium zLabs cybersecurity researchers have been tracking four distinct Android malware campaigns operating simultaneously across different targeting strategies. Each family has been carefully designed to exploit specific user behaviors and trust vulnerabilities. The malware represents a significant threat to financial institutions and cryptocurrency users, as the attackers have developed sophisticated techniques to bypass security measures that users typically rely on.


Distribution Methods


The four malware families use different social engineering tactics tailored to their targets. RecruitRat focuses on job seekers by creating fake employment websites where users download what appears to be a job application APK file. SaferRat lures victims through websites promising free access to premium video streaming services. Astrinox impersonates HireX, a legitimate business tool, and was discovered on a fake Apple App Store page, though current attacks only target Android devices. Massiv remains mysterious, with researchers unable to identify clear distribution channels, suggesting the threat actors have invested significant effort in keeping this campaign hidden.


Overlay Attack Mechanism


Once installed, all four malware families deploy overlay attacks that create fake login screens appearing directly over legitimate banking and cryptocurrency applications. When victims enter their credentials thinking they're logging into their actual bank or crypto wallet, they're actually providing information directly to the attackers. The malware abuses Accessibility Service permissions to freeze the actual screen content, displaying either a frozen page or a fake Android update screen. This blindfold technique keeps users unaware that malicious activity is occurring in the background while the attackers harvest contacts, read SMS messages, and record screen activity using the MediaProjection framework.
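The combination described above, an enabled Accessibility Service paired with permission to draw over other apps, is something a defender can triage directly from a device. The following is an added example, not code from the article or from Zimperium: it parses the output of three adb commands (package list, the enabled_accessibility_services secure setting, and per-package appops for SYSTEM_ALERT_WINDOW) and flags third-party packages that hold both capabilities. The package names and appops strings are constructed sample data, and the appops output format is simplified from what real devices print.

```python
"""Added triage helper (not from the article): flag third-party Android
packages that combine an enabled Accessibility Service with the
SYSTEM_ALERT_WINDOW (draw-over-apps) capability that overlay attacks rely on.
Inputs are the text of:
  adb shell pm list packages -3
  adb shell settings get secure enabled_accessibility_services
  adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
The strings below are constructed for the demo; real appops output may
carry extra fields after the mode."""
import re

# Constructed sample: three third-party packages, one a genuine bank app.
THIRD_PARTY = """package:com.bank.example
package:com.jobs.applyform
package:com.stream.freetv
"""
# Colon-separated ComponentName list; empty or "null" when nothing is enabled.
ENABLED_A11Y = ("com.jobs.applyform/.AssistService:"
                "com.stream.freetv/com.stream.freetv.svc.Helper")
# Constructed per-package appops results.
APPOPS = {
    "com.bank.example": "No operations.",
    "com.jobs.applyform": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m1s ago",
    "com.stream.freetv": "SYSTEM_ALERT_WINDOW: allow",
}

def parse_packages(text):
    """Package names from 'pm list packages' output ('package:<name>' lines)."""
    return {line.split(":", 1)[1].strip()
            for line in text.splitlines() if line.startswith("package:")}

def a11y_packages(setting):
    """Package part of each enabled accessibility ComponentName."""
    if not setting or setting.strip() == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in setting.split(":") if comp}

def overlay_allowed(appops_text):
    """True when the SYSTEM_ALERT_WINDOW op is in 'allow' mode."""
    m = re.search(r"^SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_text, re.M)
    return bool(m) and m.group(1) == "allow"

def suspicious(packages_text, a11y_setting, appops_by_pkg):
    """Third-party packages with both an enabled a11y service and overlay rights."""
    both = parse_packages(packages_text) & a11y_packages(a11y_setting)
    return sorted(p for p in both if overlay_allowed(appops_by_pkg.get(p, "")))

if __name__ == "__main__":
    for pkg in suspicious(THIRD_PARTY, ENABLED_A11Y, APPOPS):
        print("review:", pkg)
```

A hit is a starting point for review, not proof of malware; legitimate assistive apps can hold both capabilities.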


Security Bypass Capabilities


These malware families have developed advanced methods to defeat standard security protections. They can intercept one-time passwords sent via text message in real time, rendering SMS-based OTP protection largely ineffective. RecruitRat in particular stores over 700 pre-built fake login pages within the malware itself, which activate instantly when a user opens a targeted application. All four families include keylogging functionality that captures every tap on the device. They maintain persistent WebSocket connections to attacker infrastructure, allowing the operators to monitor activity and strike at the moment sensitive information is being entered.


User Protection Recommendations


Security experts advise users to avoid clicking links in unsolicited text messages claiming account problems or urgent action requirements. Applications should only be downloaded from official app stores rather than from links in messages or emails. Users should remain suspicious of job recruitment sites and verify the legitimacy of employers before downloading any application files. For organizations, the discovery of these campaigns underscores the importance of monitoring employee devices and implementing robust mobile device management solutions.


Sources


  • https://hackread.com/recruitrat-saferrat-astrinox-massiv-android-malware/

  • https://www.scworld.com/brief/4-new-android-malware-families-target-800-apps

  • https://www.livethreat.ai/intelligence/new-recruitrat-saferrat-astrinox-massiv-android-malware-found-targeting-800-apps-16083

  • https://x.com/HackRead/status/2045213322484543695
