CraxsRAT Powers Fake Android Apps and Mobile Banking Fraud
Group-IB reported that CraxsRAT is being used as a central malware platform in fake Android app campaigns tied to banking fraud. The malware is distributed through trojanized applications that impersonate legitimate services, allowing attackers to infect devices and gain extensive remote access. Once installed, CraxsRAT can support surveillance, credential theft, and device manipulation, giving operators the ability to harvest sensitive information from victims’ phones.
The activity highlights how mobile malware operators are combining social engineering with remote-access tooling to target financial accounts at scale. By embedding CraxsRAT in fraudulent apps, threat actors can bypass user trust, monitor victim activity, and facilitate unauthorized banking transactions, making the malware a key enabler of broader fake-app scam operations against Android users.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Group-IB publishes analysis of Craxs RAT malware
Group-IB published a blog post describing Craxs RAT as a tool used in fake app scams and banking fraud. No additional dated incident details are provided in the reference content.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Android RAT Campaigns Use CraxsRAT, Klopatra, and SpyNote to Hijack Devices
Multiple Android malware operations have been documented using remote access trojans to seize control of victims’ phones, steal sensitive data, and support financial fraud. Reporting on **CraxsRAT** describes a malware family built to give operators broad device access, while separate research identified **Klopatra**, an Android RAT disguised as the IPTV and VPN app **“Modpro IP TV + VPN,”** infecting more than 3,000 devices in Europe and enabling hidden remote control through a black-screen VNC feature. Klopatra also supports banking overlay attacks, gesture simulation, clipboard theft, keystroke capture, and screen monitoring, allowing attackers to conduct credential theft and fraudulent transactions while the device appears inactive. A third investigation found attackers targeting high-value individuals in South Asia with Android malware built on **SpyNote**, delivered through WhatsApp under multiple app names and tied to shared command-and-control infrastructure. That malware was designed to hide itself after installation and collect location data, contacts, SMS messages, call records, device information, files, screenshots, and keystrokes, particularly when accessibility permissions were granted. Across the reported cases, the malware showed strong evasion and persistence features, including obfuscation, anti-debugging, emulator detection, and attempts to disable security tools, underscoring how modern Android RATs are being adapted for espionage, credential theft, and banking abuse.
Jun 5, 2026
Four Android Banking Trojans Target 800+ Apps With MFA-Bypassing Overlays
Zimperium zLabs identified four Android malware families—**RecruitRat, SaferRat, Astrinox, and Massiv**—in active campaigns targeting users of more than **800 banking, cryptocurrency, and social media apps**. The malware is being spread through phishing sites, smishing messages, fake job application and streaming lures, counterfeit app-store pages, and bogus updates that trick victims into installing malicious APKs. Researchers said the campaigns rely heavily on overlay attacks, with fake login screens placed over legitimate apps to steal credentials; **RecruitRat** alone reportedly includes more than **700** fraudulent login pages. Once installed, the trojans abuse Android features including **Accessibility Services**, the **Session Installation API**, **MediaProjection**, overlays, and **WebView** to gain persistence, intercept SMS and one-time passwords, log keystrokes, enumerate apps, steal contacts, freeze screens, stream displays, and remotely control infected devices. The malware also uses anti-analysis techniques such as APK tampering, encrypted strings, reflection, dynamic DEX loading, and environment-aware execution, while command-and-control traffic is sent over HTTPS or WebSockets, with RecruitRat additionally using **RC4** encryption. Researchers warned the activity creates enterprise risk because infected employee devices can enable account takeover, bypass MFA, and expose corporate resources.
Apr 20, 2026
Commercial Android RATs Abuse Accessibility Services for Full Device Takeover
Two newly reported Android **Remote Access Trojans (RATs)**—**SURXRAT** and **Oblivion**—highlight a continued shift toward *commercialized, subscription-based mobile malware* that enables non-expert criminals to gain full control of victim devices and exfiltrate data. Both threats are positioned as scalable offerings (i.e., **Malware-as-a-Service**) with structured sales models and distribution support, lowering the barrier to entry for surveillance, credential theft, and account takeover. The reported infection chains rely heavily on **social engineering** to trick users into installing or activating malicious components, then escalating control by abusing **Android Accessibility Services** to bypass normal interaction and security boundaries. SURXRAT is described as modular and stealth-focused, distributed primarily via **Telegram** channels with tiered licensing/reseller options, and capable of broad data access (e.g., SMS, contacts, location, storage) once high-risk permissions are granted. Oblivion is marketed at roughly **$300/month** (with longer-term pricing tiers) and is delivered via **fake Google Play update** prompts; researchers reported capabilities including SMS theft for banking codes, keylogging, remote unlocking after reboot, and covert live screen viewing while a decoy “system updating” animation distracts the victim, with infrastructure reportedly able to manage **1,000+** concurrent victims (including via Tor).
Mar 21, 2026