Android Trojan 'Fantasy Hub' Malware Service Turns Telegram Into a Hub for Hackers
Cybersecurity researchers have disclosed details of a new Android remote access trojan (RAT) called Fantasy Hub that's sold on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model. According to its seller, the malware enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos, as well as intercept, reply,
AI Analysis
Technical Summary
Fantasy Hub is an Android Remote Access Trojan (RAT) distributed through a Malware-as-a-Service (MaaS) model on Russian-speaking Telegram channels. The malware is sold via a subscription system managed by a bot that allows buyers to customize the trojanized APK's icon and name, and upload any APK to embed the malicious payload. Once installed, Fantasy Hub abuses the default SMS handler role by prompting users to set it as the default SMS app, granting it extensive permissions in one step. This enables the malware to intercept, read, reply to, and delete SMS messages, including two-factor authentication codes, which is critical for bypassing mobile banking security. It also collects contacts, call logs, images, videos, and can stream camera and microphone feeds in real time using WebRTC technology. The malware uses fake overlays to phish banking credentials from Russian banks such as Alfa, PSB, T-Bank, and Sberbank. The command-and-control (C2) panel provides attackers with device status and subscription details, and allows issuing commands to exfiltrate data. The MaaS model lowers technical barriers for attackers by providing documentation, videos, and a bot-driven subscription and alert system. The malware masquerades as Google Play updates to gain user trust and permissions. Although no active exploits have been reported, the service's availability and features pose a direct threat to enterprises with BYOD policies and users of sensitive mobile apps. This threat exemplifies the evolution of Android malware from simple banking trojans to sophisticated espionage tools leveraging native OS components and real-time data streaming.
Potential Impact
For European organizations, Fantasy Hub represents a significant risk, especially for enterprises with Bring Your Own Device (BYOD) policies and employees using mobile banking or sensitive applications on Android devices. The malware's ability to intercept SMS messages, including two-factor authentication codes, threatens the confidentiality and integrity of corporate and personal financial transactions. The real-time streaming of camera and microphone data compromises privacy and can lead to corporate espionage or leakage of sensitive information. The use of fake overlays to steal banking credentials increases the risk of financial fraud. Although primarily targeting Russian banks, the malware's capabilities can be adapted to target European financial institutions and enterprises. The MaaS model facilitates widespread distribution by lowering technical barriers, potentially increasing infection rates across Europe. The threat also complicates incident response due to its stealthy permission abuse and real-time data exfiltration. Overall, the malware could disrupt business operations, cause financial losses, and damage reputations if infections occur within European organizations.
Mitigation Recommendations
European organizations should implement strict mobile device management (MDM) policies that restrict installation of apps from untrusted sources and enforce the use of official app stores. Deploy mobile threat defense (MTD) solutions capable of detecting malicious behaviors such as SMS handler abuse and overlay attacks. Educate employees about the risks of granting default SMS app privileges and the dangers of installing apps masquerading as system updates. Enforce multi-factor authentication methods that do not rely solely on SMS-based codes, such as hardware tokens or authenticator apps. Monitor network traffic for unusual WebRTC streams or connections to suspicious command-and-control servers. Regularly audit permissions granted to installed apps and revoke unnecessary default SMS handler status. Collaborate with financial institutions to recognize and respond to fraudulent transactions quickly. Finally, maintain up-to-date threat intelligence feeds to detect emerging MaaS offerings and adapt defenses accordingly.
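The technical summary above describes the abuse of Android's default SMS handler role together with overlay, camera and microphone permissions, and the mitigations ask for regular audits of which app holds that role. The following is an added example, not part of the original advisory or any vendor tool: it parses constructed sample output of `adb shell settings get secure sms_default_application` and `adb shell dumpsys package <pkg>` (the package name, hash and allowlist are assumptions) and flags a third-party, sideloaded SMS handler that also requests the permission set the summary describes.

```python
import re

# Constructed sample, not real device output: result of
# `adb shell settings get secure sms_default_application` (hypothetical package).
DEFAULT_SMS_SETTING = "com.example.playupdate"

# Constructed excerpt of `adb shell dumpsys package com.example.playupdate`.
DUMPSYS_PACKAGE = """\
Packages:
  Package [com.example.playupdate] (a1b2c3):
    installerPackageName=null
    requested permissions:
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.INTERNET
"""

# Assumed allowlist of SMS apps expected in a managed fleet.
TRUSTED_SMS_APPS = {"com.google.android.apps.messaging", "com.samsung.android.messaging"}

# Permissions that, combined with SMS-handler status, match the capabilities
# described in the advisory (overlays, camera/mic streaming, call-log theft).
RISKY = {
    "android.permission.CAMERA": "camera streaming",
    "android.permission.RECORD_AUDIO": "microphone streaming",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay phishing",
    "android.permission.READ_CALL_LOG": "call-log collection",
}

def parse_dumpsys(text):
    """Extract installer package and requested permissions from dumpsys output."""
    installer = re.search(r"installerPackageName=(\S+)", text)
    perms = set(re.findall(r"^\s+(android\.permission\.[A-Z_]+)$", text, re.M))
    return {"installer": installer.group(1) if installer else None, "permissions": perms}

def assess_sms_handler(default_pkg, dumpsys_text):
    """Return a list of audit findings for the current default SMS handler."""
    info = parse_dumpsys(dumpsys_text)
    findings = []
    if default_pkg not in TRUSTED_SMS_APPS:
        findings.append(f"default SMS handler {default_pkg} is not on the allowlist")
    if info["installer"] in (None, "null"):  # no store installer: sideloaded
        findings.append("sideloaded (no installer package recorded)")
    for perm, why in RISKY.items():
        if perm in info["permissions"]:
            findings.append(f"{perm} requested ({why})")
    return findings

if __name__ == "__main__":
    for finding in assess_sms_handler(DEFAULT_SMS_SETTING, DUMPSYS_PACKAGE):
        print("FINDING:", finding)
```

An MDM or MTD integration would run the two adb commands (or their device-management equivalents) per device and feed the output to `assess_sms_handler`; any non-empty result warrants revoking the SMS role and investigating the package.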
Affected Countries
Russia, Poland, Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Article Source: https://thehackernews.com/2025/11/android-trojan-fantasy-hub-malware.html (fetched 2025-11-12T01:02:56.352Z, 1535 words)
Threat ID: 6913dcc3385fb4be4590632d
Added to database: 11/12/2025, 1:02:59 AM
Last enriched: 11/12/2025, 1:03:43 AM
Last updated: 12/27/2025, 10:16:30 AM