RecruitRat
RecruitRat is an Android banking trojan/RAT family identified by Zimperium zLabs as one of four related campaigns alongside SaferRat, Astrinox, and Massiv. It is used to steal credentials, enable unauthorized financial transactions, and exfiltrate data at scale, and is part of activity affecting more than 800 banking, cryptocurrency, and social platform applications. RecruitRat is primarily distributed through recruitment-themed social engineering, including fake job application files and fraudulent job-seeking websites, with victims tricked into sideloading malicious APKs. The broader campaigns also use phishing, smishing, homograph/lookalike domains, and attacker-controlled fake app or store pages.
Once installed, RecruitRat abuses Android Accessibility Services and overlay capabilities to monitor screen content and user interactions, perform clicks/swipes/typing, hide permission grants, and request additional high-risk permissions including access to contacts, device state, and SMS. It scans infected devices for installed banking, cryptocurrency, and social apps, then launches app-specific phishing overlays. RecruitRat uses fake login screens and fake lock-screen/PIN overlays to capture credentials, authentication codes, and device unlock secrets in real time. It has been reported to contain more than 700 fake login pages and to use an injectZip command to receive compressed HTML phishing overlays for more than 700 targeted applications. Reported capabilities across the observed campaigns include credential theft, OTP/SMS interception, contact theft, keylogging/tap logging, screen freezing, screen recording/streaming via MediaProjection, and large-scale data exfiltration.
RecruitRat uses a multi-stage installation process and persistence mechanisms. It hides from the app drawer by replacing its launcher icon with a blank, fully transparent image. Zimperium reported that RecruitRat and SaferRat hide secondary payloads in the APK's res or assets directories and may load external DEX files at runtime with DexClassLoader. RecruitRat also employs anti-analysis and evasion techniques: ZIP-level tampering of the APK container intended to break tools such as APKTool and JADX, encrypted strings and API calls resolved dynamically through reflection, and RC4 encryption. For reconnaissance it enumerates installed apps via launcher-intent queries and a BotAddInfo command rather than requesting QUERY_ALL_PACKAGES, so the absence of that permission in the manifest is not evidence of benign behaviour; the resulting app list is RC4-encrypted before being exfiltrated to command-and-control infrastructure. C2 communications were reported over HTTPS, with RecruitRat additionally applying RC4 to the data it sends.
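The ZIP-level tampering and hidden DEX payloads described above are the kind of thing a triage script can catch before a decompiler chokes on the sample. The following is an added example written for this page, not code from Zimperium or from the RecruitRat sample: it reads every entry's local file header and compares it against the central directory (the two structures that tools such as APKTool and JADX must both trust), flags undefined compression methods and name/size/CRC disagreements, and reports any file under assets/ or res/ that starts with the DEX magic. The APK it inspects is constructed in memory with placeholder contents and then deliberately patched, so the script runs offline; a real sample is passed as a path on the command line.

```python
"""Structural triage of an APK's ZIP container.

Added example for this page, not code from Zimperium or the RecruitRat
sample. The APK below is constructed with placeholder contents and then
patched to look tampered; real samples are passed as a path.
"""
import io
import struct
import sys
import zipfile

LOCAL_SIG = b"PK\x03\x04"
KNOWN_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}
DEX_MAGIC = b"dex\n"


def triage_apk(data: bytes) -> list[str]:
    """Return human-readable findings for the ZIP container in `data`.

    Decompilers walk the central directory and then trust each local file
    header; when the two disagree they fail or misparse, which is the
    tampering described in the write-up. We read both and compare them.
    """
    findings = []
    seen = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name in seen:
                findings.append(f"duplicate entry: {name}")
            seen.add(name)

            # Local file header after the 4-byte signature:
            # ver(2) flags(2) method(2) time(2) date(2) crc(4) csize(4)
            # usize(4) name_len(2) extra_len(2)  -> 26 bytes
            off = info.header_offset
            if data[off:off + 4] != LOCAL_SIG:
                findings.append(f"missing local header signature: {name}")
                continue
            (_ver, flags, method, _t, _d, crc, csize, _usize,
             name_len, _extra_len) = struct.unpack("<HHHHHIIIHH", data[off + 4:off + 30])
            local_name = data[off + 30:off + 30 + name_len].decode("utf-8", "replace")

            if method not in KNOWN_METHODS or info.compress_type not in KNOWN_METHODS:
                findings.append(f"unsupported compression method: {name}")
            if method != info.compress_type:
                findings.append(f"local/central method mismatch: {name}")
            if local_name != name:
                findings.append(f"local/central name mismatch: {name} vs {local_name}")
            # Flag bit 3 means CRC/sizes live in a trailing data descriptor,
            # so only compare them when the local header claims real values.
            if not flags & 0x08 and (crc != info.CRC or csize != info.compress_size):
                findings.append(f"local/central size or CRC mismatch: {name}")

            # Secondary payloads: DEX magic on a file stored under assets/ or res/.
            try:
                with zf.open(info) as fh:
                    head = fh.read(4)
            except Exception as exc:  # BadZipFile, NotImplementedError, zlib.error
                findings.append(f"unreadable entry: {name} ({type(exc).__name__})")
                continue
            if head == DEX_MAGIC and name.startswith(("assets/", "res/")):
                findings.append(f"hidden DEX payload: {name}")
    return findings


def build_sample(tamper: bool = True) -> bytes:
    """Construct an APK-shaped ZIP with placeholder contents (not a real app).

    With tamper=True the local-header compression method of classes.dex is
    overwritten with an undefined value while the central directory is left
    intact, mimicking container-level tampering.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder manifest>")
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        # Second DEX hidden under assets/ behind an innocuous name.
        zf.writestr("assets/fonts.bin", DEX_MAGIC + b"035\x00" + b"\x00" * 64)
        zf.writestr("res/drawable/ic_launcher.png", b"\x89PNG placeholder")
    data = bytearray(buf.getvalue())
    if tamper:
        with zipfile.ZipFile(io.BytesIO(bytes(data))) as zf:
            off = zf.getinfo("classes.dex").header_offset
        struct.pack_into("<H", data, off + 8, 0xFFFF)  # method field at +8
    return bytes(data)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for finding in triage_apk(blob) or ["no structural anomalies found"]:
        print(finding)
```

Run it against a real sample with `python triage.py sample.apk`. A hit on any of the structural checks is a reason to repair the container (or unpack it with a tolerant ZIP reader) before handing it to APKTool or JADX; a DEX payload under assets/ or res/ is the artifact to pull out and analyse separately, since it is what DexClassLoader will load at runtime.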
Reported high-confidence indicators include Android APK delivery, the recruitment/job-seeker lure theme, overlay phishing against banking and cryptocurrency apps, abuse of Accessibility Services and MediaProjection, the transparent launcher icon used to hide from the app drawer, RC4-encrypted app-list exfiltration, and support for more than 700 phishing/login overlays. A referenced repository also included files named RecruitRAT.md and recruitRat-apks.csv, updated with the note "IOCs added" on 2026-04-15.
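The RC4-encrypted app-list exfiltration mentioned above is the indicator an analyst most often has to reverse when reconstructing what a device leaked. The block below is an added example, not code from the page, from Zimperium or from the malware: it implements RC4 in plain Python (there is no RC4 in the standard library), decodes a captured blob into package names, and shows the practical weakness of the scheme that goes beyond the page's description: with one static key and no per-message nonce, every beacon is XORed with the same keystream, so one beacon whose plaintext is known recovers another beacon's bytes without the key. The key and the newline-separated framing are assumptions for illustration; the ciphertexts are constructed in the test rather than captured.

```python
"""RC4 handling for captured app-list exfiltration.

Added example for this page, not code from Zimperium or the RecruitRat
sample. Assumptions: the key is whatever string analysis of the sample
recovers, and the payload is the RC4 ciphertext of a newline-separated
package list. Both are hypothetical here.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_app_list(key: bytes, blob: bytes) -> list[str]:
    """Recover package names from a captured RC4 blob (assumed newline framing)."""
    plain = rc4(key, blob).decode("utf-8", "replace")
    return [line for line in plain.split("\n") if line]


def recover_with_known_beacon(ct_known: bytes, pt_known: bytes, ct_unknown: bytes) -> bytes:
    """Keystream reuse: the same key with no nonce means ct_a ^ ct_b == pt_a ^ pt_b.

    Given one beacon whose plaintext is known (for example an app list seen
    on a test device), the bytes of any other beacon under the same key are
    recovered up to the known length without ever touching the key.
    """
    n = min(len(ct_known), len(pt_known), len(ct_unknown))
    keystream = bytes(c ^ p for c, p in zip(ct_known[:n], pt_known[:n]))
    return bytes(c ^ k for c, k in zip(ct_unknown[:n], keystream))


if __name__ == "__main__":
    key = b"hypothetical-key"                  # placeholder, not a real sample key
    beacon = rc4(key, b"com.example.bank\ncom.example.wallet\n")
    print(decrypt_app_list(key, beacon))
```

The `recover_with_known_beacon` function is the reason to treat a static RC4 key as a detection opportunity rather than an obstacle: once one plaintext/ciphertext pair is known, the keystream prefix is known, and it decrypts every other message of that length or shorter from the same infection. A deployment that rotated keys or prepended a nonce would not have that property.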
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic:
Initial Access: 1 technique
Stealth: 2 techniques
Credential Access: 3 techniques
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Android banking malware used in a large-scale campaign that abuses Accessibility and overlay features to hide itself, monitor screen content, capture PINs and credentials, and target banking, crypto, and social apps. RecruitRat was noted to apply transparency effects to vanish from the app drawer.
Android malware family distributed via fake job application files targeting job seekers. It performs overlay attacks against banking and crypto apps, abuses Accessibility Service permissions, steals credentials, contacts and SMS messages, intercepts OTPs, records screens, and uses keylogging.
Android banking trojan family distributed via recruitment-themed phishing sites. It uses droppers, hidden secondary payloads, DexClassLoader, RC4-encrypted exfiltration, fake lock-screen and banking overlays, app enumeration, screen capture, and visual stealth by replacing its icon with a transparent image.