Android trojans steal logins from crypto and bank apps
Four Android trojan families delivered via sideloaded APKs are targeting more than 800 apps, including crypto wallets and banks, stealing logins and OTPs and streaming the device screen to attackers.
Zimperium’s zLabs team reported that four Android trojan families delivered via sideloaded APKs are targeting more than 800 apps, including cryptocurrency wallets and banking apps. The malware families are tracked as RecruitRat, SaferRat, Astrinox and Massiv; each uses its own command-and-control network to steal login credentials, one-time passcodes and live screen data.
The trojans use overlay attacks that place fake login screens or HTML pages over legitimate apps to capture credentials and other inputs in real time. Campaigns rely on phishing pages, SMS scams and social engineering to convince users to install APKs from outside the Google Play Store.
Each campaign uses different lures. SaferRat spread through fake sites promising free premium streaming. RecruitRat and Astrinox used recruitment and job-application themed phishing pages that directed targets to download malicious APK files. Astrinox used the domain xhire[.]cc and showed different content depending on the device; researchers found no evidence that iOS devices were infected. Zimperium could not confirm Massiv’s distribution method during the research period.
Once installed, the trojans capture passwords and one-time passcodes, stream the device screen to attackers, hide their app icons and block uninstall attempts. The malware monitors which app is in the foreground and injects overlays timed to match real app activity.
Zimperium’s zLabs researchers wrote, “Using Accessibility Services to monitor the foreground, the malware detects the exact moment a victim launches a financial application.”
The report documents anti-analysis techniques and structural tampering of APK files, which together give the samples low detection rates against signature-based security tools. Command-and-control traffic is blended with ordinary HTTPS and WebSocket traffic, and some samples add their own encryption layer on top of TLS.
The trojans use multi-stage installation processes intended to work around Android’s evolving permission model. Zimperium did not identify specific crypto wallets or exchanges among the more than 800 targeted apps.
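The behaviours described above leave traces that can be checked on a device: the installer that placed the package, whether the package runs an enabled accessibility service, whether it requested overlay, SMS or package-install permissions, and whether it has disabled its own launcher component to hide its icon. The following triage script is an added example, not Zimperium's code or any tooling from the report. It parses text in the shape of `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services` output; the dump and setting below are constructed samples, the package names are hypothetical, and the field names it reads (`installerPackageName`, `requested permissions:`, `disabledComponents:`) are assumed to match the device's dumpsys format, which varies across Android versions.

```python
"""Added example: triage dumpsys output for sideloaded apps holding the
capabilities the article attributes to these trojans. Samples are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Installers treated as an official store. Anything else (null = adb/manual,
# a browser, the system package installer) is counted as sideloaded.
STORE_INSTALLERS = {"com.android.vending", "com.amazon.venezia"}

# Constructed sample in the shape of `adb shell dumpsys package`, trimmed to
# the fields this script reads. Package names are hypothetical.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.bank] (1a2b3c):
    userId=10150
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.USE_BIOMETRIC
    User 0: ceDataInode=1234 installed=true hidden=false stopped=false
  Package [com.example.recruit] (4d5e6f):
    userId=10151
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
      android.permission.REQUEST_INSTALL_PACKAGES
    User 0: ceDataInode=5678 installed=true hidden=false stopped=false
      disabledComponents:
        com.example.recruit.LauncherActivity
"""
# Constructed sample of `settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = "com.example.recruit/.MonitorService:com.android.talkback/.TalkBackService"

PKG_HEADER = re.compile(r"^\s*Package \[(\S+)\]")
INSTALLER = re.compile(r"installerPackageName=(\S+)")

# Requested permissions mapped to the capability they give the malware.
CAPABILITIES = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.REQUEST_INSTALL_PACKAGES": "second_stage_install",
}


@dataclass
class PackageInfo:
    name: str
    installer: str | None = None
    requested: set[str] = field(default_factory=set)
    disabled_components: set[str] = field(default_factory=set)


def _indented_block(lines: list[str], header: str) -> list[str]:
    """Items listed under `header`: the following lines indented deeper than it."""
    items: list[str] = []
    for i, line in enumerate(lines):
        if line.strip() == header:
            indent = len(line) - len(line.lstrip())
            for nxt in lines[i + 1:]:
                if not nxt.strip() or len(nxt) - len(nxt.lstrip()) <= indent:
                    break
                items.append(nxt.strip())
            break
    return items


def parse_dumpsys(dump: str) -> dict[str, PackageInfo]:
    """Split the dump into per-package sections and pull the fields we need."""
    sections: dict[str, list[str]] = {}
    current: list[str] | None = None
    for line in dump.splitlines():
        m = PKG_HEADER.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    infos: dict[str, PackageInfo] = {}
    for name, lines in sections.items():
        m = INSTALLER.search("\n".join(lines))
        installer = m.group(1) if m and m.group(1) != "null" else None
        infos[name] = PackageInfo(
            name, installer,
            set(_indented_block(lines, "requested permissions:")),
            set(_indented_block(lines, "disabledComponents:")))
    return infos


def enabled_accessibility_packages(setting: str) -> set[str]:
    """Package names from the colon-separated pkg/Service list in the setting."""
    if setting.strip() in ("", "null"):
        return set()
    return {entry.split("/")[0] for entry in setting.strip().split(":") if entry}


def triage(dump: str, a11y_setting: str) -> dict[str, list[str]]:
    """Per-package list of trojan-like indicators found in the dump."""
    a11y = enabled_accessibility_packages(a11y_setting)
    findings: dict[str, list[str]] = {}
    for name, info in parse_dumpsys(dump).items():
        flags: list[str] = []
        if info.installer not in STORE_INSTALLERS:
            flags.append("sideloaded")
        if name in a11y:
            flags.append("accessibility")  # foreground monitoring capability
        flags.extend(sorted({CAPABILITIES[p] for p in info.requested if p in CAPABILITIES}))
        if info.disabled_components:
            flags.append("launcher_component_disabled")  # typical icon hiding
        findings[name] = flags
    return findings


def suspicious(findings: dict[str, list[str]]) -> list[str]:
    """Sideloaded packages that also show at least two other indicators."""
    return sorted(n for n, f in findings.items() if "sideloaded" in f and len(f) >= 3)


if __name__ == "__main__":
    result = triage(SAMPLE_DUMPSYS, SAMPLE_A11Y)
    for pkg, flags in result.items():
        print(f"{pkg}: {', '.join(flags) or 'no indicators'}")
    print("suspicious:", suspicious(result))
```

On a real device, feed it the output of `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`. Any single indicator is weak on its own (screen readers use accessibility services, launchers disable components, messaging apps read SMS), which is why `suspicious()` requires a sideloaded installer plus two further indicators; treat the output as a starting point for manual inspection, not a verdict.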
Zimperium’s report advises obtaining apps only from official stores and avoiding unsolicited download prompts and links that urge quick action. The findings show sideloading from links in messages, job postings or promotional websites remains a primary vector for mobile malware.
Content on BlockPort is provided for informational purposes only and does not constitute financial guidance.
We strive to ensure the accuracy and relevance of the information we share, but we do not guarantee that all content is complete, error-free, or up to date. BlockPort disclaims any liability for losses, mistakes, or actions taken based on the material found on this site.
Always conduct your own research before making financial decisions and consider consulting with a licensed advisor.