A new Android threat, dubbed Oblivion RAT, is being sold as a fully functional malware-as-a-service (MaaS) platform that uses fake Google Play Store update pages to deliver spyware. The operation, documented by security researchers, is a further example of ready-to-use attack kits being offered on underground cybercrime forums.
Oblivion RAT is marketed to prospective attackers at prices ranging from $300 per month to $2,200 for a lifetime license. The package includes an APK builder that produces the malicious implant, a dropper builder that generates the fake Google Play update pages, and a command-and-control (C2) panel for managing compromised devices in real time. Bundling all three lowers the barrier to entry for criminals who want to run mobile surveillance without writing any code of their own.
Oblivion RAT: A Full-Service Android Spyware Operation
The operation's polish and breadth of features have drawn attention from security analysts. The malware is distributed over messaging apps and dating platforms, where victims are tricked into installing what they believe is a legitimate Google Play update. Researchers at iVerify reverse-engineered the infection chain and obtained access to the builder and C2 panel, which confirmed the platform's capabilities.
The Oblivion RAT platform supports multiple languages, including English and Russian, indicating broad regional targeting. The dropper component uses a default package name pattern of `com.darkpurecore*` and a launcher activity named `com.oblivion.dropper.MainActivity`. As builder defaults these are useful hunting indicators, but defaults can be changed, so their absence does not clear a sample.
The Infection Chain: Deception and Stealth
The infection chain has two stages. The dropper APK bundles the RAT implant as an XZ-compressed file, `payload.apk.xz`, together with three self-contained HTML pages that imitate a genuine Google Play update flow and walk the victim through sideloading.
The first page shows a fake progress bar and a simulated security scan with reassuring messages such as "No malicious code" and "Verified developer", priming the user for the steps that follow. The second page presents a counterfeit Google Play Store listing, complete with a 4.5-star rating and the developer name "LLC Google". Its "UPDATE" button starts the sideloading of the implant.
The third page guides the victim through allowing installs from unknown sources, which on current Android versions means granting the dropper the per-app "Install unknown apps" permission, and frames the change as a routine security step. Once the victim completes these steps the dropper installs the second-stage implant, which runs in the background with no visible user interface and gives the operator extensive control over the device.
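The two-stage layout described above is easy to check for statically. The following Python is an added example, not code from the article, from iVerify or from the Oblivion RAT kit: it opens an APK as a zip, looks for an XZ-compressed entry named `payload.apk.xz`, confirms that the decompressed payload is itself an APK, and scans bundled HTML for the fake Play-update wording the article quotes. Two assumptions are not stated in the article and are marked in the code: the payload may sit in any directory of the APK, and the lure pages contain those quoted strings. The sample dropper is constructed inside the block so the example runs offline.

```python
"""Static triage for a dropper APK with the structure the article describes.

Added example; not code from the article, iVerify or the Oblivion RAT kit.
It opens an APK (a zip) and looks for an XZ-compressed second stage named
payload.apk.xz plus bundled HTML pages carrying the fake Play-update wording.
Assumptions not stated in the article: the payload may sit in any directory
of the APK, and the lure pages contain the strings quoted in the text.
"""
import io
import lzma
import zipfile

PAYLOAD_NAME = "payload.apk.xz"
# Wording quoted in the article from the fake Play pages; treating it as a
# signature is this example's assumption.
LURE_STRINGS = ("Verified developer", "No malicious code", "LLC Google", "UPDATE")
ZIP_MAGIC = b"PK\x03\x04"


def decompress_payload(blob: bytes):
    """Return the decompressed second stage, or None if it is not valid XZ/LZMA."""
    try:
        return lzma.decompress(blob)
    except lzma.LZMAError:
        return None


def triage_apk(apk_bytes: bytes) -> dict:
    """Inspect one APK given as bytes and report dropper indicators."""
    findings = {"payload_entries": [], "payload_is_apk": False,
                "nested_manifest": False, "lure_pages": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for name in outer.namelist():
            if name.rsplit("/", 1)[-1] == PAYLOAD_NAME:
                findings["payload_entries"].append(name)
                stage2 = decompress_payload(outer.read(name))
                # A real second stage is itself an APK, i.e. a zip with a manifest.
                if stage2 and stage2.startswith(ZIP_MAGIC):
                    findings["payload_is_apk"] = True
                    with zipfile.ZipFile(io.BytesIO(stage2)) as inner:
                        findings["nested_manifest"] = "AndroidManifest.xml" in inner.namelist()
            elif name.lower().endswith((".html", ".htm")):
                text = outer.read(name).decode("utf-8", errors="replace")
                hits = [s for s in LURE_STRINGS if s in text]
                if hits:
                    findings["lure_pages"].append((name, hits))
    return findings


def verdict(findings: dict) -> str:
    """Collapse the findings into a label a triage queue can sort on."""
    if findings["payload_is_apk"] and findings["lure_pages"]:
        return "dropper-with-fake-play-update"
    if findings["payload_entries"]:
        return "embedded-xz-payload"
    return "no-dropper-indicators"


def build_sample_dropper() -> bytes:
    """Constructed input for the example: a zip shaped like the described dropper.
    The inner 'APK' is a placeholder zip, not a real or malicious binary."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("assets/payload.apk.xz", lzma.compress(inner.getvalue()))
        z.writestr("assets/scan.html", "<p>No malicious code</p><p>Verified developer</p>")
        z.writestr("assets/listing.html", "<div>LLC Google</div><button>UPDATE</button>")
        z.writestr("assets/unknown_sources.html", "<p>Allow installs from this source</p>")
    return outer.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_sample_dropper())
    print(verdict(result), result)
```

On a real sample, pass the APK's bytes to `triage_apk`; the nested-manifest check matters because a benign app can also ship `.xz` assets, and it is the APK-inside-APK shape plus the lure pages that marks this family's dropper.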
Disabling Security Measures Through AccessibilityService Hijacking
The core of Oblivion RAT's capability is its abuse of Android's AccessibilityService. Once installed, the implant requests accessibility access through a pixel-perfect replica of the native Android Accessibility settings screen. Every element of that screen, including the title, section headers and the "Enable" button, is attacker-configurable through the APK builder.
Once the victim taps the fake "Enable" button and the accessibility grant goes through, the malware can read everything drawn on screen and inject taps. It uses that capability to navigate Android's Settings and click through the grants for SMS access, storage, the notification listener and device administrator rights. A backend toggle, `hide_permission_process`, conceals the sequence by dismissing each system dialog as soon as it appears, so the victim never has a chance to read or act on it.
With those permissions in place the operator can open a real-time VNC session with full touch control of the device, log every keystroke tagged with the source application and a timestamp, and intercept SMS messages, including one-time passcodes (OTPs) and two-factor authentication (2FA) codes, before they reach the victim's inbox. That last capability defeats SMS-based 2FA for banking logins and account recovery.
Oblivion RAT also includes a "Wealth Assessment" feature that sorts the victim's installed applications into sensitive groups such as Banks, Crypto and Government services, giving the operator a quick view of the most valuable accounts to target on the compromised device.
Android users should install apps only from the official Google Play Store; Google Play updates itself through the store and never asks a user to download an update APK from a chat message or web page. A request to grant accessibility access to an unfamiliar app should be declined, and a prompt to allow installs from unknown sources should be treated as a warning sign. Organizations should block unknown-source installs through device management policy and monitor managed devices for newly enabled accessibility services, device-administrator grants and notification-listener grants held by packages that are not on an approved list.
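The monitoring advice above, and the accessibility and device-admin grants described in the previous section, can be checked from the output of a few standard Android shell commands. The following Python is an added example, not code from the article, from iVerify or from any MDM product: it parses constructed sample output from `settings get secure enabled_accessibility_services`, `pm list packages -3`, `dumpsys device_policy`, `dumpsys package` and `appops get`, and flags enabled accessibility services outside an allowlist, device administrators in third-party packages, packages allowed to sideload, and the package-prefix and launcher-activity indicators quoted earlier. The allowlist and all sample output are assumptions marked in the code; because `dumpsys` layout varies across Android versions, components are extracted with a regex rather than by line position.

```python
"""Triage of a managed Android device's accessibility, device-admin and
sideloading state, parsed from `adb shell` output.

Added example; not code from the article, iVerify or any MDM product. The
commands named in the comments are real Android shell commands, but the
output below is constructed for this example, the dumpsys layout varies
across Android versions (hence component extraction by regex), and the
accessibility allowlist is an assumption to be replaced with the
organization's own.
"""
import re

# Allowlist assumption: TalkBack is the only approved accessibility service.
APPROVED_A11Y = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
# Indicators quoted in the article: the dropper's default package prefix and launcher activity.
DROPPER_PKG_PREFIX = "com.darkpurecore"
DROPPER_ACTIVITY = "com.oblivion.dropper.MainActivity"

# Constructed sample output (not from a real device), one string per command.
# adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
               "com.darkpurecore.updatesvc/com.darkpurecore.updatesvc.AccService")
# adb shell pm list packages -3
SAMPLE_THIRD_PARTY = "package:com.darkpurecore.updatesvc\npackage:com.example.bank\n"
# adb shell dumpsys device_policy   (trimmed to the admin component)
SAMPLE_DEVICE_POLICY = "  enabled_admins=[com.darkpurecore.updatesvc/com.darkpurecore.updatesvc.Admin]\n"
# adb shell dumpsys package com.darkpurecore.updatesvc   (trimmed to the MAIN/LAUNCHER entry)
SAMPLE_DUMPSYS_PKG = "      1a2b3c com.darkpurecore.updatesvc/com.oblivion.dropper.MainActivity filter 4d5e6f\n"
# adb shell appops get com.darkpurecore.updatesvc REQUEST_INSTALL_PACKAGES
SAMPLE_APPOPS = "REQUEST_INSTALL_PACKAGES: allow; time=+12m3s ago\n"

COMPONENT_RE = re.compile(r"\b([a-zA-Z_][\w.]*)/([\w.$]+)")


def parse_components(text: str) -> set:
    """Pull every pkg/Class component out of free-form dumpsys output."""
    return {f"{pkg}/{cls}" for pkg, cls in COMPONENT_RE.findall(text)}


def parse_enabled_a11y(text: str) -> list:
    """settings prints 'null' when nothing is enabled; otherwise a ':'-separated list."""
    text = text.strip()
    return [] if text in ("", "null") else [s for s in text.split(":") if s]


def parse_third_party(text: str) -> set:
    return {line.split(":", 1)[1].strip() for line in text.splitlines() if line.startswith("package:")}


def appop_allowed(text: str, op: str) -> bool:
    return any(line.strip().startswith(f"{op}: allow") for line in text.splitlines())


def triage(a11y, third_party, device_policy, dumpsys_pkg, appops, pkg) -> list:
    """Return (kind, detail) findings; an empty list means nothing suspicious."""
    findings = []
    third = parse_third_party(third_party)
    services = parse_enabled_a11y(a11y)
    # 1. Any enabled accessibility service outside the allowlist.
    for svc in services:
        if svc not in APPROVED_A11Y:
            findings.append(("unapproved_accessibility_service", svc))
    # 2. Device administrators living in third-party packages.
    for comp in sorted(parse_components(device_policy)):
        if comp.split("/", 1)[0] in third:
            findings.append(("third_party_device_admin", comp))
    # 3. The article's IOCs: package prefix and launcher activity.
    for comp in sorted(parse_components(dumpsys_pkg) | set(services)):
        if "/" not in comp:
            continue
        p, c = comp.split("/", 1)
        if p.startswith(DROPPER_PKG_PREFIX) or c == DROPPER_ACTIVITY:
            findings.append(("oblivion_ioc_match", comp))
    for p in sorted(third):
        if p.startswith(DROPPER_PKG_PREFIX):
            findings.append(("oblivion_ioc_match", p))
    # 4. A third-party package allowed to install other packages (sideloading).
    if pkg in third and appop_allowed(appops, "REQUEST_INSTALL_PACKAGES"):
        findings.append(("third_party_can_sideload", pkg))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_A11Y, SAMPLE_THIRD_PARTY, SAMPLE_DEVICE_POLICY,
                               SAMPLE_DUMPSYS_PKG, SAMPLE_APPOPS, "com.darkpurecore.updatesvc"):
        print(f"{kind}: {detail}")
```

In practice the allowlist check is the durable part: the package prefix and activity name are builder defaults that an operator can change, whereas an accessibility service or device administrator that the organization did not approve is suspicious regardless of the family behind it.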