Four Android malware families are quietly siphoning credentials from more than 800 banking, cryptocurrency and social media apps, with detection rates near zero.
Zimperium Identifies Four Trojan Families
The cybersecurity firm Zimperium says its zLabs team has tracked four parallel campaigns named RecruitRat, SaferRat, Astrinox and Massiv.
Each one runs on a separate command-and-control framework. Together they reach over 800 apps in finance, crypto and social media.
Hackread reported the families slip past signature-based scanners through structural APK tampering and runtime decryption. SaferRat hides behind fake streaming offers, while RecruitRat lures job seekers with bogus recruitment sites.
Once installed, the trojans demand Accessibility permissions, drop a blank icon to vanish from the app drawer, and intercept PINs through fake lock screens.
Overlay Attacks and Crypto Wallet Risk
Krishna Vishnubhotla, vice president of product strategy at Zimperium, told TechRepublic that attackers now seize the device itself rather than just credentials.
The malware waits for a victim to open a banking or crypto app, then drops a fake login page over the real one. Captured passwords flow straight to the attacker.
Massiv targets 78 banking and crypto wallets, mapped by country. RecruitRat covers more than 700 apps using HTML overlays delivered from its server.
Mobile fraud has been climbing through 2025 and into 2026. The FBI's most recent crime report logged record losses in cryptocurrency-related scams, with phishing and credential theft on Android the dominant entry points.