• 'It just vanished': Millions at risk as Android trojans use devio

    From TechnologyDaily@1337:1/100 to All on Thursday, May 07, 2026 01:30:27
    'It just vanished': Millions at risk as Android trojans use devious trick to 'magically' disappear once installed

    Date:
    Thu, 07 May 2026 00:25:00 +0000

    Description:
    Android banking trojans vanish from app drawers and secretly capture login credentials while streaming live device screens to remote attackers.

    FULL STORY
    ======================================================================

    - Four Android banking trojan campaigns target hundreds of finance and social apps
    - Malware hides icons, blocks removal, and overlays fake banking login screens
    - Live screen streaming lets attackers monitor activity and capture authentication steps

    Security researchers have tracked four Android banking trojan campaigns that rely on deception, stealth, and disappearing app icons to stay hidden after installation.

    Researchers at Zimperium say the campaigns, named RecruitRat, SaferRat, Astrinox, and Massiv, collectively targeted more than 800 banking, cryptocurrency, and social media apps. The potential reach is vast because many commonly used apps have billions of downloads, although actual infections likely number in the millions rather than billions.

    Increasingly complex installation techniques

    The researchers note the attackers rely heavily on tricking users, rather than exploiting technical flaws alone. Victims are directed to fake websites disguised as job portals, streaming services, or software downloads that seem legitimate at first glance.

    Some campaigns imitate recruitment platforms, pushing victims to download an app as part of a supposed hiring process, while others promise free access to premium streaming content. This leads users to sideload malicious software from unofficial sources.

    Installation techniques have grown increasingly complex, with many attacks using multi-stage delivery methods that conceal the true malware payload inside another file.

    One tactic involves mimicking official update screens, including layouts resembling the Google Play interface, to lower suspicion during installation.

    Once active, the malware often requests Accessibility permissions, allowing it to monitor actions, read screen content, and grant itself additional privileges without clear user knowledge.
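
    A defender-side triage check for the two traits described above, sideloading and an enabled Accessibility service, follows as an added example that is not part of the original article or Zimperium's tooling. It parses the output of two standard adb commands; the package names, the sample output and the trusted-installer list are constructed assumptions.

```python
import re

# Constructed sample output (not from a real device) of:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.jobportal.update/com.example.jobportal.update.CoreService"
)
# Constructed sample output of: adb shell pm list packages -i -3
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.example.jobportal.update  installer=com.google.android.packageinstaller
package:com.example.streamfree  installer=null
"""
# Assumption: only the Play Store counts as a trusted install source here.
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_a11y_packages(raw):
    """Return package names that own an enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":  # the setting is unset on a clean device
        return set()
    # Entries are colon-separated "package/ServiceClass" components.
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def parse_installers(raw):
    """Map each third-party package to its recorded installer."""
    installers = {}
    for line in raw.splitlines():
        match = PKG_LINE.match(line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def sideloaded_a11y_apps(a11y_raw, packages_raw, trusted=TRUSTED_INSTALLERS):
    """List (package, installer) pairs for third-party apps that hold an
    accessibility service and were not installed by a trusted store."""
    enabled = parse_a11y_packages(a11y_raw)
    installers = parse_installers(packages_raw)
    return sorted(
        (pkg, src) for pkg, src in installers.items()
        if pkg in enabled and src not in trusted
    )
```

    Because the check works from the package list rather than the launcher, it still reports an app whose icon has been blanked out of the app drawer.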

    A particularly deceptive feature allows certain variants to replace their app icon with a blank image, effectively making the app "vanish" from the device's app drawer, creating confusion when users attempt to locate or remove the software.

    Other versions interfere directly with attempts to uninstall the malware by redirecting users away from system settings.

    Screen overlays play a major role in credential theft across all four campaigns. Fake lock screens can capture PINs and patterns, while simulated banking login pages harvest credentials as users interact with legitimate apps.

    Some variants even display full-screen update messages that prevent normal interaction while background actions take place.

    Beyond stealing credentials, several families transmit live screen content to remote servers, creating a continuous visual feed that allows attackers to observe activity and intercept authentication steps in real time.

    Encrypted communication channels connect infected devices to centralized command systems that coordinate attacks and distribute updated instructions.

    These systems can manage thousands of compromised devices simultaneously, making widespread financial theft easier to organize.

    Zimperium's researchers say evolving evasion methods, including hidden payloads and structural file tampering, make detection harder for traditional security tools.



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/it-just-vanished-millions-at-risk-as-android-trojans-use-devious-trick-to-magically-disappear-once-installed


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)