Mar 21, 2026

Extended Rapid Response: Zimperium’s Zero-Day Coverage of Oblivion RAT

Recent research published by iVerify highlights Oblivion RAT, a new and highly sophisticated Android remote access trojan (RAT) being sold as a Malware-as-a-Service (MaaS) platform. Operating on a subscription model, Oblivion RAT provides threat actors with a production-ready toolkit, including a web-based APK builder and a dropper generator that creates convincing, multi-stage social engineering lures.

Oblivion RAT employs a two-stage infection model designed to avoid raising user suspicion: it presents pixel-perfect replicas of Google Play update pages and of Android's own Accessibility Service settings screen. Once a victim is lured into enabling Accessibility Services for the implant, it uses that privilege to programmatically grant itself the dangerous permissions it needs (SMS access, notification listening and device administration among them) while intercepting and dismissing the corresponding system dialogs so the user never sees them.

Beyond its deceptive UI, the malware uses anti-analysis tricks such as "fake ZIP encryption" (a technique we blogged about in the past). By setting the encryption bit in the ZIP entry headers of the APK without actually encrypting the entries, it causes standard analysis tools such as jadx or apktool to fail, reporting that the files are encrypted and require a password, even though the package still installs and runs normally. Once active, the RAT provides operators with full VNC remote control, keylogging, and a "Wealth Assessment" feature that automatically categorizes installed financial and cryptocurrency apps to prioritize high-value targets.
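To make the trick concrete, here is an added Python example written for this post; it is not code from the iVerify report, from Oblivion RAT or from Zimperium's tooling, and its function names and sample content are assumptions. It builds a constructed two-entry ZIP standing in for an APK, sets the encryption bit (bit 0 of the general purpose flag) in both the local file header and the central directory of every entry without encrypting anything, shows that the standard library's zipfile then refuses to read the entries just as jadx and apktool do, detects the fake by inflating the raw payload and checking it against the stored CRC (a genuinely ZipCrypto-protected entry would not pass that check), and clears the bit so ordinary tooling works again.

```python
import io
import struct
import zipfile
import zlib

ENCRYPTED = 0x0001            # general purpose bit flag, bit 0: "entry is encrypted"
EOCD_SIG = b"PK\x05\x06"      # end of central directory record
CD_SIG = b"PK\x01\x02"        # central directory file header
LFH_SIG = b"PK\x03\x04"       # local file header

# Constructed sample content; a real APK would carry a full manifest and DEX.
MANIFEST = b"<manifest package='com.example.app'/>" * 4
DEX = b"dex\n035\x00" + bytes(range(64)) * 2


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a small deflated ZIP, not a real Android package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", MANIFEST)
        zf.writestr("classes.dex", DEX)
    return buf.getvalue()


def central_directory(data: bytes):
    """Walk the central directory starting from the EOCD record.

    Yields (cd_offset, lh_offset, name, flags, method, crc, csize) for each entry.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_entries, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(n_entries):
        if data[pos:pos + 4] != CD_SIG:
            raise ValueError("bad central directory entry at offset %d" % pos)
        (_vmade, _vneed, flags, method, _t, _d, crc, csize, _usize,
         nlen, xlen, clen, _disk, _iattr, _eattr, lh_off) = struct.unpack_from(
            "<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        yield pos, lh_off, name, flags, method, crc, csize
        pos += 46 + nlen + xlen + clen


def entry_payload(data: bytes, lh_off: int, csize: int) -> bytes:
    """Return the stored bytes of an entry, located via its local file header."""
    if data[lh_off:lh_off + 4] != LFH_SIG:
        raise ValueError("bad local file header at offset %d" % lh_off)
    nlen, xlen = struct.unpack_from("<HH", data, lh_off + 26)
    start = lh_off + 30 + nlen + xlen
    return data[start:start + csize]


def _flip_flag(data: bytearray, lh_off: int, cd_off: int, set_bit: bool) -> None:
    """Set or clear the encryption bit in both headers of one entry."""
    for off in (lh_off + 6, cd_off + 8):          # flags sit at +6 (LFH) and +8 (CD)
        flags = struct.unpack_from("<H", data, off)[0]
        flags = flags | ENCRYPTED if set_bit else flags & ~ENCRYPTED
        struct.pack_into("<H", data, off, flags)


def apply_fake_encryption(data: bytes) -> bytes:
    """Mark every entry 'encrypted' without encrypting anything (the evasion trick)."""
    out = bytearray(data)
    for cd_off, lh_off, *_ in central_directory(data):
        _flip_flag(out, lh_off, cd_off, set_bit=True)
    return bytes(out)


def fake_encrypted_entries(data: bytes) -> list:
    """Names of entries whose encryption bit is set but whose payload is plainly readable.

    Real ZipCrypto prepends a 12-byte header and XORs the stream, so the raw payload
    will not inflate to the stored CRC; a flag-only fake will.
    """
    found = []
    for _cd_off, lh_off, name, flags, method, crc, csize in central_directory(data):
        if not flags & ENCRYPTED:
            continue
        raw = entry_payload(data, lh_off, csize)
        try:
            if method == 8:                       # deflate
                plain = zlib.decompress(raw, -15)
            elif method == 0:                     # stored
                plain = raw
            else:
                continue                          # unknown method: make no claim
        except zlib.error:
            continue                              # genuinely scrambled: leave it alone
        if zlib.crc32(plain) == crc:
            found.append(name)
    return found


def strip_fake_encryption(data: bytes) -> bytes:
    """Clear the bogus encryption bit so ordinary ZIP tooling can read the archive again."""
    fake = set(fake_encrypted_entries(data))
    out = bytearray(data)
    for cd_off, lh_off, name, *_ in central_directory(data):
        if name in fake:
            _flip_flag(out, lh_off, cd_off, set_bit=False)
    return bytes(out)


def tooling_rejects(data: bytes) -> bool:
    """True if the stdlib zipfile refuses classes.dex, i.e. treats it as password-protected."""
    try:
        zipfile.ZipFile(io.BytesIO(data)).read("classes.dex")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    original = build_sample_apk()
    tampered = apply_fake_encryption(original)
    print("tampered sample rejected by zipfile:", tooling_rejects(tampered))
    print("fake-encrypted entries:", fake_encrypted_entries(tampered))
    repaired = strip_fake_encryption(tampered)
    print("repaired sample rejected by zipfile:", tooling_rejects(repaired))
```

The tell is an entry flagged as encrypted whose raw payload nonetheless inflates to the stored CRC. Pointing the same walk at a real APK only requires replacing the sample bytes with the file contents; entries that fail to inflate are left untouched, so an archive that really uses ZipCrypto is not modified.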

Mobile Threat Detection (MTD) and Mobile Runtime Protection (zDefend) customers are fully protected against this threat. Our Zimperium zLabs researchers analyzed the campaign and confirmed that Zimperium’s on-device dynamic detection engine provides 100% zero-day coverage against Oblivion RAT.

In addition to the samples documented in the initial industry report, Zimperium’s advanced threat telemetry identified 45 additional new samples of Oblivion RAT. These newly discovered variants currently show very low industry coverage among traditional signature-based antivirus engines, indicating that the operators are actively diversifying their builds to evade detection.

While Oblivion RAT is marketed for individual compromise, its capabilities pose a severe risk to enterprise environments. A tool that can intercept two-factor authentication (2FA) codes via SMS, capture every keystroke, and provide real-time remote access can easily be leveraged to bypass corporate security controls and gain unauthorized access to sensitive business applications.

As mobile threats move toward MaaS models with automated builders that churn out fresh variants on demand, organizations cannot rely on static signatures alone. Behavioral, on-device detection is the only way to stay ahead of fast-moving threats like Oblivion RAT, whose builds are designed to change the moment they are analyzed.

The indicators of compromise discovered by zLabs can be found in this GitHub repository.