New Android Banking Malware Campaigns Target 800 Apps via Screen Overlays


Android banking malware is evolving rapidly, with four newly discovered campaigns actively targeting over 800 financial and cryptocurrency applications globally. Cybersecurity researchers at Zimperium zLabs have identified these distinct malware families - dubbed RecruitRat, SaferRat, Astrinox, and Massiv - which utilize advanced social engineering to drain user accounts. For Android users and IT administrators, understanding these infection vectors is critical to preventing catastrophic data and financial loss.

How the Malware Infiltrates Devices

The threat actors rely heavily on phishing and smishing (SMS phishing) to deploy their malicious payloads. SaferRat lures victims through fraudulent websites offering free premium video streaming access. Meanwhile, RecruitRat targets job seekers by disguising its malicious APK as an employment application on fake job portals.

Astrinox mimics a legitimate business tool called HireX, even using a fake Apple App Store landing page to build trust before dropping the Android payload. The distribution method for Massiv has not been disclosed by the researchers.

Overlay Attacks and OTP Interception

Once installed, the malware performs overlay attacks. When a user opens a targeted banking or crypto app, the malware instantly draws a pixel-perfect fake login screen over the legitimate application, so credentials typed into it go to the attackers rather than the bank. RecruitRat alone ships with a local repository of over 700 fake login pages.

To mask their background activity, the malware abuses Android's Accessibility Service permissions to create a "blindfold" effect: it displays a frozen screen or a fake system update while the operators silently harvest contacts, read SMS messages, and record the screen using the MediaProjection framework. Crucially, this allows the attackers to intercept one-time passwords (OTPs) in real time, defeating two-factor authentication (2FA) that relies on codes delivered by SMS or displayed on the same device. The malware also includes keylogging and maintains a persistent connection to the attackers' servers over WebSockets.

How to Protect Your Android Device

Given the severity of these Android banking malware campaigns, users must take immediate defensive steps to secure their personal data:

  1. Avoid sideloading applications: Download apps exclusively from the official Google Play Store. This prevents the installation of the unverified APKs that RecruitRat, SaferRat and Astrinox rely on.
  2. Scrutinize SMS links: Never click on links within urgent text messages claiming account issues or offering free services. This neutralizes the primary smishing vectors used to deploy the payloads.
  3. Audit Accessibility permissions: Regularly check your device settings to see which apps have Accessibility Service access (and which may "display over other apps"), and uninstall any app you do not recognize. Revoking this permission removes the malware's ability to run its "blindfold" technique and screen overlays.
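For IT administrators checking a fleet rather than a single handset, steps 1 and 3 can be scripted over `adb`. The following is an added example, not code from Zimperium, Hackread or the malware authors. It parses the output of two real `adb shell` commands (`settings get secure enabled_accessibility_services`, which returns a colon-separated list of `package/ServiceClass` entries, and `pm list packages -3 -i`, which lists third-party packages with their installer) and flags accessibility services outside an assumed allowlist and packages not installed by Google Play. The allowlist, the trusted-installer list and the sample device output are constructed assumptions; the package names in the sample are placeholders, not indicators for any of the four families.

```shell
#!/usr/bin/env bash
# Added example: flag suspicious accessibility services and sideloaded packages
# from adb output. Allowlists and sample data below are assumptions/constructed.

# Assumed allowlist of packages that legitimately run an accessibility service.
ALLOWED_ACCESSIBILITY_PKGS="com.google.android.marvin.talkback com.android.settings"
# Assumed trusted installers: Google Play only (add your OEM store if needed).
TRUSTED_INSTALLERS="com.android.vending"

# Constructed sample of 'settings get secure enabled_accessibility_services'.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.recruitapp/.OverlayService'

# Constructed sample of 'pm list packages -3 -i' (installer=null means the
# package was not installed through a store, e.g. sideloaded via adb).
SAMPLE_PM='package:com.android.chrome  installer=com.android.vending
package:com.example.recruitapp  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending'

# Print the package of every enabled accessibility service not on the allowlist.
flag_accessibility_services() {
  local setting="$1" entry pkg
  # 'settings get' prints the literal string "null" when nothing is enabled.
  if [ -z "$setting" ] || [ "$setting" = "null" ]; then
    return 0
  fi
  printf '%s\n' "$setting" | tr ':' '\n' | while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    pkg="${entry%%/*}"                      # strip the /ServiceClass suffix
    case " $ALLOWED_ACCESSIBILITY_PKGS " in
      *" $pkg "*) ;;                        # sanctioned, skip
      *) printf '%s\n' "$pkg" ;;            # unexpected: revoke or uninstall
    esac
  done
}

# Print every third-party package whose installer is not a trusted store.
flag_sideloaded_packages() {
  local line pkg installer
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in package:*) ;; *) continue ;; esac
    pkg="${line#package:}"; pkg="${pkg%% *}" # name ends at the first space
    installer="${line##*installer=}"         # value after 'installer='
    case " $TRUSTED_INSTALLERS " in
      *" $installer "*) ;;                   # came from a trusted store
      *) printf '%s\n' "$pkg" ;;             # sideloaded: review it
    esac
  done
}

# Run both checks against a connected device (requires adb and USB debugging).
audit_device() {
  command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 1; }
  echo "Unexpected accessibility services:"
  flag_accessibility_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
  echo "Third-party packages not installed from a trusted store:"
  flag_sideloaded_packages "$(adb shell pm list packages -3 -i | tr -d '\r')"
}

# Stand-alone demonstration against the constructed samples.
echo "Sample: unexpected accessibility services"
flag_accessibility_services "$SAMPLE_A11Y"
echo "Sample: sideloaded packages"
flag_sideloaded_packages "$SAMPLE_PM"
```

Run `audit_device` with a device attached to apply the checks live. A package appearing in both lists (sideloaded and holding an accessibility service) is the pattern these campaigns depend on and deserves immediate attention; to complete the overlay picture, `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` shows whether a package also holds the "display over other apps" permission. Treat the allowlists as starting points: legitimate password managers and screen readers also use accessibility services, so tune them to what your fleet actually sanctions.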

The Weaponization of Android Accessibility Services

The discovery of RecruitRat and its variants by Zimperium underscores a troubling industry trend: the relentless weaponization of native OS features. By abusing the Accessibility Service and the MediaProjection framework, threat actors bypass traditional security controls without needing root access or an OS exploit; every capability they use is one the user was tricked into granting.

The fact that RecruitRat carries over 700 localized overlay templates indicates a highly organized, well-funded operation designed for maximum scale. Moving forward, Google will likely face mounting pressure to further restrict Accessibility APIs in future Android builds, forcing a difficult balance between user accessibility and systemic security.

Sources: hackread.com