
New RecruitRat, SaferRat, Astrinox, Massiv Android Malware Found Targeting 800 Apps
Why It Matters
These attacks jeopardize the security of mobile financial transactions, exposing users and institutions to credential theft and fraud. The sophisticated overlay and OTP‑interception methods raise the threat level for Android banking and cryptocurrency ecosystems.
Key Takeaways
- RecruitRat spreads via fake job‑seeker APK links.
- SaferRat lures victims with premium streaming service phishing sites.
- Astrinox mimics HireX tool, uses fake Apple Store page for Android.
- Massiv remains hidden, distribution method still unknown.
Pulse Analysis
Android remains the most popular mobile platform, making it a prime target for financially motivated cybercrime. Zimperium’s zLabs recently uncovered four new malware families—RecruitRat, SaferRat, Astrinox and Massiv—that collectively compromise more than 800 banking and cryptocurrency applications. The campaigns rely on classic social‑engineering vectors such as phishing webpages and smishing texts, but they add a sophisticated overlay attack that mimics legitimate login screens. By hijacking the user’s view at the moment a financial app launches, the malware can harvest credentials before the victim realizes anything is amiss.
The technical playbook behind these threats is notably advanced. All four families abuse Android’s Accessibility Service to draw a static “blindfold” image over the screen, effectively freezing the UI while the malicious code runs in the background. This enables real‑time interception of one‑time passwords delivered by SMS, as well as full keylogging of every tap. RecruitRat even bundles a library of over 700 counterfeit login pages, activating them via a persistent WebSocket channel that waits for the optimal strike moment.
For enterprises and end users, the emergence of these overlay‑based attacks underscores the need for layered defenses. Mobile‑device management solutions should restrict accessibility permissions to trusted apps and monitor for anomalous overlay windows. Users must remain skeptical of unsolicited links, especially those promising free services or job opportunities, and should only install software from official app stores. As attackers continue to refine stealth techniques, continuous threat‑intelligence sharing and rapid patch cycles will be essential to protect the billions of dollars flowing through mobile financial ecosystems.
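The accessibility-permission restriction recommended above can be checked on a managed device by comparing the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` against an allowlist. The following is an added example, not code from Zimperium or this article; the allowlist, the trusted-installer set and all sample package names are assumptions.

```python
# Added example; sample inputs are constructed, package names hypothetical.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only
ALLOWLIST = {"com.google.android.marvin.talkback"}  # assumption: approved a11y apps

def parse_services(setting_value):
    """Parse `settings get secure enabled_accessibility_services` output:
    colon-separated package/class components; unset reads 'null' or empty."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    # partition() yields (package, "/", class); keep package and class.
    return [c.partition("/")[::2] for c in value.split(":") if c]

def parse_installers(pm_output):
    """Parse `pm list packages -i` lines: 'package:<name>  installer=<src>'."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, src = line[len("package:"):].partition("installer=")
        installers[name.strip()] = src.strip() or "null"
    return installers

def audit(setting_value, pm_output):
    """Flag enabled accessibility services that are not on the allowlist."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_services(setting_value):
        if pkg in ALLOWLIST:
            continue
        src = installers.get(pkg, "unknown")
        # Sideloaded package holding accessibility access is the riskier case.
        severity = "review" if src in TRUSTED_INSTALLERS else "high"
        findings.append({"package": pkg, "service": cls,
                         "installer": src, "severity": severity})
    return findings

# Constructed sample output (not from a real device).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.jobportal/.HelperService:"
                  "com.example.notes/com.example.notes.A11y")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.jobportal  installer=null
package:com.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SETTING, SAMPLE_PM):
        print(finding)
```

A "high" finding means an accessibility service is enabled for a package that was not installed from a trusted store, which matches the sideloaded-APK delivery described in the takeaways.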