A new Android Remote Access Trojan (RAT) named Oblivion is posing a significant threat to mobile security. This sophisticated malware, available for as little as $300 per month, allows attackers to gain silent control over Android devices without user awareness.
According to Certo analysts, Oblivion targets Android versions 8 through 16, covering the vast majority of active devices. Its user-friendly, point-and-click builder eliminates the need for advanced coding skills, streamlining the creation and deployment of malicious applications.
Hidden Remote Control: Oblivion’s Stealthy Operation
The most alarming feature of Oblivion is its Hidden VNC (HVNC) capability. This mechanism allows attackers to establish a completely concealed remote control session, operating entirely out of the victim’s view. While the victim sees a seemingly innocuous “System updating…” animation on their screen, the attacker maintains full interactive control of the device in a hidden environment.
This illusion is achieved through a customizable overlay screen, which can be designed to mimic legitimate system updates, antivirus scans, or any other routine loading screen, effectively deflecting suspicion. The deception is made more effective by the malware’s deployment method.
Oblivion utilizes a Dropper Builder that generates fake app installers, often disguised as Google Play updates. Attackers can customize the fake app’s name, icon, and the entire delivery interface. Victims are prompted with an “Update Required” notification, which guides them through enabling installations from unknown sources, a social engineering tactic that preys on the user’s familiarity with update processes.
A critical advancement in Oblivion is its ability to automatically bypass Android’s Accessibility Service permissions without any user interaction. This bypass functions across major custom Android interfaces, including Samsung One UI, Xiaomi MIUI/HyperOS, OPPO ColorOS, Honor MagicOS, and OnePlus OxygenOS. This capability is particularly significant given Google’s ongoing efforts to strengthen Accessibility Service restrictions, particularly the restrictions affecting Android 16.
Furthermore, Oblivion includes a Screen Reader mode designed to circumvent the black-screen protections implemented by banking apps and crypto wallets to prevent screen capture. This directly undermines a key security measure designed to protect sensitive financial transactions.
Certo analysts identified Oblivion after reviewing detailed seller information and a video demonstration posted on a public hacking forum. The report indicates that the malware underwent over four months of testing in live environments prior to its public release, with no behavioral detections recorded during this period, suggesting a highly sophisticated and deliberate development process for this Android RAT.
The malware operates on a subscription basis, with pricing tiered from $300 for a one-month subscription to $2,200 for lifetime access. Buyers do not receive access to the source code, maintaining centralized control with the seller. Upon successful infection, an attacker can intercept SMS messages, including two-factor authentication codes, read push notifications from banking applications, log all keystrokes, manage files, remotely launch or uninstall applications, and even unlock the phone using captured PINs, granting near-complete control of the infected device.
To mitigate the risk of infection, users should exclusively install applications directly through the Google Play Store and avoid sideloading APK files from any external sources. Any unexpected pop-up requesting an update installation from outside the Play Store should be treated with extreme caution, as legitimate Android updates are not distributed in this manner.
Regularly checking device settings for Accessibility permissions and revoking access for any unfamiliar applications is a recommended proactive security measure. In the event of an unexpected device freeze that presents a loading or system update screen after installing an app from an untrusted source, the safest immediate response is to power off the device and conduct a thorough security scan.
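The Accessibility check recommended above can be scripted for triage. The following is an added example, not code from the article or from Certo: it parses the raw output of two standard adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags enabled Accessibility Services whose app was not installed by Google Play, the pattern a sideloaded “update” dropper leaves behind. The sample outputs and package names below are constructed.

```python
# Added example, not from the article or the Certo report: offline triage of two adb
# outputs to flag enabled Accessibility Services whose app was not installed by Google Play.
# All sample output below is constructed; the package names are made up.

# adb shell settings get secure enabled_accessibility_services
# -> colon-separated ComponentName strings "pkg/cls" (".Cls" shorthand allowed)
ENABLED_ACCESSIBILITY = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                         "com.example.sysupdate/.UpdateAccessibilityService")

# adb shell pm list packages -i
# -> one line per app: "package:<name>  installer=<installer package or null>"
PM_LIST_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sysupdate  installer=com.google.android.packageinstaller
package:com.example.bank  installer=com.android.vending
"""

PLAY_STORE = "com.android.vending"


def parse_installers(pm_output):
    """Map package name -> installer package (None when adb prints 'null')."""
    installers = {}
    for line in pm_output.splitlines():
        if not line.startswith("package:"):
            continue
        pkg_part, _, inst_part = line.partition("installer=")
        inst = inst_part.strip()
        installers[pkg_part[len("package:"):].strip()] = None if inst in ("", "null") else inst
    return installers


def parse_enabled_services(setting):
    """Split the secure setting into (package, service class) pairs, expanding '.Cls' shorthand."""
    services = []
    for component in filter(None, setting.split(":")):
        pkg, _, cls = component.partition("/")
        services.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return services


def suspicious_accessibility_services(setting, pm_output):
    """Enabled services whose app did not come from Play. Preinstalled services show
    installer=null and will also be listed, so compare against a known-good baseline."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_enabled_services(setting):
        installer = installers.get(pkg)
        if installer != PLAY_STORE:
            findings.append({"package": pkg, "service": cls, "installer": installer})
    return findings
```

Run the two adb commands against the device and pass their raw output to `suspicious_accessibility_services()`; a finding that matches a recently sideloaded “update” app is the situation the article describes, and the remedy is to revoke the service and remove the app.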

