SaferRAT
SaferRAT is an Android banking trojan identified by Zimperium zLabs as one of four active malware families alongside RecruitRat, Astrinox, and Massiv. It is associated with campaigns targeting more than 800 applications across banking, cryptocurrency, and social media platforms. SaferRAT is distributed via phishing and social-engineering lures, including fake streaming-service websites, enticing free premium offers, and a dropper masquerading as a Google Play Store update. The malware relies on sideloaded malicious APKs and has been reported to abuse Android’s Session Installation API as part of its installation chain.
Once installed, SaferRAT requests Accessibility Service permission and then uses non-interactive overlays to hide the granting of additional high-risk permissions, including access to contacts, device state, and SMS messages. With Accessibility access, it can read screen contents, monitor user interactions, perform clicks, swipes, and typing, create overlays, freeze or obstruct the screen, and make removal difficult. SaferRAT has been observed manipulating system navigation to hinder uninstallation and using Accessibility Services to block uninstall attempts after receiving the enable_anti_delete command from its command-and-control server.
The malware enumerates installed applications to identify banking, cryptocurrency, and social-media targets, then launches app-specific attacks. It uses overlay techniques to present fake PIN unlock screens and cloned login interfaces over legitimate apps in order to capture device passcodes, patterns, credentials, and authentication codes in real time. Reporting also states that SaferRAT can steal contacts and SMS messages, intercept one-time passwords, keylog user input, record or stream screen content via Android MediaProjection, and load remote phishing pages through WebView. SaferRAT and RecruitRat were also reported to hide secondary payloads in res or assets directories, sometimes load external DEX files with DexClassLoader, and use ZIP-level APK tampering, encrypted strings, and reflection to hinder analysis.
SaferRAT was designated based on the recurring class name com.example.safeservice found across associated samples. High-confidence indicators and traits directly mentioned in the source material include the class name com.example.safeservice, fake streaming-service lure infrastructure, fake Google Play update-themed droppers, use of Accessibility abuse and overlays, anti-uninstall behavior tied to the enable_anti_delete command, and Android APK artifacts tracked in saferRat-apks.csv.
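As an added triage example (not code from the Zimperium report or the Mallory platform), the script below checks an APK for the indicators the page lists: the class name com.example.safeservice inside classes.dex, DEX payloads hidden under res/ or assets/ regardless of file extension, and a DexClassLoader reference. The sample APK is constructed in memory, and the simple byte-matching rule is an assumption for illustration, not a published detection.

```python
import io
import zipfile

# Indicators taken from the page: the recurring class name (DEX descriptor form)
# and payload DEX files hidden under res/ or assets/.
SAFERRAT_CLASS = b"com/example/safeservice"
DEX_MAGIC = b"dex\n"            # every DEX file starts with "dex\n" + version
PAYLOAD_DIRS = ("assets/", "res/")
LOADER_REF = b"Ldalvik/system/DexClassLoader;"


def scan_apk(apk_bytes: bytes) -> dict:
    """Return triage findings for one APK held in memory."""
    findings = {"saferrat_class": False, "hidden_dex": [], "dexclassloader": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            name = info.filename
            if name.startswith("classes") and name.endswith(".dex"):
                # Main code: look for the designated class and the external-DEX loader.
                findings["saferrat_class"] |= SAFERRAT_CLASS in data
                findings["dexclassloader"] |= LOADER_REF in data
            elif name.startswith(PAYLOAD_DIRS) and data[:4] == DEX_MAGIC:
                # A DEX header under res/ or assets/, whatever the extension says.
                findings["hidden_dex"].append(name)
    return findings


def verdict(findings: dict) -> str:
    """Collapse findings into a triage label for the analyst queue."""
    if findings["saferrat_class"]:
        return "match: SaferRAT class name present"
    if findings["hidden_dex"] and findings["dexclassloader"]:
        return "suspicious: hidden DEX plus DexClassLoader"
    return "no SaferRAT indicators"


def build_sample_apk(with_class: bool = True, with_payload: bool = True) -> bytes:
    """Constructed stand-in for an APK (a plain ZIP), not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        cls = b"L" + SAFERRAT_CLASS + b";" if with_class else b"Lcom/example/benign;"
        zf.writestr("classes.dex", b"dex\n035\x00" + cls + LOADER_REF)
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("res/drawable/icon.png", b"\x89PNG\r\n")
        if with_payload:
            zf.writestr("assets/fonts/roboto.ttf", b"dex\n035\x00" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(verdict(scan_apk(build_sample_apk())))
```

On a real APK, feed the file bytes to scan_apk; a hit on the class name alone is what the page treats as the high-confidence indicator.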
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth: 2 techniques
Credential Access: 3 techniques
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Android banking malware distributed through phishing and fake offers, using a multi-stage dropper masquerading as a Google Play update. It abuses Accessibility and overlay permissions to hide malicious actions, resist uninstallation, monitor screens, and steal PINs, logins, and authentication codes.
Android malware family distributed through fake streaming service websites. It conducts overlay attacks against banking and crypto applications, abuses Accessibility Service permissions, steals credentials, contacts and SMS messages, intercepts OTPs, records screens, and keylogs user input.
Android banking trojan family distributed through fake streaming and software websites. It uses a Google Play update-themed dropper, Session Installation API abuse, Accessibility abuse to block uninstall attempts, hidden payloads, ZIP-level APK tampering, reflection-based obfuscation, remote WebView phishing overlays, keylogging, and HTTPS C2 telemetry exfiltration.