- Four Android banking Trojan campaigns target hundreds of financial and social apps
- Malware hides icons, blocks deletion and overlays fake banking login screens
- Live screen streaming allows attackers to monitor activity and capture authentication steps
Security researchers have tracked four Android banking Trojan campaigns that rely on deception, stealth, and disappearing app icons to remain hidden after installation.
Zimperium researchers say the campaigns, named RecruitRat, SaferRat, Astrinox and Massiv, collectively targeted more than 800 banking, cryptocurrency and social media apps.
The potential reach is vast because many of the targeted apps have billions of downloads between them, although that figure measures exposure rather than compromise; actual infections are likely in the millions.
Increasingly complex installation techniques
The researchers note that the attackers rely largely on deceiving users rather than on exploiting technical flaws. Victims are directed to fake websites disguised as job portals, streaming services or software downloads that appear legitimate at first glance.
Some campaigns mimic recruitment platforms, tricking victims into downloading an app as part of a purported hiring process, while others promise free access to premium streaming content. In each case the user ends up sideloading the malware from a source outside the official app store.
Installation techniques have become increasingly complex, with many attacks using multi-stage delivery methods that hide the true malware payload in another file.
One tactic is to mimic official update screens, including layouts resembling the Google Play interface, to reduce suspicion during installation.
Once active, the malware typically asks the user to enable an accessibility service. That single grant lets it read screen content, monitor the user's actions and inject taps of its own, which it uses to click through further permission prompts and grant itself additional privileges without the user being clearly informed.
One particularly deceptive feature allows some variants to replace their app icon with a blank image, so the app appears to vanish from the device's app drawer and users struggle to locate or remove it.
Other versions interfere directly with uninstall attempts, redirecting the user away from the relevant system settings screen whenever it is opened.
Screen overlays play a major role in credential theft in all four campaigns. Fake lock screens capture PINs and unlock patterns, while simulated banking login pages drawn over a legitimate app the moment it is opened collect the credentials the user types in.
Some variants also display a full-screen "update" message that blocks normal interaction while actions are carried out in the background.
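The two capabilities described above, an enabled accessibility service and the overlay permission, are both visible from an ADB shell, so a responder can triage a device for apps that combine them with a sideloaded install. The script below is an added example written for this page, not tooling from Zimperium or the article; it parses the text of three `adb shell` commands (`pm list packages -3 -i`, `settings get secure enabled_accessibility_services`, and `appops get <pkg> SYSTEM_ALERT_WINDOW`) and the sample outputs, package names and timestamps embedded in it are constructed, not captured from a real device. Icon hiding via a blank image is not detectable this way and is not covered.

```python
"""Triage third-party Android apps that combine a sideloaded install with an
enabled accessibility service and the SYSTEM_ALERT_WINDOW (overlay) permission.
All input text below is constructed for this example; on a real device, capture
it with the adb commands named in the comments and pass it to triage()."""
import re

# Constructed output of: adb shell pm list packages -3 -i
# (third-party packages with the installer that put them on the device)
PACKAGES_OUT = """\
package:com.bank.legit  installer=com.android.vending
package:com.example.jobportal  installer=null
package:com.example.streamfree  installer=null
package:com.example.notes  installer=com.android.vending
"""

# Constructed output of: adb shell settings get secure enabled_accessibility_services
# Entries are pkg/class pairs separated by ':'; TalkBack is included to show that an
# accessibility service on its own is not a finding.
ACCESSIBILITY_OUT = (
    "com.example.jobportal/com.example.jobportal.A11yService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService\n"
)

# Constructed output of: adb shell appops get <pkg> SYSTEM_ALERT_WINDOW, one per package
APPOPS_OUT = {
    "com.bank.legit": "No operations.\n",
    "com.example.jobportal": "SYSTEM_ALERT_WINDOW: allow; time=+2h11m3s120ms ago\n",
    "com.example.streamfree": "SYSTEM_ALERT_WINDOW: allow; time=+5m0s0ms ago\n",
    "com.example.notes": "No operations.\n",
}


def parse_packages(text):
    """Map package name -> installer; 'null' means no installer was recorded (sideload)."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs


def parse_accessibility(text):
    """Set of packages that currently have an accessibility service enabled."""
    enabled = set()
    for entry in text.strip().split(":"):
        if "/" in entry:  # 'null' (no services) has no '/', so it yields nothing
            enabled.add(entry.split("/", 1)[0])
    return enabled


def overlay_allowed(text):
    """True if appops reports the overlay op as allowed for this package."""
    return bool(re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", text))


def triage(packages_out, accessibility_out, appops_out):
    """Return [(package, [reasons])] for packages with at least two indicators,
    most indicators first. One indicator alone is normal for many legitimate apps."""
    pkgs = parse_packages(packages_out)
    a11y = parse_accessibility(accessibility_out)
    findings = []
    for pkg, installer in pkgs.items():
        reasons = []
        if installer == "null":
            reasons.append("sideloaded (no installer recorded)")
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if overlay_allowed(appops_out.get(pkg, "")):
            reasons.append("SYSTEM_ALERT_WINDOW allowed")
        if len(reasons) >= 2:
            findings.append((pkg, reasons))
    findings.sort(key=lambda f: -len(f[1]))
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(PACKAGES_OUT, ACCESSIBILITY_OUT, APPOPS_OUT):
        print(pkg, "->", "; ".join(reasons))
```

The threshold of two indicators is a triage heuristic, not a verdict: screen readers legitimately hold accessibility access and chat apps legitimately hold the overlay permission, so a single indicator is expected on a clean device, while the combination of all three on an app installed from outside the store is what a responder should pull for closer analysis.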
Beyond credential theft, several families transmit live screen content to remote servers, creating a continuous visual stream that allows attackers to observe activity and intercept authentication steps in real time.
Encrypted channels connect infected devices to centralized command-and-control servers that coordinate the attacks and push updated instructions to the malware.
These servers can manage thousands of compromised devices at once, making it easier to organize financial theft at scale.
Zimperium researchers say evolving evasion methods, including hidden payloads and structural file tampering, are making detection more difficult for traditional security tools.