- Four Android banking Trojan campaigns target hundreds of financial and social apps
- Malware hides icons, blocks removal and overlays fake bank login screens
- Live screen streaming allows attackers to monitor activity and capture authentication steps
Security researchers have tracked four Android banking Trojan campaigns that rely on deception, stealth and disappearing app icons to remain hidden from view after installation.
Researchers at Zimperium say the campaigns, called RecruitRat, SaferRat, Astrinox and Massiv, collectively targeted more than 800 banking, cryptocurrency and social media apps.
The potential reach is huge because the targeted apps have billions of downloads between them, but that figure measures exposure rather than compromise; actual infections likely number in the millions rather than billions.
Increasingly complex installation techniques
The researchers note that the attackers rely heavily on tricking users rather than solely exploiting technical flaws. Victims are directed to fake websites disguised as job portals, streaming services or software downloads that appear legitimate at first glance.
Some campaigns impersonate recruitment platforms and push victims to download an app as part of a supposed hiring process, while others promise free access to premium streaming content. In each case the user ends up sideloading the malicious software from outside the official app store.
Installation techniques have become increasingly complex, with many attacks using multi-stage delivery methods that hide the true malware payload inside another file.
One tactic involves mimicking official update screens, including layouts similar to the Google Play interface, to reduce suspicion during installation.
Once active, the malware typically requests the accessibility service permission. On Android this one grant lets an app read screen content, observe the user's actions and inject taps and gestures of its own, so the malware can click through subsequent permission prompts and grant itself additional privileges without the user clearly realizing it.
A particularly deceptive feature allows certain variants to replace their app icon with a blank image, so the app effectively “disappears” from the device's app drawer and users struggle to locate or remove it.
Other versions interfere with direct attempts to uninstall the malware by redirecting users away from system settings.
Screen overlays play a major role in credential theft across all four campaigns. Fake lock screens can capture PINs and patterns, while simulated bank login pages harvest credentials when users interact with legitimate apps.
Some variants even display full-screen “update” notifications, preventing normal interaction while background actions take place.
In addition to stealing credentials, multiple families transmit live screen content to remote servers, creating a continuous visual feed that allows attackers to observe activity and intercept authentication steps in real time.
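The behaviours described above (an enabled accessibility service, overlay permission for fake login screens, a hidden launcher entry, and installation from outside the official store) can be checked for with nothing more than `adb shell` output. The script below is an added triage example, not code from Zimperium or from the article: it parses text shaped like the output of `pm list packages -3 -i`, `settings get secure enabled_accessibility_services`, `cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER` and `appops get <pkg> SYSTEM_ALERT_WINDOW`, then scores each third-party package. The package names, the sample output, the allow-lists and the signal weights are all constructed assumptions; the hidden-icon check only catches variants that disable their launcher activity, not the blank-image trick, which would require inspecting the icon resource.

```python
import re

# Assumed allow-lists (tune for the fleet being triaged).
TRUSTED_INSTALLERS = {"com.android.vending"}                 # Google Play
KNOWN_GOOD_A11Y = {"com.google.android.marvin.talkback"}     # TalkBack screen reader

# Signal weights are an assumption for this example, not from the article.
WEIGHTS = {
    "accessibility service enabled": 3,
    "overlay permission granted": 2,
    "no launcher activity (icon hidden)": 2,
    "sideloaded (installer not trusted)": 1,
}
SUSPICIOUS_THRESHOLD = 4

# --- Constructed sample input, shaped like `adb shell` output; names are invented ---
PM_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.bank.app  installer=com.android.vending
package:com.example.hiring.portal  installer=null
package:com.example.streamfree  installer=com.example.browser
"""
ENABLED_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
                "com.example.hiring.portal/.core.AccessService")
LAUNCHER_ACTIVITIES = """\
4 activities found:
  com.android.settings/.Settings
  com.google.android.marvin.talkback/.TalkBackPreferencesActivity
  com.example.bank.app/.MainActivity
  com.example.streamfree/.ui.Home
"""
APPOPS = {  # package -> `appops get <pkg> SYSTEM_ALERT_WINDOW`
    "com.example.hiring.portal": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m0s ago",
    "com.example.streamfree": "SYSTEM_ALERT_WINDOW: allow",
    "com.example.bank.app": "SYSTEM_ALERT_WINDOW: default",
    "com.google.android.marvin.talkback": "SYSTEM_ALERT_WINDOW: allow",
}


def parse_installers(text):
    """`pm list packages -3 -i` -> {package: installer}; 'null' means none recorded."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_enabled_services(text):
    """Secure setting value 'pkg/service:pkg2/service2' -> set of packages."""
    return {entry.split("/", 1)[0] for entry in text.strip().split(":") if "/" in entry}


def parse_launcher_packages(text):
    """Packages exposing a MAIN/LAUNCHER activity, i.e. with a visible app-drawer entry."""
    pkgs = set()
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)/\S+", line)
        if m:
            pkgs.add(m.group(1))
    return pkgs


def has_overlay_permission(appops_output):
    """True when the SYSTEM_ALERT_WINDOW app-op is explicitly allowed."""
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_output) is not None


def triage(pm_list, a11y_setting, launcher_output, appops):
    """Return {package: [signal, ...]} for every third-party package with at least one signal."""
    installers = parse_installers(pm_list)
    a11y = parse_enabled_services(a11y_setting)
    launcher = parse_launcher_packages(launcher_output)
    findings = {}
    for pkg, installer in installers.items():
        signals = []
        if pkg in a11y and pkg not in KNOWN_GOOD_A11Y:
            signals.append("accessibility service enabled")
        if has_overlay_permission(appops.get(pkg, "")):
            signals.append("overlay permission granted")
        if pkg not in launcher:
            signals.append("no launcher activity (icon hidden)")
        if installer not in TRUSTED_INSTALLERS:
            signals.append("sideloaded (installer not trusted)")
        if signals:
            findings[pkg] = signals
    return findings


def score(signals):
    return sum(WEIGHTS[s] for s in signals)


def flag_suspicious(findings):
    """Packages whose combined signal weight meets the threshold, sorted by name."""
    return sorted(p for p, s in findings.items() if score(s) >= SUSPICIOUS_THRESHOLD)


if __name__ == "__main__":
    results = triage(PM_LIST, ENABLED_A11Y, LAUNCHER_ACTIVITIES, APPOPS)
    for pkg, signals in sorted(results.items()):
        print(f"{pkg}: score={score(signals)} {signals}")
    print("suspicious:", flag_suspicious(results))
```

On a real device the four inputs come from `adb shell` in the order listed in the lead-in; the allow-lists matter because a legitimate screen reader or an app installed by an MDM agent will otherwise trip the same heuristics, so treat the result as a starting point for manual review rather than a verdict.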
Encrypted communication channels connect infected devices to centralized command systems that coordinate attacks and distribute updated instructions.
These systems can handle thousands of compromised devices simultaneously, making large-scale financial theft easier to organize.
Zimperium researchers say evolving evasion methods, including payloads hidden inside other files and manipulation of the app package's file structure, are making detection more difficult for traditional security tools.