Threat Research

Detecting Oblivion Android RAT: Accessibility Abuse, OTP Interception, and Mobile Threat Behavior


Overview


Oblivion is an Android Remote Access Trojan (RAT) advertised on underground forums as a comprehensive mobile surveillance and fraud toolkit. The malware is promoted with capabilities ranging from remote device interaction to credential theft and persistent access.

This analysis correlates actor-provided claims with behavior observed from a captured sample. While several core functionalities—such as Accessibility Service abuse, SMS interception, and persistent execution—were validated during controlled testing, other advanced capabilities remain inferred from actor descriptions and may depend on operator usage or configuration.

Analysis Scope & Methodology

This research is based on:

  • Actor advertisements and feature listings from underground forums
  • Static analysis and limited dynamic execution of a captured APK sample
  • Behavioral observation of permission usage and runtime activity

Capabilities discussed in this report are categorized as:

  • Observed – directly validated during analysis
  • Inferred – supported by artifacts but not fully executed
  • Claimed – based solely on actor-provided descriptions

Actor Advertisement & Ecosystem

The threat actor began advertising Oblivion RAT on underground forums in February, offering subscription-based access:

  • 1 Month – $300
  • 3 Months – $700
  • 6 Months – $1300
  • 1 Year – $1900
  • Lifetime – $2200

The listing positions the malware as a fully featured Android RAT designed for financial fraud, credential harvesting, and persistent surveillance.


Figure : Underground forum post advertising Oblivion RAT, including pricing tiers and feature highlights.

Advertised Capabilities (Actor Claims)

According to the forum listing, the malware is advertised to support:

  • Hidden remote interaction (marketed as “HVNC-like”)
  • Automated permission granting
  • Real-time interception of SMS, OTPs, and notifications
  • Keylogging and credential harvesting
  • Persistent access with resistance to removal

These capabilities reflect actor claims and were not all independently validated during analysis.

We observed the same post advertised on other forums as well.

The actor’s profile was created on the above forums in February, and a post advertising the sale of this RAT was made on February 20.

Execution Flow

The observed execution chain combines social engineering with system-level abuse:

  1. User is presented with a fake update prompt
  2. Application requests Accessibility Service permissions
  3. Accessibility is leveraged to automate UI interactions
  4. Malware initializes configuration
  5. Background services establish persistence
  6. Device begins communication with C2 infrastructure

Figure : Fake Google Play update interface used to trigger user interaction and initiate permission abuse.

Observed Capabilities (Validated Behavior)

1. Accessibility Service Abuse

The malware heavily relies on Accessibility Services to:

  • Interact with UI elements programmatically
  • Monitor on-screen content
  • Simulate user gestures

This enables automation of user actions and facilitates further permission abuse.


Figure : Accessibility Service permissions granted to the application, enabling UI interaction and monitoring capabilities.

2. SMS and Notification Interception

The sample demonstrates access to:

  • SMS messages
  • One-time passwords (OTPs)
  • Authentication-related communications

This behavior aligns with use cases such as banking fraud and account takeover.

Figure : Permissions enabling access to SMS data, supporting interception of authentication messages.


3. Input Monitoring (Keylogging-like Behavior)

Through Accessibility capabilities such as canRequestFilterKeyEvents, the malware can:

  • Monitor user input events
  • Capture sensitive credentials under certain conditions

This behavior is consistent with credential harvesting workflows.


Figure : Permissions enabling Keystroke Interception, Screen Capture and System-wide Surveillance

4. Persistence Mechanisms

The malware maintains execution using a combination of:

  • RECEIVE_BOOT_COMPLETED – restart after reboot
  • FOREGROUND_SERVICE – reduce likelihood of termination
  • WAKE_LOCK – sustain execution

These mechanisms enable long-term presence on the device.

5. Social Engineering & Defense Evasion

The malware uses deceptive interfaces to build user trust and mask malicious activity.


Figure : Fake security verification interface designed to reassure users while malicious activity occurs in the background.

6. Remote Interaction Capabilities

The actor advertises “HVNC-like” functionality. However, analysis indicates this is implemented through:

  • Accessibility-driven UI interaction
  • Screen monitoring and potential screen capture

Rather than true hidden virtual desktop environments, this approach enables interaction within the active user session.


Figure : Remote view of the infected device displaying a fake system update screen, likely used to mask attacker activity.

7. Permission Automation & Internal Logic

The malware appears to coordinate permission handling using internal signaling mechanisms, likely implemented via BroadcastReceiver-like components.

These mechanisms:

  • Track system dialog states
  • Trigger automated UI interactions via Accessibility


Figure : Evidence of internal event-driven logic used to coordinate permission interaction workflows.

This behavior suggests automation of user interaction rather than true privilege escalation.

Oblivion RAT uses a custom BroadcastReceiver to coordinate its permission abuse via internal events such as DEFAULT_SMS_DIALOG_VISIBLE and DEFAULT_SMS_RESULT. These signals track the state of the SMS role prompt and trigger Accessibility-based automation to interact with system dialogs silently. This event-driven approach improves stealth and reliability by coordinating components without any user involvement.

8. Configuration Initialization


Figure : Configuration Initialization and Enabling Stealth mode

Oblivion RAT attempts to load its configuration from an embedded resource (config.json), indicating the use of externalized and potentially obfuscated settings. If loading fails, it dynamically generates a fallback configuration containing C2 server details (host/port) and operational parameters such as stealth mode and notification behavior. This redundancy ensures the malware remains functional even when the primary configuration is unavailable. Such design reflects resilience and flexibility in maintaining command-and-control communication.

9. Command-and-Control (C2)

The malware loads configuration from an embedded resource (config.json). If unavailable, fallback configuration is generated dynamically.

Observed Characteristics

  • Configuration stored in Base64-encoded format (not encrypted)
  • Contains:
    • C2 server: 89.125.48.159:8888
    • Token identifier (prefix: OBL_)
    • Application mode and landing URL

The “webview” mode suggests potential for:

  • Phishing content delivery
  • Dynamic payload loading


Figure : Decoded configuration revealing C2 infrastructure and operational parameters.

Network protocol behavior (e.g., encryption or transport security) was not fully validated.
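An analyst-side decoder for the configuration format described in sections 8 and 9 (Base64-encoded, unencrypted JSON carrying the C2 host/port, an OBL_-prefixed token, the application mode, a landing URL and stealth settings), added here as an example and not code from the report or the malware. The JSON field names are assumptions, the blob is constructed, and the C2 value is the one listed in the report's IOCs.

```python
import base64
import json

# Constructed stand-in for the embedded config.json (field names are assumptions; the real
# sample's schema is not documented). The C2 value is the one listed in the report's IOCs.
SAMPLE_CONFIG_B64 = base64.b64encode(json.dumps({
    "host": "89.125.48.159", "port": 8888, "token": "OBL_0123abcd",
    "mode": "webview", "landing_url": "https://update-check.invalid/verify",
    "stealth": True, "hide_notifications": True,
}).encode()).decode()

KNOWN_C2 = {"89.125.48.159:8888"}  # taken from the report's IOC list


def decode_config(blob: str):
    """Base64 -> JSON dict. The config is encoded, not encrypted, so decoding is all that is
    needed; returns None when the blob does not decode to a JSON object."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4))  # tolerate stripped padding
        cfg = json.loads(raw)
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError all subclass it
        return None
    return cfg if isinstance(cfg, dict) else None


def triage_config(cfg: dict) -> dict:
    """Pull out the operator-relevant fields and match the endpoint against known IOCs."""
    endpoint = f"{cfg.get('host')}:{cfg.get('port')}"
    return {
        "c2": endpoint,
        "known_c2": endpoint in KNOWN_C2,
        "oblivion_token": str(cfg.get("token", "")).startswith("OBL_"),
        "webview_mode": cfg.get("mode") == "webview",  # phishing / dynamic content delivery
        "landing_url": cfg.get("landing_url"),
        "stealth": bool(cfg.get("stealth")),
    }
```

In practice the blob is pulled from the APK's embedded resource rather than built inline as here.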

Indicators of Compromise (IOCs)

File Hashes (SHA-256)

SHA-256                                                           Filename
69a81fe8b53c1f5fa37363e32a2ed867a0c808776bdae155fc118c2de94a321a  Yandex.Archive.apk
d60d067c1239ec7db222ec18f7b8e20d85dd29ca5e8d4ddd86c55047374c3c48  payload.apk
fecf484b0fb268b1a6867057769a3e805abfc0b506cd022d37e0e50a9401714e  payload.apk

IP Address

C2 Server
89[.]125[.]48[.]159:8888

How Gurucul Helps Detect and Mitigate Oblivion Android RAT

Gurucul’s Unified Security and Risk Analytics platform combines SIEM, User and Entity Behavior Analytics (UEBA), and AI-driven detection models to identify multi-stage mobile threats such as Oblivion RAT. By correlating telemetry across devices, users, and network activity, Gurucul enables early detection of Accessibility abuse, credential interception workflows, and command-and-control communication.

SIEM-Driven Telemetry Correlation

Gurucul SIEM ingests and correlates telemetry from multiple sources, including:

  • Mobile device management (MDM) / EMM logs
  • Application activity and permission changes
  • Network traffic and DNS logs
  • Identity and access events

For threats like Oblivion RAT, SIEM enables detection of:

  • Installation of suspicious or sideloaded applications
  • Applications requesting high-risk permissions (Accessibility, SMS, overlay)
  • Correlation between permission changes and subsequent anomalous behavior
  • Network connections to known or suspicious external infrastructure

By centralizing these signals, SIEM provides end-to-end visibility across the attack lifecycle.

Behavioral Detection with UEBA

Oblivion RAT relies heavily on abnormal user-device interactions rather than traditional exploits. Gurucul UEBA baselines normal behavior and detects deviations such as:

  • Unauthorized use of Accessibility Services by non-assistive applications
  • Rapid or automated interaction with system dialogs (permission granting patterns)
  • Unusual combinations of permissions (Accessibility + SMS + foreground execution)
  • Continuous background or foreground service activity without user context
  • Abnormal interaction patterns indicative of scripted or automated behavior

These deviations generate behavioral risk signals, helping identify compromised devices even when malware is previously unknown.

AI-Driven Threat Detection Models

Gurucul leverages machine learning and AI models to detect complex attack patterns that may not be visible through rules alone. For Oblivion RAT–like behavior, AI models help identify:

  • Sequential patterns such as:
    • App installation → Accessibility enablement → SMS access → network communication
  • Correlation between data access (OTP/SMS) and outbound traffic
  • Anomalous interaction frequency inconsistent with human usage patterns
  • Behavioral clustering of suspicious applications across multiple devices

These models enhance detection of low-and-slow or stealthy activity that may bypass traditional controls.
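A worked version of the sequence detection described above (install, Accessibility enablement, SMS access, then network communication) together with the SMS-to-outbound-traffic temporal correlation noted in the network detection section, added here as an example and not Gurucul's own detection logic. The telemetry lines, the event names, the package names and the time windows are constructed assumptions; the C2 endpoint is the one from the report's IOCs.

```python
from datetime import datetime, timedelta

# The ordered chain the report describes: install -> Accessibility enabled -> SMS access -> C2 traffic.
STAGES = ["app_install", "accessibility_enabled", "sms_read", "net_connect"]

# Constructed device/MDM telemetry (not real logs): timestamp device package event detail.
SAMPLE_EVENTS = """\
2024-03-01T10:00:02Z dev-01 com.example.fakeupdate app_install sideload
2024-03-01T10:00:40Z dev-01 com.example.fakeupdate accessibility_enabled -
2024-03-01T10:01:05Z dev-01 com.example.fakeupdate sms_read otp
2024-03-01T10:01:09Z dev-01 com.example.fakeupdate net_connect 89.125.48.159:8888
2024-03-01T11:00:00Z dev-02 com.vendor.reader app_install store
2024-03-01T13:30:00Z dev-02 com.vendor.reader accessibility_enabled -
"""


def parse_events(text):
    """Return (timestamp, device, package, event, detail) tuples, oldest first."""
    rows = [line.split(" ", 4) for line in text.splitlines() if line.strip()]
    return sorted((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), dev, pkg, ev, detail)
                  for ts, dev, pkg, ev, detail in rows)


def detect_chains(events, window=timedelta(minutes=10)):
    """Per (device, package): how far the STAGES chain is completed, in order, within `window`
    of the install. Apps that reach at least the Accessibility step are reported."""
    by_app = {}
    for ts, dev, pkg, ev, _ in events:
        by_app.setdefault((dev, pkg), []).append((ts, ev))
    findings = []
    for (dev, pkg), seq in by_app.items():
        reached, start = [], None
        for ts, ev in seq:
            if ev == STAGES[0]:  # a (re)install restarts the chain
                reached, start = [ev], ts
            elif (reached and len(reached) < len(STAGES)
                  and ev == STAGES[len(reached)] and ts - start <= window):
                reached.append(ev)
        if len(reached) >= 2:
            findings.append((dev, pkg, reached))
    return findings


def otp_to_network(events, gap=timedelta(seconds=30)):
    """Temporal correlation: SMS/OTP access followed by outbound traffic from the same app within `gap`."""
    hits = []
    for ts, dev, pkg, ev, detail in events:
        if ev == "net_connect" and any(
                e[1] == dev and e[2] == pkg and e[3] == "sms_read"
                and timedelta(0) <= ts - e[0] <= gap for e in events):
            hits.append((dev, pkg, detail))
    return hits
```

The legitimate reader app on dev-02 enables Accessibility hours after install and never touches SMS or the network, so it falls outside the window and is not reported.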

MITRE ATT&CK Alignment

Gurucul detection logic aligns with MITRE ATT&CK Mobile techniques observed in Oblivion RAT:

  • Initial Access – Social engineering via fake update interfaces
  • Execution – Malicious app deployment
  • Privilege Abuse – Accessibility Service exploitation (T1626)
  • Credential Access – Input capture and SMS interception (T1417, T1409)
  • Defense Evasion – Abuse of legitimate OS features
  • Command and Control – Application-layer communication (T1437)

This alignment enables security teams to map detections to attacker behavior and validate defensive coverage.

Network and Command-and-Control Detection

By correlating SIEM and UEBA data with network telemetry, Gurucul detects:

  • Outbound communication to suspicious infrastructure (e.g., 89.125.48.159:8888)
  • Repeated beaconing or anomalous traffic patterns
  • Applications generating network traffic inconsistent with declared functionality
  • Temporal correlation between sensitive data access and network activity

This provides visibility into active compromise and potential data exfiltration.

Risk-Based Alerting and Investigation

Gurucul aggregates weak signals across:

  • Application and device behavior
  • Permission abuse patterns
  • Accessibility usage
  • Network communication
  • Identity and session context

These signals are combined into a dynamic risk score, enabling:

  • Prioritization of high-risk devices and users
  • Context-rich alerts instead of isolated events
  • Faster investigation and response with reduced alert fatigue

Conclusion

Oblivion RAT highlights how modern mobile threats leverage legitimate platform features, social engineering, and behavioral evasion to bypass traditional security controls.

By combining SIEM-based telemetry correlation, UEBA-driven behavioral analytics, and AI-powered detection models, Gurucul enables early identification and mitigation of such threats—reducing the risk of credential compromise, financial fraud, and persistent device-level access.

Contributors:


Abhishek Samdole

Pandurang Terkar

Rudra Pratap
