Commercial Android RATs Abuse Accessibility Services for Full Device Takeover
Two newly reported Android Remote Access Trojans (RATs)—SURXRAT and Oblivion—highlight a continued shift toward commercialized, subscription-based mobile malware that enables non-expert criminals to gain full control of victim devices and exfiltrate data. Both threats are positioned as scalable offerings (i.e., Malware-as-a-Service) with structured sales models and distribution support, lowering the barrier to entry for surveillance, credential theft, and account takeover.
The reported infection chains rely heavily on social engineering to trick users into installing or activating malicious components, then escalating control by abusing Android Accessibility Services to bypass normal interaction and security boundaries. SURXRAT is described as modular and stealth-focused, distributed primarily via Telegram channels with tiered licensing/reseller options, and capable of broad data access (e.g., SMS, contacts, location, storage) once high-risk permissions are granted. Oblivion is marketed at roughly $300/month (with longer-term pricing tiers) and is delivered via fake Google Play update prompts; researchers reported capabilities including SMS theft for banking codes, keylogging, remote unlocking after reboot, and covert live screen viewing while a decoy “system updating” animation distracts the victim, with infrastructure reportedly able to manage 1,000+ concurrent victims (including via Tor).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Cyble reveals SURXRAT's cloud C2 and surveillance capabilities
The SURXRAT analysis described a social-engineering-based installation flow in which victims are tricked into installing a seemingly legitimate app that then abuses Accessibility Services and other risky permissions. Cyble said the malware uses Firebase Realtime Database for command-and-control and supports data theft, camera and audio surveillance, real-time command execution, and a ransomware-style screen locker.
Cyble links SURXRAT to ArsinkRAT and exposes MaaS operation
Cyble reported that the Android RAT SURXRAT is being sold through Telegram as a malware-as-a-service offering with tiered licensing and reseller plans. The researchers linked it to the older ArsinkRAT family, saying the developers likely repurposed and expanded earlier source code.
Researchers detail Oblivion's fake-update infection and device takeover features
Researchers said Oblivion commonly infects victims through fake Google Play update prompts, abuses Android Accessibility Services to silently gain permissions, and can steal SMS messages, log keystrokes, and remotely control devices while displaying a fake system update screen. They also reported backend infrastructure designed to support more than 1,000 concurrent victims and operation over Tor for anonymity.
Certo reports commercial Android RAT 'Oblivion' sold by subscription
Certo disclosed a new Android remote access trojan called Oblivion that is marketed on the public web with subscription pricing starting around $300 per month and a higher-priced lifetime option. The report said the malware lowers the barrier for stalkers and cybercriminals by making phone compromise easy to operate at scale.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Telegram-Marketed Mobile RATs Sold as MaaS Target Android (and Claimed iOS) via Smishing and Surveillance Features
Researchers reported two **Telegram-marketed malware-as-a-service (MaaS)** offerings focused on mobile device compromise and surveillance. *ZeroDayRAT* is advertised as a subscription spyware platform claiming full monitoring of **Android and iOS** devices, with infections driven by **smishing** and other social-engineering lures that push victims to malicious links disguised as legitimate apps/updates; delivery chains reportedly use multi-stage redirects, URL shorteners, and in some cases trusted hosting such as *GitHub Pages* to evade reputation-based filtering. Once installed, the operator-facing web panel is advertised to provide extensive monitoring, including device profiling, app-usage timelines, GPS tracking, and remote activation of camera/microphone, plus screen recording and keystroke logging—capabilities consistent with credential theft and broad user surveillance. Separately, Cyble detailed ongoing development of *SURXRAT* (marketed as **SURXRAT V5**) as an Android RAT sold through a structured reseller/partner licensing model that enables affiliates to generate customized builds while the operator retains centralized control. The malware is described as a full-featured surveillance and device-control toolkit that abuses **Android Accessibility** permissions for persistent control and uses **Firebase-backed C2**; code similarities indicate lineage from **ArsinkRAT**. Recent samples were observed conditionally downloading a **large LLM module from Hugging Face**, which researchers assess as experimentation that could enable AI-assisted functionality, deliberate device performance impact, or new monetization approaches alongside established behaviors such as data exfiltration, remote command execution, and ransomware-style device locking.
Mar 21, 2026
Android RAT Campaigns Use CraxsRAT, Klopatra, and SpyNote to Hijack Devices
Multiple Android malware operations have been documented using remote access trojans to seize control of victims’ phones, steal sensitive data, and support financial fraud. Reporting on **CraxsRAT** describes a malware family built to give operators broad device access, while separate research identified **Klopatra**, an Android RAT disguised as the IPTV and VPN app **“Modpro IP TV + VPN,”** infecting more than 3,000 devices in Europe and enabling hidden remote control through a black-screen VNC feature. Klopatra also supports banking overlay attacks, gesture simulation, clipboard theft, keystroke capture, and screen monitoring, allowing attackers to conduct credential theft and fraudulent transactions while the device appears inactive. A third investigation found attackers targeting high-value individuals in South Asia with Android malware built on **SpyNote**, delivered through WhatsApp under multiple app names and tied to shared command-and-control infrastructure. That malware was designed to hide itself after installation and collect location data, contacts, SMS messages, call records, device information, files, screenshots, and keystrokes, particularly when accessibility permissions were granted. Across the reported cases, the malware showed strong evasion and persistence features, including obfuscation, anti-debugging, emulator detection, and attempts to disable security tools, underscoring how modern Android RATs are being adapted for espionage, credential theft, and banking abuse.
Jun 5, 2026
Multiple Remote Access Trojan Campaigns Target Windows and Android via Phishing, App Stores, and Social Platforms
Threat researchers reported several unrelated **RAT-focused malware campaigns** using different delivery channels and evasion techniques. **DEAD#VAX** was described as a Windows phishing operation that delivers **AsyncRAT** via purchase-order lures, abusing **IPFS-hosted VHD** files disguised as PDFs; the mounted VHD drops a multi-stage chain using **WSF**, heavily obfuscated batch scripts, and PowerShell loaders to decrypt and execute x64 shellcode **in memory** by injecting into trusted Windows processes, minimizing on-disk artifacts. Separately, analysis of **Pulsar RAT** activity described persistence via the per-user Run key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`), an obfuscated batch dropper in *AppData*, PowerShell-based staging, and **Donut-generated shellcode** injection into processes such as `explorer.exe`, with anti-analysis features and data theft (credentials, wallets, tokens) exfiltrated via **Discord webhooks**. On Android, two distinct campaigns were highlighted. **Anatsa** banking malware was found distributed through **Google Play** in a trojanized “document reader” app that exceeded **50,000 downloads** before detection; the initial app acts as a loader that retrieves the full banking trojan and supports credential theft and C2-driven actions, with reporting attributing discovery and tracking to **Zscaler ThreatLabz**. **Arsink RAT** was reported spreading primarily via **Telegram/Discord** and file-sharing sites (e.g., MediaFire) through fake “mod/pro” apps impersonating major brands; research attributed to **Zimperium** cited **~45,000** victim IPs across **143 countries**, **1,216** malicious APKs, and **317** Firebase Realtime Database C2 endpoints, with capabilities including SMS/OTP theft, call log and contact harvesting, location tracking, and microphone audio capture.
Mar 21, 2026