Oblivion RAT Android Spyware Disguises as Fake Play Store Updates

Marcus Rodriguez
March 23, 2026

Key Takeaways

  • A new Android Remote Access Trojan (RAT) named Oblivion RAT has emerged as a sophisticated malware-as-a-service (MaaS) offering.
  • The malware is distributed via fake Google Play Store update pages, tricking users into sideloading the malicious application.
  • Oblivion RAT exploits Android’s AccessibilityService to gain extensive, silent control over compromised devices, including access to sensitive data and financial applications.
  • The threat is actively sold on cybercrime forums, indicating a broad potential for widespread attacks.

Sophisticated Android Spyware Emerges: Oblivion RAT Leverages Fake Play Store Updates

A new and highly potent Android remote access trojan, dubbed Oblivion RAT, has been identified operating within cybercrime syndicates. This malware functions as a comprehensive malware-as-a-service (MaaS) platform, transforming deceptive Google Play Store update prompts into a full-fledged spyware operation capable of extensive device compromise.

Table of Contents

  • Key Takeaways
  • Sophisticated Android Spyware Emerges: Oblivion RAT Leverages Fake Play Store Updates
  • MaaS Offering and Distribution
  • Technical Deep Dive into the Infection Chain
  • AccessibilityService Hijacking
  • What You Should Do

Security researchers at Certo Software first documented this threat, highlighting its advanced and deployment-ready nature. The operation encompasses every stage of an attack, from initial dropper delivery to real-time command and control over infected devices. The detailed analysis is available in their report: “Oblivion RAT: Android Spyware Turns Fake Play Store Updates Into a Full-Service Android Spyware Operation”.

MaaS Offering and Distribution

Oblivion RAT is available for purchase on illicit online forums, with subscriptions ranging from $300 per month to a lifetime license priced at $2,200. The package provided to attackers includes a web-based APK builder for creating the malicious implant, a separate dropper builder that generates convincing fake Google Play update pages, and a command-and-control (C2) panel for managing compromised devices in real time.

Attackers primarily disseminate the dropper through social engineering tactics on messaging applications and dating platforms. Victims are lured into believing they are installing a legitimate and critical Google Play update, initiating the infection chain.

Technical Deep Dive into the Infection Chain

iVerify analysts meticulously investigated and reverse-engineered the entire infection process after acquiring samples of both the dropper and the RAT implant, along with access to its builder and C2 panel. Their findings reveal a highly organized platform, complete with built-in language options for English and Russian, suggesting a broad, multi-regional targeting strategy.

The dropper consistently uses the package pattern com.darkpurecore*, with com.oblivion.dropper.MainActivity serving as the primary launcher activity across all analyzed samples.

The infection unfolds in a two-stage process. The initial dropper APK contains a compressed RAT implant (payload.apk.xz) and three self-contained HTML pages. These pages are meticulously crafted to mimic a genuine Google Play update experience. The first page presents a progress bar alongside a fabricated security scan, displaying reassuring messages such as “No malicious code” and “Verified developer.” Following this, the second page displays a fake Play Store listing under the developer name “LLC Google,” complete with a 4.5-star rating and an “UPDATE” button that initiates the sideloading of the malicious payload.

The third and final deceptive page guides the victim through the process of enabling app installations from unknown sources, portraying it as a standard security procedure. Once these steps are completed, the second-stage implant silently installs and operates in the background, without any visible user interface. This grants the attacker extensive control over the compromised device, including access to SMS messages, logged keystrokes, financial application data, and even live screen sessions.

AccessibilityService Hijacking

A critical component of Oblivion RAT’s efficacy lies in its malicious exploitation of Android’s AccessibilityService. After the second-stage implant is installed, the malware requests AccessibilityService access through a pixel-perfect replica of Android’s legitimate Accessibility settings screen. Every element on this screen, including the title, section headers, and the “Enable” button, can be controlled and customized by the operator via the APK Builder.

Once the victim taps “Enable,” the implant completely hijacks the device’s interface. It then surreptitiously navigates Android’s Settings to auto-grant itself a wide array of dangerous permissions, such as SMS access, storage access, notification listener privileges, and device administrator rights. Crucially, this entire process occurs without displaying any prompts to the victim. A backend toggle, hide_permission_process, ensures this stealth by intercepting and automatically dismissing system dialogs before they become visible on screen.

With these elevated permissions, the attacker gains near-total control, enabling real-time VNC sessions with full touch input capabilities. They can log every keystroke, tagged by the application and timestamp, and intercept all SMS messages, including critical one-time passwords (OTPs) and two-factor authentication (2FA) tokens, before the victim even sees them. A “Wealth Assessment” feature integrated into the C2 panel further aids attackers by categorizing the victim’s installed applications into groups like Banks, Crypto, and Government services, allowing them to quickly identify and target the most valuable accounts.

What You Should Do

  • Download from Official Sources Only: Always download applications exclusively from the official Google Play Store. Avoid installing apps from third-party websites, untrusted links, or direct APK files.
  • Be Wary of Update Prompts: Exercise extreme caution with any prompts asking you to update apps outside the Google Play Store. Legitimate updates are typically handled automatically by the Play Store itself.
  • Scrutinize Accessibility Permissions: Never grant AccessibilityService permissions to unknown or suspicious applications. This permission is extremely powerful and can be abused to gain full control over your device.
  • Disable Unknown Sources: Ensure that the “Install unknown apps” or “Unknown sources” setting is disabled in your Android device’s security settings. Only enable it temporarily and for trusted sources if absolutely necessary, and disable it immediately afterward.
  • Educate Yourself: Stay informed about common social engineering tactics used by malware distributors, such as fake update notifications or enticing messages on dating apps.
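The indicators in this report (the com.darkpurecore* package prefix, an unexpected AccessibilityService and notification listener enabled for a sideloaded app, and the "Install unknown apps" setting left on) can all be checked from a device dump. The following is an added example written for this article, not code from the article, from Certo Software, or from iVerify. It assumes the output of four real adb commands (pm list packages -f, settings get secure enabled_accessibility_services, settings get secure enabled_notification_listeners, and appops get <pkg> REQUEST_INSTALL_PACKAGES) has been captured to text; the sample output, the allowlist, and every package name other than the com.darkpurecore prefix are constructed for illustration.

```python
"""Offline triage of an Android device dump for the indicators described above.

Added example, not from the article or the researchers it cites. Paste the
output of these adb commands into the SAMPLE_* values (constructed here):

  adb shell pm list packages -3 -f
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
  adb shell appops get <package> REQUEST_INSTALL_PACKAGES
"""
import re

# Dropper package prefix as reported in the article (com.darkpurecore*).
DROPPER_PREFIX = "com.darkpurecore"

# Constructed allowlist of packages expected to hold accessibility or
# notification-listener access on this device; maintain your own in practice.
ALLOWED_SERVICE_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.systemui",
}

# Constructed sample of `pm list packages -3 -f` (third-party packages only).
SAMPLE_PM_LIST = """\
package:/data/app/~~abc==/com.example.mail-1/base.apk=com.example.mail
package:/data/app/~~def==/com.darkpurecore.update-2/base.apk=com.darkpurecore.update
package:/data/app/~~ghi==/com.example.bank-1/base.apk=com.example.bank
"""

# Constructed sample of `settings get secure enabled_accessibility_services`
# (colon-separated package/class component names).
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.darkpurecore.update/com.darkpurecore.update.SysService"
)

# Constructed sample of `settings get secure enabled_notification_listeners`.
SAMPLE_LISTENERS = "com.darkpurecore.update/com.darkpurecore.update.NotifListener"

# Constructed samples of `appops get <pkg> REQUEST_INSTALL_PACKAGES`, keyed by package.
SAMPLE_APPOPS = {
    "com.example.browser": "REQUEST_INSTALL_PACKAGES: allow",
    "com.example.mail": "REQUEST_INSTALL_PACKAGES: default",
}


def parse_pm_list(text):
    """Return package names from `pm list packages -f` output (path=pkg per line)."""
    pkgs = []
    for line in text.splitlines():
        m = re.match(r"package:(.+)=([\w.]+)$", line.strip())
        if m:
            pkgs.append(m.group(2))
    return pkgs


def parse_components(value):
    """Split a colon-separated Settings.Secure component list into (pkg, cls) pairs.

    `settings get` prints the literal string "null" when the key is unset.
    """
    if not value or value.strip() == "null":
        return []
    out = []
    for comp in value.split(":"):
        pkg, _, cls = comp.partition("/")
        if pkg:
            out.append((pkg, cls))
    return out


def audit(pm_list, a11y, listeners, appops):
    """Return (severity, finding) tuples for the indicators in the report."""
    findings = []
    # 1. Dropper package prefix from the article.
    for pkg in parse_pm_list(pm_list):
        if pkg.startswith(DROPPER_PREFIX):
            findings.append(("high", f"package matches dropper IoC prefix: {pkg}"))
    # 2. AccessibilityService granted to something outside the allowlist.
    for pkg, cls in parse_components(a11y):
        if pkg not in ALLOWED_SERVICE_PACKAGES:
            findings.append(("high", f"unexpected accessibility service enabled: {pkg}/{cls}"))
    # 3. Notification listener (the RAT uses this to read OTPs) outside the allowlist.
    for pkg, cls in parse_components(listeners):
        if pkg not in ALLOWED_SERVICE_PACKAGES:
            findings.append(("medium", f"unexpected notification listener: {pkg}/{cls}"))
    # 4. "Install unknown apps" left allowed for a package (the article's advice is to disable it).
    for pkg, out in appops.items():
        m = re.search(r"REQUEST_INSTALL_PACKAGES:\s*(\w+)", out)
        if m and m.group(1) == "allow":
            findings.append(("medium", f"install-unknown-apps allowed for: {pkg}"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit(SAMPLE_PM_LIST, SAMPLE_A11Y, SAMPLE_LISTENERS, SAMPLE_APPOPS):
        print(f"[{severity}] {finding}")
```

The allowlist is the important design choice: the article's point is that a sideloaded app holding AccessibilityService is the pivot for everything else, so any package with that capability that you did not deliberately approve is a finding, regardless of whether its name matches a known indicator.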

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.