Crypto trojans target 800+ wallets and banking apps via fake logins

A Zimperium zLabs report warns of a new wave of Android crypto trojans aimed at more than 800 cryptocurrency wallets, banking apps, and social platforms. The report names four malware families, RecruitRat, SaferRat, Astrinox, and Massiv, each running its own command-and-control infrastructure.

Once installed, the trojan uses overlay attacks: it draws a fake login screen on top of the genuine crypto or banking app, so the victim types credentials into the attacker's form while believing they are signing in to the real app, and the operators receive them in real time. It can also intercept one-time passcodes (OTPs), stream the victim's device screen to the attackers, hide its own app icon, and block uninstall attempts.

Infection commonly starts through phishing sites, fake job offers that redirect to malicious APK downloads, SMS scams, and social-engineering lures that pressure the victim to act quickly. One campaign uses fake premium streaming sites; others rely on recruitment-style bait and domain-based content switching.

To evade security tools, the families reportedly use advanced anti-analysis techniques and structural tampering with the Android APK, which leaves traditional signature-based defenses with near-zero detection rates. Their command-and-control traffic rides over HTTPS and WebSocket, sometimes with an extra layer of encryption, so it blends into normal app activity. The report also notes multi-stage installation strategies designed to work around Android permission changes.

Traders' takeaway: the headline is not a protocol or price catalyst but a security risk that can increase exchange and wallet losses and trigger short-lived risk-off sentiment, especially for users who install Android apps from outside the official stores.
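A quick host-side triage for the "apps installed outside official stores" risk the takeaway mentions, as an added example that is not part of the Zimperium report or of this page. It assumes that the overlay attacks depend on the SYSTEM_ALERT_WINDOW app-op (the report does not say which permission the families use) and that anything not installed by Google Play (com.android.vending) counts as sideloaded; the adb outputs embedded in it are constructed samples in the real format of the two commands. Run it with `--device` against a connected handset to use live adb output instead of the samples.

```python
"""Triage check: list sideloaded Android apps that hold the overlay permission.

Added example, not from the Zimperium report. Assumption (not confirmed by the
report): the overlay attacks rely on the SYSTEM_ALERT_WINDOW app-op, and any
installer other than Google Play is treated as a sideload. The adb outputs
below are constructed samples in the real output format of the two commands.
"""
import re
import subprocess
import sys

# Constructed sample of `adb shell pm list packages -i`.
PM_LIST_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.stream.premium  installer=null
package:com.jobs.recruit  installer=com.android.packageinstaller
"""

# Constructed sample of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`, one entry per package.
APPOPS_OUTPUT = {
    "com.android.chrome": "No operations.",
    "com.example.bank": "SYSTEM_ALERT_WINDOW: deny",
    "com.stream.premium": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m4s ago",
    "com.jobs.recruit": "SYSTEM_ALERT_WINDOW: allow; time=+20m ago",
}

# Installers considered trustworthy. Assumption: Google Play only; add OEM stores you rely on.
TRUSTED_INSTALLERS = {"com.android.vending"}

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_text):
    """Map package name -> installing package (None when adb reports 'null')."""
    installers = {}
    for line in pm_text.splitlines():
        m = _PM_LINE.match(line.strip())
        if not m:
            continue  # blank line or a line in an unexpected format
        pkg, installer = m.groups()
        installers[pkg] = None if installer == "null" else installer
    return installers


def overlay_allowed(appops_text):
    """True when the SYSTEM_ALERT_WINDOW app-op is in 'allow' mode."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_text)
    return bool(m) and m.group(1) == "allow"


def flag_suspects(pm_text, appops_by_pkg, trusted=TRUSTED_INSTALLERS):
    """Return sorted (package, installer) pairs that were sideloaded and can draw overlays."""
    suspects = []
    for pkg, installer in parse_installers(pm_text).items():
        sideloaded = installer not in trusted  # also covers None (unknown installer)
        if sideloaded and overlay_allowed(appops_by_pkg.get(pkg, "")):
            suspects.append((pkg, installer))
    return sorted(suspects)


def collect_from_device():
    """Pull the same two outputs from a connected device via adb (not used in the offline demo)."""
    pm_text = subprocess.check_output(["adb", "shell", "pm", "list", "packages", "-i"], text=True)
    appops = {}
    for pkg in parse_installers(pm_text):
        appops[pkg] = subprocess.check_output(
            ["adb", "shell", "appops", "get", pkg, "SYSTEM_ALERT_WINDOW"], text=True)
    return pm_text, appops


if __name__ == "__main__":
    if "--device" in sys.argv:
        pm_text, appops = collect_from_device()
    else:
        pm_text, appops = PM_LIST_OUTPUT, APPOPS_OUTPUT
    for pkg, installer in flag_suspects(pm_text, appops):
        print(f"{pkg}: sideloaded (installer={installer}), overlay permission granted")
```

On the constructed sample the check flags com.stream.premium (unknown installer) and com.jobs.recruit (installed through the manual package installer) and leaves the Play-installed apps alone. An overlay-capable sideloaded app is only a lead, not a verdict: a legitimate screen-filter or accessibility tool will trip the same check, so confirm with the APK's origin and signer before uninstalling.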
Bearish
The core of this story is a real-world security threat, a crypto trojan targeting a large number of wallet and banking apps, rather than a change in on-chain or macro fundamentals. Its effect on market sentiment is usually short-term: once large-scale credential theft, OTP interception, and screen streaming appear, user confidence in exchanges, custodial wallets, and mobile asset management tends to drop, lowering risk appetite (bearish). Similar events have historically produced similar trading reactions: when reports of large-scale mobile trojans, phishing campaigns, or account takeover (ATO) emerge, the common short-term pattern is a shift of funds toward lower-risk custody arrangements and tighter security practices (such as replacing devices or enabling risk controls), while volume and volatility may rise briefly. Over the longer term, however, a trojan incident does not directly change the supply and demand or the protocol security of assets such as BTC and ETH; it mainly affects user-side losses and platform-side risk-control costs. Overall it reads as sentiment noise from a security incident rather than a trend-level fundamental negative. On balance, the expected market impact of this news is mildly bearish but likely to be absorbed quickly.