Oblivion RAT Masquerades as Play Store Update to Spy on Android Users
A newly discovered Android remote access trojan (RAT) called Oblivion RAT is raising concerns across the mobile threat landscape.
Marketed as a malware-as-a-service (MaaS) platform, it is sold on cybercrime forums with subscription plans starting at $300 per month.
Unlike typical mobile malware, Oblivion RAT comes with a web-based APK builder, a dropper generator, and a real-time command-and-control (C2) panel.
First highlighted by Certo Software, the operation stands out for its polished ecosystem, offering attackers a complete toolkit that simplifies deployment, infection, and control of compromised devices.
Researchers who analyzed the platform obtained working samples and accessed its infrastructure, revealing a highly organized and production-ready threat.
Multi-Stage Infection Chain
Oblivion RAT relies on a two-stage infection process designed to trick users into sideloading malicious apps. The attack begins with a dropper APK, usually distributed through messaging apps or social engineering campaigns, including dating platforms.
The dropper contains a compressed payload and three fake HTML pages that mimic the Google Play Store update process. These pages are fully self-contained and use inline elements to avoid detection.

The first screen simulates a download completion with a reassuring “security scan,” displaying messages like “No malicious code” and “Verified developer.” The second page imitates a Play Store listing with a fake developer name and a prominent “Update” button.
Once clicked, it triggers Android’s installation permissions. The final page walks users through enabling sideloading, presenting it as a standard and safe procedure.
This layered deception increases the likelihood that users will grant permissions without suspicion.
The second stage of the implant is when Oblivion RAT becomes fully operational. Built through the platform’s APK generator, it can run in stealth mode or display a decoy web page while executing malicious actions in the background.
The third page walks the victim through enabling sideloading with numbered steps, “Allow from this source” toggle, and a blue info box stating this is “a standard procedure to protect your device.”

The malware heavily abuses Android Accessibility Service, a feature intended to assist users with disabilities. Oblivion RAT generates a convincing replica of the Accessibility settings page, allowing attackers to trick victims into granting full control over the device interface.
Once enabled, the malware silently grants itself critical permissions, including access to SMS, storage, notifications, and device administration. It can also suppress system prompts entirely, ensuring victims remain unaware of the escalation.

Despite its advanced delivery and control mechanisms, Oblivion RAT uses relatively simple anti-analysis techniques.
One notable trick involves marking its internal files as “encrypted” to confuse common reverse engineering tools. In reality, the data is not encrypted, allowing researchers to extract it manually.
The malware’s configuration is stored in base64 format without strong encryption. This exposes critical details such as the C2 server address (89.125.48.159:8888), authentication tokens, and user interface text used in phishing screens.
Full Device Takeover
Once connected to its C2 server over self-signed TLS, Oblivion RAT provides attackers with extensive control. Features include:
- Real-time screen viewing and touch control via VNC.
- Keylogging of all user interactions.
- Full SMS access, including interception of OTP and 2FA codes.
- Ability to send messages from the victim’s number.

One standout feature is “Wealth Assessment,” which scans installed apps and categorizes them into banking, cryptocurrency, finance, and government services. This allows attackers to identify high-value targets and prioritize exploitation quickly.
Oblivion RAT reflects a broader trend of increasingly professional MaaS platforms that lower the barrier to entry for cybercriminals.
As sideloading and social engineering effective attack vectors, users and organizations must remain cautious about app installations outside official stores and be aware of permission abuse tactics targeting Android’s accessibility features.
With built-in automation, polished interfaces, and flexible pricing, such tools enable even low-skilled actors to launch sophisticated mobile attacks.
Indicators of Compromise
| Indicator | Type | Notes |
|---|---|---|
| 89.125.48.159 | C2 IP | Port 8888, self-signed TLS (CN=OblivionServer), AS 213702 (NL) |
| 185.90.61.49 | Panel IP | Observed in C2 panel session |
| 83.168.108.45 | Secondary IP | Port 443, AS 35179 (PL) |
| 83.168.108.85 | Secondary IP | Port 443, AS 35179 (PL) |
| oblvn.sbs | Panel Domain | C2 panel and builder interface |
| fecf484b0fb268b1a6867057769a3e805abfc0b506cd022d37e0e50a9401714e | RAT Payload Hash | payload.apk (com.oblivion.client), VT: 14/67 |
| d60d067c1239ec7db222ec18f7b8e20d85dd29ca5e8d4ddd86c55047374c3c48 | RAT Payload Hash | payload.apk (com.mail.ru), VT: 9/65 |
| 69a81fe8b53c1f5fa37363e32a2ed867a0c808776bdae155fc118c2de94a321a | Dropper Hash | Yandex.Archive.apk (com.yandexxxx.update), VT: 5/66 |