Abstract: Four Android malware families are targeting over 800 crypto and banking apps, using fake login screens, OTP interception, and stealth techniques to steal sensitive data while evading traditional security tools.

Cybersecurity researchers have identified four active families of Android malware that are currently targeting more than 800 applications, including cryptocurrency wallets and banking platforms. These malware strains, known as RecruitRat, SaferRat, Astrinox and Massiv, are designed to evade traditional security systems, posing a significant risk to users who manage financial assets on mobile devices. The findings were released by Zimperium's zLabs team, which has been tracking these threats and their evolving capabilities.
Each malware family operates through its own command-and-control infrastructure, enabling attackers to steal login credentials, intercept financial transactions and extract sensitive user data from infected devices. Once installed, the malware can overlay fake login screens on top of legitimate applications, capturing passwords and private information in real time. Researchers noted that these malicious interfaces are highly convincing, often using deceptive HTML overlays that closely mimic genuine app environments. By leveraging Android's Accessibility Services, the malware can detect when a user opens a financial application and immediately trigger the attack.
Beyond credential theft, these trojans have advanced capabilities that further increase their impact. They can intercept one-time passcodes, stream a device's screen to remote attackers, conceal their own presence by hiding app icons and prevent users from uninstalling them. The distribution methods vary across campaigns, with each malware family using different tactics to lure victims. SaferRat has been spread through fake websites offering free access to premium streaming services, while RecruitRat has been embedded in fraudulent job application processes that direct users to download malicious APK files. Astrinox has used similar recruitment-based tactics through domains such as xhire[.]cc, delivering different content depending on the user's device. Although iOS users may encounter pages that resemble the Apple App Store, there is currently no evidence of successful iOS compromise. The distribution method for Massiv remains unclear, but all four families rely heavily on phishing techniques, text message campaigns and social engineering strategies that exploit urgency and curiosity.
One of the most concerning aspects of these malware campaigns is their ability to bypass detection. Researchers found that they employ advanced anti-analysis techniques and manipulate Android application package structures to achieve near-zero detection rates against traditional signature-based security tools. Their network communications are also designed to blend in with normal traffic, using encrypted HTTPS and WebSocket connections, sometimes with additional layers of encryption. Furthermore, these threats use multi-stage installation processes to circumvent Android's evolving permission controls, allowing them to maintain persistence on infected devices.
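Because all four families depend on an enabled Accessibility Service to watch for financial apps and to draw their overlays, and because they are sideloaded rather than installed from an official store, a practical defender-side check is to audit which accessibility services are enabled on a device and whether their packages came from a store installer. The following script is an added example and is not code from the article or from Zimperium; it assumes the analyst has already pulled two strings from a device with `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/class` components) and `adb shell pm list packages -i` (one `package:<name>  installer=<installer>` line per app), and the allowlist, package names and sample output below are constructed placeholders rather than real indicators.

```python
"""Triage helper: flag enabled Android accessibility services whose package is
not on an analyst-maintained allowlist, ranking sideloaded packages highest.

Added example; the allowlist and sample device output are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed allowlist of packages expected to hold accessibility access.
# A real fleet list would be maintained by the defender, not hard-coded.
ALLOWED_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",
    "com.example.enterprise.mdm",  # hypothetical corporate agent
})

# Constructed sample of `settings get secure enabled_accessibility_services`.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.shady.updater/com.shady.updater.OverlayService"
)

# Constructed sample of `pm list packages -i`; "installer=null" means sideloaded.
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.shady.updater  installer=null
"""


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    component: str


def parse_enabled_services(raw: str) -> list[AccessibilityService]:
    """Split the ':'-separated component list into service records."""
    services: list[AccessibilityService] = []
    for entry in raw.strip().split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, sep, cls = entry.partition("/")
        if not sep:
            # Malformed entry: keep it visible rather than silently dropping it.
            services.append(AccessibilityService(package=entry, component=entry))
            continue
        if cls.startswith("."):  # shorthand ".Cls" is relative to the package
            cls = package + cls
        services.append(AccessibilityService(package=package, component=f"{package}/{cls}"))
    return services


def parse_installers(raw: str) -> dict[str, str | None]:
    """Map package name -> installer package, None when sideloaded/unknown."""
    installers: dict[str, str | None] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        package = fields[0]
        installer = None
        for field in fields[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value in ("", "null") else value
        installers[package] = installer
    return installers


def sideloaded_packages(installers: dict[str, str | None]) -> frozenset[str]:
    """Packages with no recorded installer, i.e. not from a store."""
    return frozenset(pkg for pkg, inst in installers.items() if inst is None)


def find_unexpected_services(raw_enabled: str,
                             allowed: frozenset[str] = ALLOWED_PACKAGES,
                             sideloaded: frozenset[str] = frozenset()
                             ) -> list[tuple[str, AccessibilityService]]:
    """Return (severity, service) for every non-allowlisted enabled service.

    Sideloaded packages are rated "high" because the campaigns described in the
    article arrive as APKs outside official stores; others are "medium".
    """
    findings = []
    for svc in parse_enabled_services(raw_enabled):
        if svc.package in allowed:
            continue
        severity = "high" if svc.package in sideloaded else "medium"
        findings.append((severity, svc))
    findings.sort(key=lambda f: (f[0] != "high", f[1].package))
    return findings


if __name__ == "__main__":
    sideloaded = sideloaded_packages(parse_installers(SAMPLE_INSTALLERS))
    for severity, svc in find_unexpected_services(SAMPLE_ENABLED, sideloaded=sideloaded):
        print(f"[{severity}] unexpected accessibility service: {svc.component}")
```

A hit on a sideloaded package with an enabled accessibility service is not proof of infection, but it is the precondition every family in the report relies on, so it is a sensible first triage signal before pulling the APK for deeper analysis.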
Although the report does not specify which cryptocurrency wallets or exchanges are directly targeted, the nature of overlay attacks, passcode interception and screen monitoring means that any Android-based financial application could be vulnerable if users install software from untrusted sources. The primary risk arises when users download applications from links received through text messages, job postings or promotional websites, rather than from official app stores.
As mobile-based financial activity continues to grow, this development highlights the importance of maintaining strict security practices. Users managing cryptocurrency or banking activities on Android devices are strongly advised to download applications only from verified platforms and remain cautious of unsolicited prompts to install software. Vigilance in app sourcing and awareness of emerging threats remain essential in protecting digital assets in an increasingly complex cybersecurity landscape.
