Fantasy Hub: Android Malware-as-a-Service for $200/Week Steals 2FA Credentials

A new Android remote access trojan, Fantasy Hub, is being sold as a subscription service, significantly lowering the barrier for cybercriminals to conduct sophisticated espionage and credential theft.

Fantasy Hub converts any legitimate application on an Android device into spyware. It can intercept SMS messages and stream live audio and video from an infected device in real time.

The malware is primarily distributed through Russian-speaking Telegram channels. It operates under a Malware-as-a-Service (MaaS) model, enabling individuals without advanced technical skills to deploy it.

Access to Fantasy Hub costs USD $200 per week, USD $500 per month, or USD $4,500 annually, depending on the chosen subscription plan.


Once installed, often disguised as a Google Play Store update, Fantasy Hub requests to become the default SMS application. This critical permission allows it to steal two-factor authentication (2FA) messages.

It also gains unauthorized access to contacts, call logs, images, and videos. The malware activates the device’s camera and microphone in real time using WebRTC technology.

[Screenshot: the Fantasy Hub control panel, with several options to control devices.]

Its command-and-control (C2) panel provides attackers with a list of compromised devices and subscription statuses. This allows them to issue specific commands to gather data. The vendor claims users can upload any Android application package (APK) file to receive a “trojanized” version embedded with the malicious software.

This malware poses a substantial threat to mobile banking users. The attack techniques identified include fake Google Play updates and deceptive overlays designed to capture credentials for Russian financial institutions such as Alfa-Bank, PSB Bank, T-Bank, and Sberbank.

Vishnu Pratapagiri, a researcher with the firm Zimperium, warned that this malware directly endangers companies, including those that permit employees to use personal devices (BYOD) or that handle sensitive banking or information management applications on mobile phones.

The emergence of Fantasy Hub coincides with a continuous increase in malicious applications targeting the Android ecosystem. Reports indicate that banking trojan attacks have risen by approximately 67% year-over-year.

Between June 2024 and May 2025, 239 malicious apps were identified on the Google Play Store, accumulating an estimated 42 million downloads. Separately, another malware known as NGate has been detected in Poland, stealing bank card information via NFC attacks on Android devices.

The MaaS model significantly lowers technical barriers for criminals. For a subscription fee, they receive a fully functional platform, malware builder, ongoing support, and updates. This empowers attackers with limited technical experience to launch sophisticated espionage or credential theft campaigns.

To mitigate risks, Android users should disable installations from unofficial sources. They should also carefully review permissions requested by any updates and avoid setting unknown applications as the default SMS application.

Businesses should implement robust mobile device management policies. They should also conduct app behavior analysis and educate employees about advanced spyware like Fantasy Hub.

Early detection of anomalous behaviors is critical. These include background camera or microphone streaming, unexpected requests for critical permissions, and outgoing connections to unknown destinations. Defensive systems are also advised, including filtering for malicious applications, mobile sandboxes, and network activity monitoring.
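The indicators above (sideloading, an unknown default SMS app, SMS access combined with camera and microphone, a fake store label) can be combined into a simple inventory triage. This is an added example, not code from the article or from Zimperium; the record layout is a hypothetical MDM export, and the allowlist, threshold and sample records are assumptions constructed for illustration.

```python
# Added example, not from the article. The record layout is a hypothetical MDM
# export and every sample record below is constructed for illustration.
TRUSTED_INSTALLERS = {"com.android.vending"}             # Google Play Store
KNOWN_SMS_APPS = {"com.google.android.apps.messaging"}   # assumed allowlist
P = "android.permission."
SMS = {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS"}
AV = {P + "CAMERA", P + "RECORD_AUDIO"}
STORE_LABELS = ("google play", "play store")

def triage(app):
    """Return the findings for one inventory record, in a fixed order."""
    findings = []
    perms = set(app.get("permissions", []))
    pkg = app["package"]
    # Assumption: the preinstalled store app reports no installer; exempt it.
    sideloaded = (app.get("installer") not in TRUSTED_INSTALLERS
                  and pkg not in TRUSTED_INSTALLERS)
    if sideloaded:
        findings.append("sideloaded")
    if app.get("default_sms") and pkg not in KNOWN_SMS_APPS:
        findings.append("unknown-default-sms")   # holder can read 2FA messages
    if perms & SMS and AV <= perms:
        findings.append("sms+camera+mic")        # interception plus streaming
    if sideloaded and any(s in app.get("label", "").lower() for s in STORE_LABELS):
        findings.append("fake-store-update")     # lure described in the article
    return findings

def audit(inventory, threshold=2):
    """Map package -> findings for apps with at least `threshold` findings."""
    hits = {}
    for app in inventory:
        found = triage(app)
        if len(found) >= threshold:
            hits[app["package"]] = found
    return hits

SAMPLE = [  # constructed records
    {"package": "com.example.update", "label": "Google Play Update",
     "installer": None, "default_sms": True, "permissions": sorted(SMS | AV)},
    {"package": "com.google.android.apps.messaging", "label": "Messages",
     "installer": "com.android.vending", "default_sms": True,
     "permissions": sorted(SMS | AV)},
    {"package": "com.android.vending", "label": "Google Play Store",
     "installer": None, "default_sms": False, "permissions": []},
    {"package": "com.example.torch", "label": "Torch",
     "installer": None, "default_sms": False, "permissions": [P + "CAMERA"]},
]

if __name__ == "__main__":
    for pkg, found in audit(SAMPLE).items():
        print(pkg, found)
```

Requiring at least two findings keeps a legitimate messaging app, which also holds SMS, camera and microphone permissions, out of the results while still surfacing the fake update.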

Fantasy Hub exemplifies how digital crime is evolving toward more accessible, powerful, and mobile-targeted services. The combination of a software-as-a-service model with social engineering and remote control makes the Android ecosystem an increasingly strategic target. The industry, including private sector companies, regulators, and security agencies, must accelerate its response to these evolving threats.
