Oblivion RAT Masquerades as Play Store Update to Spy on Android Users

A newly discovered Android remote access trojan (RAT) called Oblivion RAT is raising concerns across the mobile threat landscape.

Marketed as a malware-as-a-service (MaaS) platform, it is sold on cybercrime forums with subscription plans starting at $300 per month.

Unlike typical mobile malware, Oblivion RAT comes with a web-based APK builder, a dropper generator, and a real-time command-and-control (C2) panel.

First highlighted by Certo Software, the operation stands out for its polished ecosystem, offering attackers a complete toolkit that simplifies deployment, infection, and control of compromised devices.

Researchers who analyzed the platform obtained working samples and accessed its infrastructure, revealing a highly organized and production-ready threat.

Multi-Stage Infection Chain

Oblivion RAT relies on a two-stage infection process designed to trick users into sideloading malicious apps. The attack begins with a dropper APK, usually distributed through messaging apps or social engineering campaigns, including dating platforms.

The dropper contains a compressed payload and three fake HTML pages that mimic the Google Play Store update process. These pages are fully self-contained and use inline elements to avoid detection.

Fake download completion with security scan( Source : Certo).
Fake download completion with security scan( Source : Certo).

The first screen simulates a download completion with a reassuring “security scan,” displaying messages like “No malicious code” and “Verified developer.” The second page imitates a Play Store listing with a fake developer name and a prominent “Update” button.

Once clicked, it triggers Android’s installation permissions. The final page walks users through enabling sideloading, presenting it as a standard and safe procedure.

This layered deception increases the likelihood that users will grant permissions without suspicion.

The second stage of the implant is when Oblivion RAT becomes fully operational. Built through the platform’s APK generator, it can run in stealth mode or display a decoy web page while executing malicious actions in the background.

The third page walks the victim through enabling sideloading with numbered steps, “Allow from this source” toggle, and a blue info box stating this is “a standard procedure to protect your device.”

Sideloading enablement walkthrough (Source : Certo).
Sideloading enablement walkthrough (Source : Certo).

The malware heavily abuses Android Accessibility Service, a feature intended to assist users with disabilities. Oblivion RAT generates a convincing replica of the Accessibility settings page, allowing attackers to trick victims into granting full control over the device interface.

Once enabled, the malware silently grants itself critical permissions, including access to SMS, storage, notifications, and device administration. It can also suppress system prompts entirely, ensuring victims remain unaware of the escalation.

Fake Accessibility settings page(Source : Certo).
Fake Accessibility settings page(Source : Certo).

Despite its advanced delivery and control mechanisms, Oblivion RAT uses relatively simple anti-analysis techniques.

One notable trick involves marking its internal files as “encrypted” to confuse common reverse engineering tools. In reality, the data is not encrypted, allowing researchers to extract it manually.

The malware’s configuration is stored in base64 format without strong encryption. This exposes critical details such as the C2 server address (89.125.48.159:8888), authentication tokens, and user interface text used in phishing screens.

Full Device Takeover

Once connected to its C2 server over self-signed TLS, Oblivion RAT provides attackers with extensive control. Features include:

  • Real-time screen viewing and touch control via VNC.
  • Keylogging of all user interactions.
  • Full SMS access, including interception of OTP and 2FA codes.
  • Ability to send messages from the victim’s number.
Real-time VNC session interface (Source : Certo).
Real-time VNC session interface (Source : Certo).

One standout feature is “Wealth Assessment,” which scans installed apps and categorizes them into banking, cryptocurrency, finance, and government services. This allows attackers to identify high-value targets and prioritize exploitation quickly.

Oblivion RAT reflects a broader trend of increasingly professional MaaS platforms that lower the barrier to entry for cybercriminals.

As sideloading and social engineering effective attack vectors, users and organizations must remain cautious about app installations outside official stores and be aware of permission abuse tactics targeting Android’s accessibility features.

With built-in automation, polished interfaces, and flexible pricing, such tools enable even low-skilled actors to launch sophisticated mobile attacks.

Indicators of Compromise

Indicator Type Notes
89.125.48.159 C2 IP Port 8888, self-signed TLS (CN=OblivionServer), AS 213702 (NL)
185.90.61.49 Panel IP Observed in C2 panel session
83.168.108.45 Secondary IP Port 443, AS 35179 (PL)
83.168.108.85 Secondary IP Port 443, AS 35179 (PL)
oblvn.sbs Panel Domain C2 panel and builder interface
fecf484b0fb268b1a6867057769a3e805abfc0b506cd022d37e0e50a9401714e RAT Payload Hash payload.apk (com.oblivion.client), VT: 14/67
d60d067c1239ec7db222ec18f7b8e20d85dd29ca5e8d4ddd86c55047374c3c48 RAT Payload Hash payload.apk (com.mail.ru), VT: 9/65
69a81fe8b53c1f5fa37363e32a2ed867a0c808776bdae155fc118c2de94a321a Dropper Hash Yandex.Archive.apk (com.yandexxxx.update), VT: 5/66

Related Articles

Back to top button