Astrinox
Astrinox is an Android banking trojan family identified by Zimperium zLabs as part of a cluster of campaigns alongside RecruitRat, SaferRat, and Massiv. It has been tracked internally by Zimperium for several months and overlaps with research from Cleafy Labs, which identified the same threat as Mirax. The campaigns collectively target more than 800 applications across banking, cryptocurrency, and social platforms, with the objective of stealing sensitive data and enabling fraud.
Astrinox is distributed through phishing and social-engineering lures that trick users into sideloading malicious APKs. Reported lures include fake business-tool applications and a fake Apple App Store page that served Android-targeting content; Zimperium also reported Astrinox using the domain xhire[.]cc and serving different phishing content depending on the client user-agent. Like the related campaigns, it relies on attacker-controlled websites, smishing, and cloned or fake apps to get the trojan installed.
Once installed, Astrinox abuses Android Accessibility Service and overlay capabilities. It presents fake login screens over legitimate banking and cryptocurrency apps, monitors user activity, and triggers cloned overlays when targeted apps are opened. It can steal credentials, authentication codes, device PINs, patterns, or passwords through fake lock-screen and app-login overlays. Astrinox and Massiv were specifically observed using static or persistent full-screen overlays disguised as Android system prompts or updates to block user interaction while authorizing actions, triggering navigation clicks behind the overlay, or facilitating malicious transaction approval.
Zimperium reported that these malware families request Accessibility permissions, use non-interactive overlays to hide dangerous permission grants, and can obtain access to contacts, device state, and SMS messages. Across the reported campaigns, capabilities include screen-content monitoring, interaction abuse via clicks/swipes/typing, interception of SMS-delivered OTPs, keylogging of user taps, and screen recording or live screen streaming via MediaProjection. Astrinox was also reported to use WebSocket-based bidirectional command-and-control communications.
From an evasion and payload-delivery perspective, Astrinox encrypts its core payload, reconstructs it from Base64 segments, decrypts it in memory with AES/GCM, and writes the resulting APK to cache for execution. The repository context also indicates APK-related artifacts and IOC tracking for Astrinox, with an April 15, 2026 update adding indicators of compromise.
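As an added example (not code from the page, Zimperium or Cleafy), the script below triages a decoded AndroidManifest.xml against the capability footprint described above: an Accessibility service declaration, overlay, SMS, contacts/device-state and install-packages permissions, and MediaProjection. The sample manifest, its package name and the grouping into clusters are constructed assumptions; the permission strings are real Android constants.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permission groups mapped to the behaviours described for this family.
# Permission strings are real Android constants; the grouping is an assumption.
CLUSTERS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_otp": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "contacts_device": {"android.permission.READ_CONTACTS",
                        "android.permission.READ_PHONE_STATE"},
    "dropper": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "screen_capture": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
}

def triage_manifest(xml_text):
    """Return the capability clusters a decoded AndroidManifest.xml declares."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    hits = {name: sorted(p & perms) for name, p in CLUSTERS.items() if p & perms}
    # An accessibility service is declared on a <service>, not via uses-permission.
    if any(s.get(ANDROID_NS + "permission") == A11Y_BIND for s in root.iter("service")):
        hits["accessibility"] = [A11Y_BIND]
    return hits

def risk_level(hits):
    # Accessibility plus overlay is the pairing the described overlay chain needs.
    if "accessibility" in hits and "overlay" in hits:
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "low" if hits else "none"

# Constructed sample manifest with a hypothetical package name, not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebiztool">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    print(risk_level(found), found)
```

Many legitimate apps declare one of these permissions, so the score is a triage hint for sideloaded APKs, not a verdict; run it on the manifest produced by a decoder such as apktool or aapt.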
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic:
Initial Access: 1 technique
Stealth: 1 technique
Credential Access: 3 techniques
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Android banking malware in a campaign targeting banking, crypto, and social apps. It abuses overlays and permissions to capture credentials and PINs; Astrinox was observed deploying static full-screen overlays disguised as system prompts or updates to authorize actions and trigger navigation clicks.
Android malware family masquerading as business tools and hosted on a fake Apple App Store page. It performs overlay attacks against banking and crypto apps, abuses Accessibility Service permissions, steals credentials, contacts and SMS messages, intercepts OTPs, records screens, and keylogs taps.
Android banking trojan family masquerading as HireX and using user-agent-aware phishing infrastructure. It encrypts its core payload, reconstructs it from Base64 segments, decrypts it in memory with AES/GCM, writes the APK to cache for execution, uses WebSocket C2, performs app inventory exfiltration, and deploys deceptive update overlays and credential-harvesting screens.