SecurityWorldMarket

11/11/2025

Zlabs uncovers malware being sold on subscription basis

Dallas, TX

Zimperium's Zlabs researchers have uncovered Fantasy Hub, an Android Remote Access Trojan (RAT) sold on Russian-language channels as a Malware-as-a-Service (MaaS) subscription.

The spyware offers a full suite of espionage and device-control features, including SMS, contact, and call-log theft; live audio/video streaming; and fake banking windows designed to steal credentials.

Unlike isolated malware kits, Fantasy Hub is a turnkey service complete with seller documentation, how-to videos, and a Telegram-based subscription bot. Buyers receive detailed instructions for creating counterfeit Google Play pages, app icons, and names to impersonate legitimate apps, including cloned pages of popular services such as Telegram, to trick users into installing the dropper.

Zimperium shares some of the key findings from the research:

  • Subscription-based model: Lowers the barrier to entry with documentation, bot management, and automated build options.
  • Financial targeting: Used to impersonate banks including Alfa, PSB, Tbank, and Sber to steal mobile banking credentials.
  • Abuse of SMS privileges: Exploits Android’s default SMS handler role to intercept two-factor messages and forward content without user awareness.
  • Evasion tactics: Disguised as a Google Play update, the malware checks device environments to avoid analysis and detection.
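
As an added illustration (not code from Zimperium or from the original article), the sketch below shows how a defender could screen a device app inventory for two of the behaviours listed above: an unexpected app holding the default SMS handler role, and an app labelled like a Google Play update that is not a Google Play package. The inventory field names, the allowlists and every sample row are assumptions constructed for this example.

```python
# Added example: audit a constructed app inventory for two signals named in the findings.
# Field names, allowlists and all sample rows are assumptions, not Zimperium data.

TRUSTED_SMS_HANDLERS = {"com.google.android.apps.messaging", "com.samsung.android.messaging"}
PLAY_PACKAGES = {"com.android.vending", "com.google.android.gms"}
STORE_INSTALLERS = {"com.android.vending"}

# Constructed rows, shaped like an MDM/EMM per-device app export.
INVENTORY = [
    {"device": "byod-001", "package": "com.google.android.apps.messaging",
     "label": "Messages", "installer": "com.android.vending", "holds_sms_role": True},
    {"device": "byod-002", "package": "com.example.updater",
     "label": "Google Play Update", "installer": None, "holds_sms_role": True},
    {"device": "byod-003", "package": "com.example.smsapp",
     "label": "Fast SMS", "installer": "com.android.vending", "holds_sms_role": True},
    {"device": "byod-003", "package": "com.android.vending",
     "label": "Google Play Store", "installer": None, "holds_sms_role": False},
]


def audit(inventory):
    """Return (device, package, reasons) for every app that warrants review."""
    findings = []
    for app in inventory:
        reasons = []
        # Signal 1: the default SMS handler role is held by an app outside the allowlist.
        if app["holds_sms_role"] and app["package"] not in TRUSTED_SMS_HANDLERS:
            reasons.append("untrusted-sms-role-holder")
        # Signal 2: the label imitates Google Play but the package is not a Play package.
        if "google play" in app["label"].lower() and app["package"] not in PLAY_PACKAGES:
            reasons.append("play-lookalike-label")
        # Raise priority when an already suspicious app did not come from the store.
        if reasons and app["installer"] not in STORE_INSTALLERS:
            reasons.append("not-store-installed")
        if reasons:
            findings.append((app["device"], app["package"], reasons))
    return findings


if __name__ == "__main__":
    for device, package, reasons in audit(INVENTORY):
        print(f"{device}: {package} -> {', '.join(reasons)}")
```

A store-installed third-party SMS app is still reported, with a single reason, so it can be reviewed against policy rather than treated as confirmed malware.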

Fantasy Hub’s MaaS framework highlights how sophisticated mobile spyware is being commoditised. With built-in instructions and automation, even inexperienced attackers can deploy advanced campaigns targeting financial workflows and enterprise BYOD environments.

“Fantasy Hub shows how professionalised seller support is turning complex spyware into accessible services,” said Vishnu Pratapagiri, Zlabs researcher. “Organisations must assume even legitimate-looking apps could hide malicious droppers capable of intercepting authentication and sensitive data.”

