Zimperium zLabs uncovers four active Android banking Trojan campaigns

Zimperium

Zimperium has announced new findings from its zLabs threat research team identifying four active Android banking trojan campaigns—RecruitRat, SaferRat, Astrinox, and Massiv—collectively targeting more than 800 banking, cryptocurrency, and social media applications worldwide.

The research highlights how these malware families are evolving beyond basic credential theft, using sophisticated phishing infrastructure, deceptive overlays, Accessibility abuse, screen capture, and anti-analysis techniques to evade detection and facilitate account takeover and financial fraud.

According to the research, the four campaigns leverage robust command-and-control (C2) frameworks and multi-stage infection chains to gain persistence on infected devices, intercept SMS-based one-time passwords, harvest device credentials, and exfiltrate sensitive data in real time.

zLabs also found these malware families are often able to maintain near-zero detection rates against traditional, signature-based mobile security tools by employing advanced APK tampering, encrypted payloads, dynamic code loading, and environment-aware execution.

“As cybercriminals adopt a mobile-first attack strategy, Android banking trojans are becoming more evasive and effective,” said Krishna Vishnubhotla, VP of Product Strategy at Zimperium. “These campaigns go beyond credential theft, taking over the device itself to bypass security controls and enable fraud—highlighting the need for dedicated mobile security.”

Among the key findings, zLabs observed:

  • Four active Android banking trojan families with distinct infection chains and malware behaviors
  • More than 800 targeted applications across banking, crypto, and social media sectors
  • Delivery tactics including phishing websites, fake job recruitment lures, deceptive streaming offers, and smishing campaigns
  • Abuse of Accessibility Services, MediaProjection, overlays, and Session Installation APIs to gain persistence and evade detection
  • Capabilities including keylogging, screen capture, credential theft, SMS interception, device reconnaissance, and phishing overlay injection

The report also shows how attackers are increasingly abusing legitimate Android services and trusted user experiences to disguise malicious activity. In several cases, trojans masqueraded as system updates, employment-related applications, or streaming services in order to trick victims into installing malicious APKs.

Once active, the malware could dynamically identify installed banking and crypto apps, deploy convincing phishing overlays, and capture credentials, PINs, and one-time authentication codes.

For enterprises, the threat extends well beyond consumer banking fraud. Compromised mobile devices used by employees can provide threat actors with a path to intercept authentication, hijack sessions, and gain unauthorised access to sensitive corporate resources. This makes mobile malware not only a fraud risk, but also a serious enterprise security concern.
