
Four new Android malware variants targeting over 800 banking apps have been discovered.

Phan Van Hoa April 26, 2026 08:28

Four newly discovered Android malware strains are silently attacking over 800 financial apps, using sophisticated methods to steal user data.

A new study from the US security technology company Zimperium paints a worrying picture of security on Android devices. It identifies four large-scale malware campaigns: RecruitRat, SaferRat, Astrinox, and Massiv.

Illustrative image.

According to the zLabs cybersecurity research group, part of Zimperium, these threats are directly targeting more than 800 banking and cryptocurrency wallet applications globally, with the potential for high-level personal data theft.

Four malware variants with sophisticated phishing tactics.

Experts say that each malware family uses a different infection method, but they all rely on common phishing techniques such as fake websites and smishing (phishing via SMS messages).

SaferRat exploits user psychology by creating fake websites that promise free access to premium streaming services. These sites are designed to look exactly like the real ones, making it easy for victims to enter their login information without suspicion.

Meanwhile, RecruitRat targets job seekers. Hackers create fake recruitment websites, then ask users to download an APK file disguised as a job application. Once installed, the malware begins operating stealthily.

Astrinox took a different approach, impersonating a business tool called HireX and distributing it through a separate website. Notably, although traces of this campaign had previously appeared on the App Store, researchers confirmed that it is now only targeting Android devices.

Massiv is the most mysterious case. This malware is so cleverly concealed that experts have been unable to determine its initial method of distribution, which shows how dangerous and difficult to detect it is.

Overlay attacks – sophisticated methods of information theft.

After infiltrating the device, the malware quickly deploys an overlay technique, a common but extremely effective form of attack. When the user opens a banking or e-wallet application, a fake interface layer appears on top of the real application.

The danger is that this interface looks exactly like the original. When users enter login information or PINs, this data is sent directly to hackers instead of the official system.

Furthermore, the malware abuses Accessibility Services, a feature designed to assist people with disabilities, to gain deep control over the device. It can display fake screens such as "system updating" or "app frozen" to distract users while secretly collecting data.

Stealing OTP codes and tracking all activity.

One of the most concerning aspects is the malware's ability to bypass common security measures such as OTP codes. Experts have discovered that these malware programs can intercept and read SMS messages in real time, thereby stealing two-factor authentication codes, which are considered a crucial layer of protection.

In particular, RecruitRat is considered more dangerous because it includes a library of over 700 fake login interfaces. When it detects a user opening a target application, it automatically displays the corresponding interface to deceive them.

Furthermore, these malware programs use keylogging techniques to record every touch on the screen. This allows hackers to collect all login credentials, message content, and even other sensitive data.

They maintain a constant connection to the command and control server via WebSockets, allowing hackers to monitor the device in real time and launch attacks at the most opportune moment.

Increased risk of fraud and security recommendations.

The simultaneous emergence of multiple malware families with increasingly sophisticated techniques shows that the Android ecosystem is becoming an attractive target for cybercriminals, especially in the financial and cryptocurrency sectors.

According to experts, users need to be especially wary of links sent via email or text message, particularly those that are urgent or unusually appealing. Downloading applications from unofficial sources, especially APK files, is one of the main causes of infection.

In addition, users should:

- Only install apps from the Google Play store or trusted sources.

- Carefully check access permissions, especially Accessibility permissions.

- Do not enter login information if there are any unusual signs.

- Use reputable mobile security solutions.
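
A triage check for the permission advice above, as an added example that is not from the article or Zimperium's report: it flags sideloaded apps that hold an enabled accessibility service together with SMS or overlay permissions, the capability mix described earlier. The function names, the trusted-installer list and the sample inventory are assumptions constructed for illustration; the inputs are the text output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, plus a per-package set of granted permissions.

```python
import re

# Assumption: only Google Play counts as a trusted installer; adjust per policy.
TRUSTED_INSTALLERS = {"com.android.vending"}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

def parse_accessibility(setting):
    """Packages named in `settings get secure enabled_accessibility_services`."""
    value = setting.strip()
    if value in ("", "null"):          # no accessibility service enabled
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -i` output."""
    pairs = re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_output, re.M)
    return dict(pairs)

def triage(setting, pm_output, granted):
    """Return {package: [signals]} for sideloaded accessibility apps that can
    also read SMS or draw overlays."""
    a11y = parse_accessibility(setting)
    findings = {}
    for pkg, installer in parse_installers(pm_output).items():
        if installer in TRUSTED_INSTALLERS or pkg not in a11y:
            continue
        perms = granted.get(pkg, set())
        signals = ["sideloaded", "accessibility"]
        if perms & SMS_PERMS:
            signals.append("sms")
        if OVERLAY_PERM in perms:
            signals.append("overlay")
        if len(signals) > 2:           # accessibility plus at least one more
            findings[pkg] = signals
    return findings

# Constructed sample inventory (not taken from the Zimperium report).
SETTING = "com.example.jobform/.HelperService:com.example.reader/.ReaderService"
PM_LIST = """package:com.example.jobform  installer=null
package:com.example.reader  installer=com.android.vending
package:com.example.notes  installer=null"""
GRANTED = {
    "com.example.jobform": {"android.permission.RECEIVE_SMS", OVERLAY_PERM},
    "com.example.reader": {OVERLAY_PERM},
    "com.example.notes": {"android.permission.READ_SMS"},
}

if __name__ == "__main__":
    for pkg, signals in triage(SETTING, PM_LIST, GRANTED).items():
        print(pkg, "->", ", ".join(signals))
```

Preinstalled system apps also report `installer=null`, so feed the check third-party packages only (`pm list packages -3 -i`).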

In the context of increasingly sophisticated attacks, raising awareness and promoting safe usage habits remains the most effective "shield" for protecting personal data.

According to Hackread