{"id":45532,"date":"2026-04-18T10:18:35","date_gmt":"2026-04-18T02:18:35","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/18\/new-recruitrat-saferrat-astrinox-massiv-android-malware-found-targeting-800-apps\/"},"modified":"2026-04-18T10:18:35","modified_gmt":"2026-04-18T02:18:35","slug":"new-recruitrat-saferrat-astrinox-massiv-android-malware-found-targeting-800-apps","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/18\/new-recruitrat-saferrat-astrinox-massiv-android-malware-found-targeting-800-apps\/","title":{"rendered":"New RecruitRat, SaferRat, Astrinox, Massiv Android Malware Found Targeting 800 Apps"},"content":{"rendered":"\n

Cybersecurity Researchers from Zimperium zLabs have shared details on four new Android malware families currently being used in four different campaigns targeting Android banking and crypto apps. These are capable of stealing private data from more than 800 apps, according to Zimperium\u2019s report shared with Hackread.com.<\/p>\n

Meet the Four Families<\/strong><\/h3>\n

The zLabs team has been busy tracking these threats, which they\u2019ve named RecruitRat, SaferRat, Astrinox, and Massiv. Each one uses a different trick to lure users into downloading the malware, with the most common methods being phishing and smishing. <\/p>\n

Phishing involves fake websites that look exactly like real login pages for banks or popular services. For example, the SaferRat campaign uses websites that promise free access to premium video streaming services to lure victims in.<\/p>\n

\n
\"New<\/a>
Fake websites used to lure users (Source: Zimperium)<\/figcaption><\/figure>\n<\/p><\/div>\n

In Smishing, urgent text messages are used claiming there is a problem with your account, with a link that downloads the malicious payload after clicking. RecruitRat campaign uses fake job-seeking sites and targets employment seekers, making them download an APK<\/a> file that looks like a job application.<\/p>\n

Then there is Astrinox, which mimics a business tool called HireX on the site xhirecc<\/code>. While researchers found a fake Apple App Store<\/a> page for this one, they noted that the actual malicious payloads are currently only targeting Android users. The final group, Massiv, is a mystery; though, it is so well-hidden that researchers couldn\u2019t find any clear sign of how it spreads.<\/p>\n

The Blindfold Trick<\/strong><\/h3>\n

Once these apps infect a phone, they quickly launch an Overlay attack. This involves a fake screen that pops up right when you open a real app, like your bank or a crypto wallet. If you type your password, you aren’t giving it to the bank but to the hackers.<\/p>\n

\n
\"New<\/a>
Fake overlays (Source: Zimperium)<\/figcaption><\/figure>\n<\/p><\/div>\n

To prevent raising suspicion, Zimperium\u2019s report<\/a> found that the malware uses a blindfold. By abusing Accessibility Service permissions, it can put a non-moving image over your screen. So, you get to see a frozen page or a fake Android Update screen, while the hackers work in the background, seeing your contacts, reading your SMS messages, and even recording your screen using the MediaProjection framework.<\/p>\n

Bypassing Your Security<\/strong><\/h3>\n

One of the most dangerous parts of these attacks is how they handle security codes. We always feel safe because of one-time passwords (OTPs) sent via text, but these programs can intercept those texts in real-time.<\/p>\n