Xiaomi, Google and Oppo: Oblivion malware quietly hijacks your Android device while bypassing top security, letting anyone control phones with little effort


New Android RAT "Oblivion" Bypasses Security Protections, Grants Full Device Control

Security researchers at Certo have identified Oblivion, a sophisticated Android Remote Access Trojan (RAT) targeting devices running Android 8 through 16. Sold on a subscription basis starting at $300, the malware is designed to evade detection and grant attackers persistent control over infected devices.

Oblivion is marketed as compatible with heavily customized Android systems from manufacturers like Samsung, Xiaomi, and Oppo. Its package includes a builder tool, allowing buyers to generate malicious apps with custom names and icons, alongside a dropper that mimics legitimate update prompts. Infection typically occurs when users install apps from unofficial sources, though the malware’s polished interface suggests careful refinement to enhance credibility.

A key feature of Oblivion is its abuse of Android’s Accessibility Service, a feature intended to assist users with disabilities, to bypass manual permission approvals. Once active, the malware can silently intercept SMS messages, two-factor authentication (2FA) codes, and push notifications, while also logging keystrokes in real time. Attackers gain remote control capabilities, including the ability to launch or remove apps, unlock devices using stolen credentials, and interact with the device through concealed sessions, all while displaying fake overlays to deceive the user.

The malware employs anti-removal mechanisms to block attempts to revoke permissions or uninstall it, and its icon suppression further conceals its presence. Despite Google’s efforts to restrict Accessibility Service abuse, Oblivion reportedly bypasses protections even on the latest Android versions, highlighting persistent gaps in platform-level defenses.

Unlike traditional malware relying on technical exploits, Oblivion’s effectiveness stems from social engineering and automation. Its subscription-based model lowers the barrier for attackers, enabling even those with minimal expertise to gain control over devices, exfiltrate sensitive data, and manipulate apps remotely. The emergence of such tools underscores the growing threat posed by commercially available malware and the challenges in detecting evolving attack methods.
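Because the malware's capabilities hinge on holding an enabled Accessibility Service, the most direct defender check is to audit which packages currently have one. The script below is an added example, not code from the Rankiteo post or from Certo's research; it parses the value of Android's real `enabled_accessibility_services` secure setting (the string returned by `adb shell settings get secure enabled_accessibility_services`) and flags any package outside an allowlist. The allowlist and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Rankiteo post or Certo's research): audit which apps
# currently hold an enabled Accessibility Service on an Android device and flag any
# package outside an allowlist. Input is the value of the real Android secure setting
# "enabled_accessibility_services", whose format is
# "pkg/serviceClass:pkg2/serviceClass2" (or "null" when nothing is enabled).
# ALLOWED_PKGS is a constructed allowlist; replace it with the accessibility tools
# your organisation actually approves.

ALLOWED_PKGS="com.google.android.marvin.talkback com.android.systemui"

# flag_unexpected_services RAW
#   Prints one package name per line for every enabled accessibility service whose
#   package is not in ALLOWED_PKGS. Returns 0 when nothing unexpected was found,
#   1 otherwise, so it can gate a triage script.
flag_unexpected_services() {
    raw="$1"
    found=0
    # "null" means no service is enabled; treat it like an empty list.
    [ "$raw" = "null" ] && raw=""
    old_ifs="$IFS"
    IFS=':'
    # Split the colon-separated list into the function's positional parameters.
    set -- $raw
    IFS="$old_ifs"
    for entry in "$@"; do
        [ -z "$entry" ] && continue
        pkg="${entry%%/*}"          # package name is everything before the first '/'
        allowed=0
        for a in $ALLOWED_PKGS; do
            [ "$a" = "$pkg" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "$pkg"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample resembling the setting's value on a device where a disguised
# "updater" app has been granted accessibility access alongside TalkBack.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.updater/com.example.updater.A11yService'

if flag_unexpected_services "$SAMPLE" >/dev/null; then
    echo "no unexpected accessibility services"
else
    echo "unexpected accessibility services present; review under Settings > Accessibility"
fi
```

On a real device, pass the output of `adb shell settings get secure enabled_accessibility_services` to the function. The allowlist has to be tuned per fleet, since legitimate screen readers and enterprise management tools also appear in that setting; the point of the check is to make an unfamiliar package holding this privilege stand out during triage.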

Source: https://www.techradar.com/pro/security/i-smell-a-rat-new-android-malware-can-hack-every-top-phone-makers-security-and-costs-less-than-a-second-hand-iphone

OPPO India cybersecurity rating report: https://www.rankiteo.com/company/oppo-india

Xiaomi Technology cybersecurity rating report: https://www.rankiteo.com/company/xiaomi-technology

Android cybersecurity rating report: https://www.rankiteo.com/company/android_by_google

{
"id": "OPPXIAAND1772310272",
"linkid": "oppo-india, xiaomi-technology, android_by_google",
"type": "Cyber Attack",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Consumer technology (Android users)',
                        'location': 'Global (targets devices from '
                                    'manufacturers like Samsung, Xiaomi, Oppo)',
                        'type': 'Mobile devices'}],
 'attack_vector': ['Malicious app installation from unofficial sources',
                   'Social engineering (fake update prompts)'],
 'data_breach': {'data_exfiltration': 'Yes (remote control enables data '
                                      'exfiltration)',
                 'personally_identifiable_information': 'Yes (credentials, 2FA '
                                                        'codes, SMS content)',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information, authentication '
                                        'credentials)',
                 'type_of_data_compromised': ['SMS messages',
                                              '2FA codes',
                                              'Push notifications',
                                              'Keystrokes',
                                              'Device credentials']},
 'description': 'Security researchers at Certo have identified *Oblivion*, a '
                'sophisticated Android Remote Access Trojan (RAT) targeting '
                'devices running Android 8 through 16. Sold on a subscription '
                'basis starting at $300, the malware is designed to evade '
                'detection and grant attackers persistent control over '
                'infected devices. Oblivion abuses Android’s Accessibility '
                'Service to bypass manual permission approvals, intercept SMS '
                'messages, 2FA codes, and push notifications, log keystrokes, '
                'and enable remote control of the device while displaying fake '
                'overlays to deceive users.',
 'impact': {'data_compromised': ['SMS messages',
                                 'Two-factor authentication (2FA) codes',
                                 'Push notifications',
                                 'Keystrokes',
                                 'Device credentials'],
            'identity_theft_risk': 'High (due to interception of 2FA codes and '
                                   'credentials)',
            'operational_impact': 'Persistent remote control of infected '
                                  'devices, ability to launch/remove apps, '
                                  'unlock devices, and manipulate apps '
                                  'remotely',
            'systems_affected': 'Android devices (versions 8 through 16)'},
 'initial_access_broker': {'backdoors_established': 'Persistent remote access '
                                                    'via Accessibility Service '
                                                    'abuse',
                           'entry_point': 'Malicious apps distributed via '
                                          'unofficial sources'},
 'investigation_status': 'Ongoing (researchers have identified the malware; '
                         'further investigation likely in progress)',
 'lessons_learned': 'The emergence of subscription-based malware like Oblivion '
                    'lowers the barrier for attackers with minimal expertise, '
                    'highlighting the need for improved platform-level '
                    'defenses against Accessibility Service abuse and enhanced '
                    'user awareness about installing apps from unofficial '
                    'sources.',
 'motivation': ['Financial gain (subscription-based malware sales)',
                'Data exfiltration',
                'Remote device control'],
 'post_incident_analysis': {'corrective_actions': ['Strengthen Android’s '
                                                   'Accessibility Service '
                                                   'restrictions',
                                                   'Improve detection of '
                                                   'malicious apps abusing '
                                                   'legitimate features',
                                                   'Enhance user education on '
                                                   'risks of unofficial app '
                                                   'sources',
                                                   'Develop automated tools to '
                                                   'detect and block '
                                                   'Accessibility Service '
                                                   'abuse'],
                            'root_causes': ['Abuse of Android’s Accessibility '
                                            'Service (a legitimate feature '
                                            'intended for accessibility)',
                                            'Social engineering (fake update '
                                            'prompts and polished malicious '
                                            'apps)',
                                            'Lack of sufficient platform-level '
                                            'protections against Accessibility '
                                            'Service misuse',
                                            'User installation of apps from '
                                            'unofficial sources']},
 'recommendations': ['Avoid installing apps from unofficial sources',
                     'Review and restrict Accessibility Service permissions',
                     'Monitor for unusual device behavior (e.g., fake '
                     'overlays, unexpected app activity)',
                     'Implement additional security layers for 2FA and '
                     'sensitive transactions',
                     'Android platform providers should strengthen protections '
                     'against Accessibility Service abuse'],
 'references': [{'source': 'Certo Security Research'}],
 'response': {'third_party_assistance': 'Certo (security researchers)'},
 'title': "New Android RAT 'Oblivion' Bypasses Security Protections, Grants "
          'Full Device Control',
 'type': 'Malware (Remote Access Trojan - RAT)',
 'vulnerability_exploited': 'Abuse of Android’s Accessibility Service'}