RadzaRat
RadzaRat is an Android remote access trojan (RAT) / spyware family discovered by Certo Software and publicly reported in late 2025. It is described as an Android malware-as-a-service (MaaS) tool first made public on November 8, 2025, and is disguised as a legitimate file manager application, including lures presenting it as a utility for handling photos and documents. Reporting states it was sold on underground forums by a developer using the name Heron44, with low-cost infrastructure based on services such as Render.com and Telegram, lowering the barrier to deployment.
Documented capabilities include full remote control of infected Android devices, remote file-system access, browsing and downloading files from the victim device, support for file transfers up to 10 GB, keystroke logging, and extensive surveillance functionality. The malware uses Telegram for command-and-control. It achieves persistence through Android boot-related permissions including RECEIVE_BOOT_COMPLETED, is configured to restart after device reboot, requests that battery optimizations be ignored, and uses aggressive methods to resist being closed by Android.
The malware is associated with credential and financial-data theft risk, including capture of passwords and credit card numbers via keylogging. It targets Android devices and has been observed impersonating a file manager utility rather than a sector-specific business application. At the time of reporting, Certo Software stated the APK installer was openly accessible online and that VirusTotal showed a 0/66 detection rate, indicating no major antivirus detections at that time.
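The persistence traits described above (RECEIVE_BOOT_COMPLETED with a boot receiver, a battery-optimization exemption), together with the accessibility-service keystroke capture noted in the tracked sources further down, make a compact triage heuristic for a suspect APK. The following is an added example, not code from Certo Software's report or any vendor product: it scores a decoded AndroidManifest.xml against those traits; the sample manifest, the weights and the threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Indicators taken from the reported RadzaRat behaviour; the weights are assumptions.
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,                # restart after reboot
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": 1,  # resist being killed
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml against the persistence and keylogging traits."""
    root = ET.fromstring(manifest_xml)
    name_attr = ANDROID_NS + "name"
    declared = {p.get(name_attr) for p in root.iter("uses-permission")}
    found = sorted(p for p in PERMISSION_WEIGHTS if p in declared)
    # A <receiver> listening for BOOT_COMPLETED is what lets the app relaunch after reboot.
    boot_receiver = any(a.get(name_attr) == BOOT_ACTION
                        for r in root.iter("receiver") for a in r.iter("action"))
    # An accessibility service bound with the system permission is the keystroke-capture hook.
    accessibility_service = any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
                                for s in root.iter("service"))
    score = (sum(PERMISSION_WEIGHTS[p] for p in found)
             + (1 if boot_receiver else 0) + (2 if accessibility_service else 0))
    return {
        "permissions": found,
        "boot_receiver": boot_receiver,
        "accessibility_service": accessibility_service,
        "score": score,
        # Threshold is an assumption: flag only when persistence and keylogging traits coincide.
        "verdict": "review" if score >= 4 else "low",
    }

# Constructed sample: a "file manager" manifest showing the reported trait combination.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.filemanager">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="File Manager">
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".KeyService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

print(triage_manifest(SAMPLE_MANIFEST))
```

A legitimate file manager that keeps a boot receiver but declares no accessibility service scores 3 and stays "low", which is the point of weighting the keylogging hook highest.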
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth: 1 technique
Credential Access: 1 technique
Collection: 1 technique
Recent activity
5 sources tracked across advisories, community write-ups, and news.
RadzaRat is a new Android remote access trojan (RAT) disguised as a file manager app, notable for its zero detection rate at the time of discovery.
RadzaRat is an Android RAT distributed as MaaS, disguised as a file manager. It enables remote file system access and keystroke logging via accessibility services, and uses Telegram for C2. It achieves persistence through boot permissions and evades battery optimizations.
Android spyware and remote access trojan disguised as a file manager app. It provides full remote control, supports browsing and downloading files, performs keylogging, uses Telegram for logging/communication, persists across reboots, and employs methods to avoid being closed by Android.