Security News

Cybersecurity news aggregator

HIGH | Attacks | Zimperium

Android Bankers: 4 Campaigns In A Row

The article details a surge in sophisticated Android banking trojan campaigns (RecruitRat, SaferRat, Astrinox, Massiv) that use social engineering via phishing, smishing, and fake apps to deliver malware. These trojans employ advanced anti-analysis and APK tampering to evade detection and utilize robust C2 frameworks to steal credentials, initiate unauthorized transactions, and exfiltrate data from over 800 targeted banking, crypto, and social media apps. The article does not provide specific CVSS scores, affected version ranges, fixed versions, or technical workarounds, focusing instead on the threat landscape and delivery mechanisms.

blog | Apr 16, 2026 | Android Bankers: 4 Campaigns In A Row | Fernando Ortega & Vishnu Pratapagiri

Executive Summary

In recent months, Zimperium's zLabs team has identified a surge in Android banking trojan activity, marking a sophisticated shift in the mobile threat landscape. Our researchers successfully tracked four distinct campaigns, RecruitRat, SaferRat, Astrinox, and Massiv, each leveraging robust Command-and-Control (C2) frameworks to facilitate credential theft, unauthorized financial transactions, and large-scale data exfiltration. Collectively, these campaigns target over 800 applications across the banking, cryptocurrency, and social media sectors. By employing advanced anti-analysis techniques and structural APK tampering, these families often maintain near-zero detection rates against traditional signature-based security mechanisms.

Delivery Vectors: Exploiting Human and System Trust

Mobile banking trojans have evolved into highly sophisticated threats, with developers constantly looking for new techniques to gain stealthy, unauthorized access to sensitive financial data. The primary operational hurdle for malware developers remains the dual challenge of bypassing modern operating system security controls, such as restricted settings and permission prompts, while simultaneously overcoming increasing user skepticism. To achieve initial access, threat actors rely on several diverse delivery mechanisms that blend psychological manipulation with technical evasion. By exploiting human trust, curiosity, or a sense of urgency, these campaigns masquerade as critical system updates, popular applications, or "unmissable" promotional offers. The ultimate objective is to establish a persistent foothold on the device through a gateway often facilitated by human error, ensuring the compromise is finalized before the victim can detect any anomaly.
Below are the primary techniques we've observed with modern banking trojans:

Phishing Infrastructure: Threat actors use fraudulent domains meticulously crafted to mimic legitimate e-stores or services. They deploy high-fidelity websites and sometimes leverage techniques like the homograph attack, using look-alike characters to make the URL appear identical to a real bank's domain.

Social Engineering and Psychological Triggers: These are manipulative tactics aimed at coercing users into downloading malicious payloads from external URLs. They exploit user trust or anxiety, luring victims into downloading the malicious apps by promising free premium access, career assistance, or urgent solutions to fabricated security threats.

Smishing: Attackers send urgent text messages, sometimes spoofing the sender ID, to create a false sense of urgency. These messages typically contain URLs to the phishing websites or direct download links.

Through our research, zLabs has uncovered four distinct and active Android banking trojan families. To maintain technical clarity, our researchers have clustered these campaigns based on unique indicators of compromise (IoCs) and behavioral patterns identified within the samples.

RecruitRat: Named for its primary infection vector; all identified infection vectors were linked to recruitment-related social engineering and fraudulent job-seeking platforms.

SaferRat: Designated based on the shared presence of a common class, com.example.safeservice, observed consistently across all associated applications.

Astrinox: This family has been tracked internally for several months and labeled according to metadata found within our initial collection. We note that Cleafy Labs recently published research on this same threat, identifying it as Mirax.

Massiv: We have retained this nomenclature to align with existing industry research and ensure continuity with findings previously published in a ThreatFabric blog post.

The infection and distribution vectors for these banking trojans vary by campaign strategy. This section analyzes the mechanisms used to move from initial lure to payload installation, focusing on the sophisticated social engineering tactics identified. Note that for certain families, the distribution infrastructure was deliberately obfuscated or absent from the analyzed binaries.

SaferRat distributed itself through fake websites that promised free access to premium streaming platforms and legitimate video streaming software (Fig. 1).

Fig. 1: Phishing websites

RecruitRat disguises its infection chain as a legitimate recruitment process. Victims are lured under the pretense of employment opportunities and directed to fraudulent websites. These domains exhibit characteristics consistent with dedicated phishing infrastructure and serve as the primary distribution points, tricking users into downloading the malicious APK under the guise of an employment-related requirement or application (Fig. 2).

Fig. 2: Fake recruitment websites

Astrinox conceals its infection by mimicking HireX. The campaign leverages the domain xhire[.]cc, where the content served varies depending on the client's user-agent. When an Android device is detected, the site prompts the user to download an APK file (Fig. 3). In the case of iOS devices, it imitates the Apple App Store (Fig. 4). However, no indicators of compromise targeting iOS devices have been identified.

Fig. 3: Phishing website for Android devices

Fig. 4: Phishing website for iOS devices

The distribution infrastructure for Massiv could not be definitively identified during this research cycle.
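The homograph technique described above under Phishing Infrastructure can be checked for on the defender's side. The following is an added example, not code from the Zimperium post: it folds look-alike characters into a "skeleton" of the hostname, reports which DNS labels mix scripts, shows the punycode form a resolver would actually see, and compares the skeleton against an allowlist of protected brand domains. It generalizes slightly beyond the post's IDN case to pure-ASCII look-alikes (digit 1 for l, 0 for o). The confusables table is a small constructed subset of the Unicode confusables data, and examplebank.com is an assumed protected domain.

```python
import unicodedata

# Partial look-alike table used to compute a "skeleton" of a hostname: a few
# Cyrillic and Greek letters that render like Latin ones, plus two ASCII
# digit/letter pairs. Constructed for this example; a production check should
# load the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic с х у і
    "\u0458": "j", "\u0455": "s", "\u03bf": "o", "\u03b1": "a",  # Cyrillic ј ѕ, Greek ο α
    "0": "o", "1": "l",                                          # ASCII look-alikes
}

SCRIPT_KEYWORDS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN")


def label_scripts(label: str) -> set:
    """Return the set of scripts the letters of one DNS label are drawn from."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue  # digits and hyphens carry no script
        name = unicodedata.name(ch, "")
        scripts.add(next((k for k in SCRIPT_KEYWORDS if k in name), "OTHER"))
    return scripts


def skeleton(hostname: str) -> str:
    """Fold look-alike characters so visually similar names compare equal."""
    folded = unicodedata.normalize("NFKC", hostname.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def assess_hostname(hostname: str, protected: set) -> dict:
    """Classify a hostname against a set of protected (brand) domains."""
    hostname = hostname.lower().rstrip(".")
    labels = hostname.split(".")
    mixed = [lbl for lbl in labels if len(label_scripts(lbl)) > 1]
    non_ascii = not hostname.isascii()
    try:
        # The ASCII-compatible form the resolver sees; IDN labels become xn--.
        punycode = hostname.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None  # label violates IDNA rules
    skel = skeleton(hostname)
    if hostname in protected:
        verdict = "ok"
    elif skel in protected:
        # Looks like a protected name but is not one: IDN homograph or ASCII look-alike.
        verdict = "homograph" if non_ascii else "lookalike"
    elif mixed:
        verdict = "mixed-script"
    elif punycode is None:
        verdict = "invalid-idna"
    else:
        verdict = "unknown"
    return {"hostname": hostname, "punycode": punycode, "skeleton": skel,
            "mixed_script_labels": mixed, "verdict": verdict}


PROTECTED = {"examplebank.com"}  # constructed allowlist of brand domains

if __name__ == "__main__":
    for h in ("examplebank.com", "ex\u0430mplebank.com", "examp1ebank.com"):
        print(assess_hostname(h, PROTECTED))
```

The skeleton comparison is what catches the case the post describes (a Cyrillic letter substituted into an otherwise Latin name), while the mixed-script list is useful on its own as a logging or alerting signal for domains that are not on any allowlist. Subdomains of a protected name (login.examplebank.com) fall through to "unknown" here; matching on the registrable domain is a separate check.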
The analyzed Massiv samples lacked the typical embedded artifacts or "dropper" logic used to trace the infection chain, indicating that the delivery phase may be decoupled from the core malware logic.

Installation & Persistence

Establishing persistence on a target device is one of the most critical phases in a mobile banking trojan's lifecycle. Due to the continued improvements of Android's security model, threat actors have been forced to shift from their original deployment strategies to new, innovative methods. Modern bankers no longer rely on simple, single-stage infections. Instead, they utilize sophisticated multi-stage installation routines designed to silently elevate privileges, auto-grant dangerous permissions, and hide themselves within the system. Once the malware is active, its immediate priority shifts to persistence, employing tactics to vanish from the user's view (abusing the UI) or actively blocking any uninstall attempts, ensuring a prolonged window for financial theft and surveillance.

The installation processes across these modern Android banking trojans share a distinct, unified strategy: abusing the native Session Installation API (Figure 5) to bypass the stringent sideloading and Accessibility restrictions introduced in recent Android versions. Instead of exposing their malicious code directly, the initial droppers act merely as delivery vehicles, concealing their true payloads deep within their internal structures.

Fig. 5: Session installer

A primary example of this multi-stage strategy is observed in SaferRat, which utilizes a dropper meticulously disguised as a Google Play Store update (Figure 6). By mimicking the trusted interface of the official Android marketplace, the malware lowers the victim's guard during the critical payload staging phase. This deceptive UI serves a dual purpose: it facilitates the initial execution and provides a plausible context for the system-level installation prompts generated by the Session Installation API, effectively masking the delivery of the malicious binary as a routine system maintenance task.

Fig. 6: Fake Google Play layout

Once the malicious payload has been successfully deployed, the next step for the bankers is typically to request Accessibility Service permissions. To prevent the victim from intervening or understanding what is happening, the malware deploys a non-interactive overlay on top of the screen (Figure 7) to visually obstruct the interface. Behind this "blindfold", the malware programmatically auto-grants the remaining dangerous permissions required by its Remote Access Trojan (RAT) components, including full access to contacts, phone state, and SMS messages, among others.

Fig. 7: Enable Accessibility and grant other permissions

To gain persistence on the device, RecruitRat does not primarily use these Accessibility privileges to block its own removal. Instead, it prioritizes visual stealth, dynamically replacing its application icon with a blank, transparent image (Figure 8) to effectively vanish from the user's app drawer.

Fig. 8: RecruitRat replacing the icon

SaferRat operationalizes its persistence through the direct abuse of Accessibility Services. Upon receiving the enable_anti_delete instruction from the C2, the malware begins intercepting user interactions with the Android system settings. By programmatically detecting intent to navigate to the application's management page, the malware issues automated navigation commands to redirect the user, ensuring that its malicious presence remains unhindered by manual uninstallation attempts.

Evasion & Anti-Analysis Techniques

For modern mobile banking trojans, infiltrating a device is only half the battle; the true challenge lies in survival and stealth.
Once deployed, these malicious applications must bypass the operating system's built-in defenses, evade detection by mobile security solutions, and actively thwart security researchers’ attempts to reverse-engineer their code. This has sparked an arms race where malware developers invest as much effort into obfuscation and evasion as they do into the actual financial theft mechanisms. Instead of relying on isolated tricks, today's bankers employ a defense-in-depth evasion strategy, combining code-level obfuscation, structural tampering, and environmental profiling to ensure their operations proceed uninterrupted. Throughout our investigation into these eme
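Returning to the installation chain described under Installation & Persistence (a session-based dropper, an Accessibility Service request, a screen overlay, and RAT-style permissions for contacts, phone state and SMS granted behind it), that combination of capabilities is visible statically in an APK's AndroidManifest.xml. The following is an added example of a manifest triage heuristic, not Zimperium's tooling or any published scoring scheme: it parses a decoded manifest, flags the permissions that correspond to each stage the post describes, and marks the dropper-plus-accessibility-plus-overlay combination separately because a single one of these permissions is common in legitimate apps while all three together are not. The weights, the package names and both sample manifests are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the stages of the installation chain described in the
# post. Weights are this example's own choice, not a published scheme.
PERMISSION_WEIGHTS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,  # session-based dropper
    "android.permission.SYSTEM_ALERT_WINDOW": 2,       # overlay "blindfold"
    "android.permission.READ_SMS": 2,                  # RAT data access
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.READ_PHONE_STATE": 1,
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
DROPPER_CHAIN = (
    "android.permission.REQUEST_INSTALL_PACKAGES",
    ACCESSIBILITY_BIND,
    "android.permission.SYSTEM_ALERT_WINDOW",
)


def declares_accessibility_service(root) -> bool:
    """True if a <service> is guarded by BIND_ACCESSIBILITY_SERVICE and
    registers the AccessibilityService intent action (the standard shape of
    an Accessibility Service declaration)."""
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") != ACCESSIBILITY_BIND:
            continue
        for action in svc.iter("action"):
            if action.get(ANDROID_NS + "name") == ACCESSIBILITY_ACTION:
                return True
    return False


def triage_manifest(manifest_xml: str) -> dict:
    """Return the flagged capabilities, a score, and whether the full
    dropper + accessibility + overlay chain is present."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    hits = {p: w for p, w in PERMISSION_WEIGHTS.items() if p in requested}
    if declares_accessibility_service(root):
        hits[ACCESSIBILITY_BIND] = 3
    return {
        "package": root.get("package"),
        "hits": hits,
        "score": sum(hits.values()),
        "dropper_chain": all(p in hits for p in DROPPER_CHAIN),
    }


# Constructed sample: the shape of a dropper that installs a hidden payload,
# asks for Accessibility, draws an overlay and then takes RAT permissions.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".AccessibilityHelper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that reads contacts and nothing else.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

This is a static first pass only: the icon-hiding and anti-delete behaviours described for RecruitRat and SaferRat happen at runtime and do not appear in the manifest, and an APK whose real payload is staged through a session install will show the dropper's manifest, not the payload's, so the heuristic is most useful for prioritising which samples to run dynamically.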
