A newly discovered Android remote access trojan known as Oblivion RAT has emerged on cybercrime networks as a complete malware-as-a-service (MaaS) platform, turning fake Google Play Store update pages into a full-scale spyware operation.
First reported by Certo Software, the threat has drawn attention because of how polished and ready-to-deploy the operation is, covering everything from dropper delivery to real-time device control.
Oblivion RAT is sold on underground forums at $300 per month, with longer tiers going up to $2,200 for a lifetime license.
The package includes a web-based APK builder for the implant, a separate dropper builder that generates fake Google Play update pages, and a command-and-control (C2) panel for live device management.
Attackers distribute the dropper through messaging apps and dating platforms, tricking victims into believing they are installing a legitimate Google Play update.
iVerify analysts identified the malware and reverse-engineered its full infection chain after obtaining samples of both the dropper and the RAT implant, gaining access to the builder and C2 panel.
Researchers noted the platform is well-structured, with built-in language presets supporting English and Russian, confirming the operation targets victims across multiple regions.
The dropper defaults to the package pattern com.darkpurecore*, with com.oblivion.dropper.MainActivity as the launcher activity across all observed samples.
The infection follows a two-stage model. The dropper APK carries a compressed RAT implant (payload.apk.xz) and three self-contained HTML pages that simulate a real Google Play update flow.
The first page displays a progress bar and a phony security scan showing messages such as “No malicious code” and “Verified developer.”
The second page presents a fake Play Store listing under the developer name “LLC Google,” with a 4.5-star rating and an UPDATE button that triggers the sideloading process.
The third page walks the victim through enabling app installation from unknown sources, framing it as a routine security step.
Once the victim follows these steps, the second-stage implant quietly takes over the device and runs in the background with no visible interface.
The impact is severe — the attacker gains near-total control over the compromised device, with access to SMS messages, keystrokes, financial app data, and live screen sessions.
AccessibilityService Hijacking
The most dangerous part of Oblivion’s attack is how it abuses Android’s AccessibilityService to silently seize full device control.
After the second-stage implant is installed, the malware requests AccessibilityService access through a pixel-perfect replica of Android’s Accessibility settings screen.
Every element on this screen — the title, section headers, and the Enable button — is operator-controlled through the APK Builder.
Once the victim taps Enable, the implant takes over the device’s interface entirely. It navigates Android’s Settings to silently auto-grant itself every dangerous permission, including SMS access, storage, notification listener, and device admin rights, without showing the victim a single prompt.
A backend toggle called hide_permission_process makes this entirely invisible by intercepting and auto-dismissing system dialogs before they appear on screen.
With full control, the operator can open real-time VNC sessions with complete touch input, log every keystroke tagged by app and timestamp, and intercept all SMS messages — including OTP codes and 2FA tokens — before they reach the victim.
A built-in “Wealth Assessment” feature sorts the victim’s installed apps into categories like Banks, Crypto, and Government services, giving the attacker a quick view of the most valuable accounts to target.
Android users should only download apps from the official Google Play Store and immediately turn down any request to grant accessibility permissions to unknown apps.
Any prompt asking to enable sideloading outside the Play Store should be treated as a red flag. Organizations should enforce device management policies that restrict installations from unknown sources and monitor for suspicious AccessibilityService activity.
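As an added illustration of the monitoring advice above (example code written for this article, not part of the original report or any vendor tool), the script below triages the output of two `adb shell` commands, `settings get secure enabled_accessibility_services` and `pm list packages`, for the indicators described here: the com.darkpurecore* package prefix and an accessibility service enabled for a package outside a trusted allowlist. The sample strings, the allowlist, and the service name ".SvcPlaceholder" are constructed assumptions.

```python
"""Flag Oblivion-style indicators in Android device settings output.

The two raw inputs mirror what `adb shell` returns:
  - enabled_accessibility_services: "pkg/service:pkg/service" (or "null")
  - pm list packages: one "package:<name>" per line
"""

# Package prefix the report observed for the dropper.
DROPPER_PREFIX = "com.darkpurecore"

# Assumption: packages legitimately allowed to hold accessibility access on a
# managed fleet. Adjust per organisation.
TRUSTED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}

# Constructed sample data standing in for real device output.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.darkpurecore.sample/.SvcPlaceholder"
)
SAMPLE_PACKAGES = (
    "package:com.android.chrome\n"
    "package:com.darkpurecore.sample\n"
    "package:com.google.android.marvin.talkback\n"
)


def parse_accessibility_services(raw: str) -> list[str]:
    """Split the colon-separated setting into 'pkg/service' entries."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [entry for entry in raw.split(":") if entry]


def parse_package_list(raw: str) -> list[str]:
    """Extract package names from `pm list packages` output."""
    return [
        line.split(":", 1)[1].strip()
        for line in raw.splitlines()
        if line.startswith("package:")
    ]


def triage(services_raw: str, packages_raw: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    for pkg in parse_package_list(packages_raw):
        if pkg.startswith(DROPPER_PREFIX):
            findings.append(f"dropper-like package name: {pkg}")
    for entry in parse_accessibility_services(services_raw):
        pkg = entry.split("/", 1)[0]
        if pkg not in TRUSTED_ACCESSIBILITY:
            findings.append(f"untrusted accessibility service enabled: {entry}")
    return findings
```

Run it against real output by piping the two `adb shell` results into `triage()`; any non-empty result warrants a closer look at the named package.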