New $300 Android RAT With Automated Permission Bypass and Hidden Remote Control

Cybersecurity News (original source: cybersecuritynews.com), by Blog Writer

A newly discovered Android Remote Access Trojan (RAT) named Oblivion is raising serious concerns across the mobile security community.

Sold on a public hacking forum for as little as $300 a month, this malware is built to silently take over Android devices without the victim ever knowing.

What makes Oblivion different from other underground RATs is how it combines multiple dangerous capabilities into one easy-to-deploy package.

It targets Android versions 8 through 16, covering nearly every Android device currently in active use. Attackers do not need advanced coding skills — the tool includes a point-and-click builder that handles everything from crafting a fake app to deploying it on a victim’s device.

Certo analysts identified the threat after reviewing a detailed seller post and a video demonstration published openly on a clear web hacking forum.

According to their review, the malware was reportedly tested in live environments for over four months before its public release, with no behavioral detections recorded during that period.

This level of pre-release preparation is uncommon for underground tools and signals a more deliberate development approach.

The malware follows a subscription model, with pricing ranging from $300 for one month to $2,200 for lifetime access. Buyers receive no access to the source code, keeping control firmly with the seller.

Once Oblivion lands on a device, the attacker can intercept SMS messages including two-factor authentication codes, read push notifications from banking apps, log every keystroke, manage files, remotely launch or uninstall apps, and automatically unlock the phone using a captured PIN.

This level of access gives an attacker near-complete ownership of the infected device.

The most technically significant feature of Oblivion is its Hidden VNC (HVNC) capability — a concealed remote session that runs entirely out of the victim’s view.

Standard VNC lets someone remotely view and control a device, but HVNC hides this session completely, leaving no visible trace on the victim’s screen.

While the victim’s screen displays a convincing “System updating…” animation, the attacker has full interactive control of the device in a hidden environment running behind it.

The fake system updating overlay (left) concealing the attacker’s active hijacked session (right) (Source – Certo)

This overlay is fully customizable and can be made to resemble a HyperOS update, an antivirus scan, or any routine loading screen that would not raise suspicion.

Getting the malware onto a device relies on a Dropper Builder that generates a fake Google Play update prompt. Here the tool lets attackers customize the fake app name, icon, and delivery screen.

Customising an app with the Dropper Builder (Source – Certo)

Victims are presented with an “Update Required” notification and guided step-by-step into enabling installation from unknown sources — a social engineering technique that works because it looks completely routine.

Once installed, Oblivion automatically bypasses Android’s Accessibility Service permissions without any action from the victim.

This works across major custom Android interfaces including Samsung One UI, Xiaomi MIUI/HyperOS, OPPO ColorOS, Honor MagicOS, and OnePlus OxygenOS.

The malware gaining full control of the device (Source – Certo)

Google has spent years tightening Accessibility Service restrictions across Android versions, which makes a tool that bypasses those protections on Android 16 a genuinely significant development.

Oblivion also includes a Screen Reader mode that gets past the black-screen protections banking apps and crypto wallets use to block screen capture — directly undermining one of the most relied-upon safeguards in financial applications.

To reduce the risk of infection, users should only install apps directly through the Google Play Store and avoid sideloading APK files from any outside source.

Any unexpected pop-up requesting an update installation from outside the Play Store should be treated with immediate suspicion, as legitimate Android updates are never delivered this way.

Checking Settings > Accessibility regularly and removing permissions from unfamiliar apps is a practical step everyone should take.

If a device unexpectedly freezes on a loading or system update screen after installing an outside app, powering it off and running a security scan right away is the safest response.
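The two recommendations above that a practitioner can actually automate are the review of enabled accessibility services and the suspicion of anything installed from outside the Play Store. The script below is an added example written for this article, not code from Certo or the article’s author. It assumes `adb` is on the path and the device has USB debugging enabled, reads the same three values a person would check by hand (`settings get secure enabled_accessibility_services`, `pm list packages -3`, `pm list packages -i`), and flags any user-installed package that both holds an enabled accessibility service and was not recorded as installed by a trusted store. The package names, sample command output and the `TRUSTED_INSTALLERS` set are constructed for illustration.

```python
from __future__ import annotations

import re
import shutil
import subprocess

# Installer packages treated as trusted. com.android.vending is Google Play;
# an enterprise store or MDM agent would be added here (assumption for this example).
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Parse the value of `settings get secure enabled_accessibility_services`.

    The setting is a colon-separated list of package/ServiceClass entries;
    an empty value or the literal 'null' means no service is enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):  # shorthand: class name relative to the package
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_package_list(raw: str) -> set[str]:
    """Parse `pm list packages` style output (lines of `package:<name>`)."""
    pkgs = set()
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            name = line[len("package:"):].split()
            if name:
                pkgs.add(name[0])
    return pkgs


def parse_installers(raw: str) -> dict[str, str]:
    """Parse `pm list packages -i` output into {package: installer}."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def find_risky_services(services, third_party, installers):
    """Report every enabled accessibility service owned by a user-installed
    (third-party) package, and whether that package was sideloaded, i.e. its
    recorded installer is not a trusted store (pm reports 'null' for many
    sideloads). Preinstalled services such as TalkBack are skipped because
    they never appear in the third-party list."""
    findings = []
    for pkg, cls in services:
        if pkg not in third_party:
            continue
        installer = installers.get(pkg, "unknown")
        findings.append({
            "package": pkg,
            "service": cls,
            "installer": installer,
            "sideloaded": installer not in TRUSTED_INSTALLERS,
        })
    return findings


# Constructed sample output (not captured from a real device) in the shape the
# three adb commands return. com.example.sysupdate stands in for a dropper-delivered
# app that has talked the user into enabling its accessibility service.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate/.UpdateService"
)
SAMPLE_THIRD_PARTY = "package:com.example.sysupdate\npackage:com.example.bank\n"
SAMPLE_INSTALLERS = (
    "package:com.google.android.marvin.talkback  installer=null\n"
    "package:com.example.sysupdate  installer=null\n"
    "package:com.example.bank  installer=com.android.vending\n"
)


def demo_findings():
    """Run the audit logic over the constructed sample."""
    return find_risky_services(
        parse_enabled_services(SAMPLE_SERVICES),
        parse_package_list(SAMPLE_THIRD_PARTY),
        parse_installers(SAMPLE_INSTALLERS),
    )


def adb_shell(*args: str) -> str:
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


def audit_connected_device():
    """Same audit against a device attached over adb with USB debugging enabled."""
    return find_risky_services(
        parse_enabled_services(adb_shell("settings", "get", "secure",
                                         "enabled_accessibility_services")),
        parse_package_list(adb_shell("pm", "list", "packages", "-3")),
        parse_installers(adb_shell("pm", "list", "packages", "-i")),
    )


if __name__ == "__main__":
    findings = audit_connected_device() if shutil.which("adb") else demo_findings()
    for f in findings:
        flag = "SIDELOADED" if f["sideloaded"] else "store-installed"
        print(f"{flag}: {f['package']} -> {f['service']} (installer={f['installer']})")
```

On the sample data the only finding is `com.example.sysupdate`, whose service is enabled and whose installer is `null`; TalkBack is skipped as a system package and the Play-installed banking app has no accessibility service enabled. A store-installed hit is still worth a look, since the installer field only records who delivered the APK, not whether the app should need accessibility access.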
