A new wave of cybercrime is targeting Android devices with unprecedented ease, thanks to “malware-as-a-service” (MaaS) platforms like PhantomOS and Nebula.
These underground services, now thriving on Telegram and dark web forums, allow anyone to launch professional-grade mobile attacks with no coding skills required.
With monthly subscriptions starting at just $300, features that once required expert-level hacking are now just a purchase away.
Plug-and-Play Android Trojans for Cybercriminals
Traditionally, orchestrating an Android malware campaign demanded deep technical expertise. Attackers had to build their malware, sign APKs, set up command-and-control servers, and constantly tweak tactics to evade antivirus detection.
The MaaS model changes this dramatically: buyers pay for a subscription and receive a ready-to-deploy APK, often tailored to specific targets and institutions.
PhantomOS markets itself as “the world’s most powerful Android APK malware-as-a-service,” boasting a feature set that includes remote, silent app installs, interception of SMS and one-time passwords (OTP) used for two-factor authentication (2FA), phishing overlays custom-built for brands like Coinbase or HSBC, and mechanisms to hide the malware from both the user and security apps.

Operators even handle backend infrastructure, providing each customer with a private server and a dedicated Telegram bot for remote control, with no technical acumen required.
Meanwhile, Nebula targets a broader range of criminals with stealthy spyware that automatically extracts SMS messages, call logs, contacts, and GPS location, forwarding everything to the attacker via Telegram.
Subscriptions include automated compatibility updates and discounts for multi-month deals, mirroring legitimate software-as-a-service offerings.
Evading Antivirus and Spreading at Scale
To keep infections undetected, these kits often leverage “crypting” or “crypter-as-a-service” tools. Crypters obfuscate malware code, helping it bypass Google Play Protect and popular antivirus apps.
MaaS operators frequently update crypto-packers to ensure each build evades the latest security scans, and cybercriminals expect “fully undetectable” (FUD) malware as part of their subscription.
Distribution is also streamlined: Social engineering packages supply fake login overlays for dozens of financial institutions.
At the same time, technical exploit kits scan the internet for Android devices with unsecured ADB ports, automatically pushing payloads to hundreds of devices in minutes.
For criminals seeking instant results, “install markets” enable them to purchase access to pre-infected devices by geography, thereby bypassing the work of initial infection.
Defenses for Organizations
With advanced Android malware kits now affordable and accessible, defending against them requires new approaches.
Threat detection tools that analyze device logs and behavior, such as iVerify, can help organizations quickly identify signs of compromise, even without deep device-level control.
As Android MaaS continues to lower the barrier for mobile malware, proactive monitoring and education become essential lines of defense.
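As an added defensive example (not from the original article or from any vendor tool), the Python below audits a captured `adb shell getprop` dump from an organization's own device for the unsecured-ADB condition that the exploit kits described above depend on. The sample dumps are constructed, and the function names and severity labels are assumptions of this example.

```python
import re

# One line of `adb shell getprop` output has the form: [key]: [value]
PROP_LINE = re.compile(r"^\[([^\]]+)\]:\s*\[(.*)\]\s*$")

# Constructed sample dumps (not taken from real devices).
SAMPLE_EXPOSED = """
[ro.adb.secure]: [0]
[ro.debuggable]: [1]
[service.adb.tcp.port]: [5555]
[ro.product.model]: [constructed-device-a]
"""
SAMPLE_HARDENED = """
[ro.adb.secure]: [1]
[ro.debuggable]: [0]
[service.adb.tcp.port]: [-1]
"""

def parse_getprop(text):
    """Parse getprop output into a dict, skipping lines that do not match."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def _port(value):
    """Return a valid TCP port as int, or 0 when unset, -1 or non-numeric."""
    try:
        port = int(value)
    except (TypeError, ValueError):
        return 0
    return port if 0 < port < 65536 else 0

def audit_adb(props):
    """Return (severity, finding) tuples describing ADB exposure in props."""
    findings = []
    # Either property configures adbd for TCP; the persist.* one survives reboot.
    tcp = _port(props.get("service.adb.tcp.port")) or _port(props.get("persist.adb.tcp.port"))
    auth = props.get("ro.adb.secure") == "1"  # host RSA key authorization enforced
    if tcp and not auth:
        findings.append(("critical", f"ADB configured on TCP {tcp} without host authorization"))
    elif tcp:
        findings.append(("high", f"ADB configured on TCP {tcp}"))
    elif not auth:
        findings.append(("medium", "ADB host authorization not enforced"))
    if props.get("ro.debuggable") == "1":
        findings.append(("medium", "debuggable build: adb root is permitted"))
    return findings
```

These properties describe configuration rather than a confirmed listening socket, so a finding is a prompt to inspect the device and its network exposure.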





