Surge in Android Banking Trojans: Four Campaigns Identified

Surge in Android Banking Trojans: Four Campaigns Identified

First seen 16 Apr 2026, 16:02 UTC Zimperiumattack.mitre.orgScworldYellowCryptopolitan+56 85% similarity 69.5

Article Content

Browse articles
ThreatCluster

Zimperium's zLabs has reported a significant increase in Android Banking Trojan activity, identifying four distinct campaigns: RecruitRat, SaferRat, Astrinox, and Massiv. These campaigns utilize advanced Command-and-Control (C2) frameworks to steal credentials, execute unauthorized financial transactions, and exfiltrate data from over 800 applications in banking, cryptocurrency, and social media sectors. The trojans employ sophisticated anti-analysis techniques and APK tampering, achieving near-zero detection rates against traditional security measures. Attackers exploit human psychology through deceptive tactics, such as fake system updates and enticing offers, to gain initial access. The malware's distribution methods vary, with SaferRat using phishing websites for fake streaming services and RecruitRat masquerading as legitimate job opportunities. The threat landscape for mobile banking has evolved, necessitating heightened vigilance from users and security professionals alike.

Key Points: • Four active Android Banking Trojan campaigns identified: RecruitRat, SaferRat, Astrinox, and Massiv. • These campaigns target over 800 applications across banking, cryptocurrency, and social media. • Sophisticated social engineering tactics are used to lure victims into downloading malicious APKs.

ThreatCluster AI

Timeline

2026-04-16
Zimperium reports surge in Android Banking Trojan activity
2026-04-16
Four campaigns identified: RecruitRat, SaferRat, Astrinox, Massiv
Recent
Ongoing research into distribution methods and infection vectors

Community

Browse all →