
SURXRAT is an Android-based Remote Access Trojan (RAT) operating under a Malware-as-a-Service (MaaS) model and distributed primarily through Telegram channels. The malware provides operators with full remote control over infected devices, enabling surveillance, data exfiltration, and device manipulation.
The Indonesian threat actor (TA) maintains a Telegram channel used to promote, update, and distribute the malware to resellers and partners. The channel was established on September 30, 2024, indicating that the development and operational activity related to the malware likely began in early 2025.
The following sections validate the threat actor’s advertised capabilities through reverse engineering of the application code.

SURXRAT is marketed via Telegram channels offering tiered MaaS subscriptions (e.g., reseller and partner access). The ecosystem includes automated purchase mechanisms via Telegram bots, enabling account provisioning and payment processing with minimal operator interaction. This reflects a mature commercialization model designed for scalability.

The above screenshot contains the information of the Surxrat ready plans, detailing the Reseller and Partner options. The Reseller plan costs 200k and offers benefits such as a daily account limit of 3, free server upgrades, the ability to create and sell SurxRAT accounts at market price, permanent access, and anti-PT PT protection with a one-time payment. The Partner plan costs 500k and includes a higher daily account limit of 10, the same server and account creation benefits, permanent access, anti-PT PT protection, and the ability to open reseller accounts.

The above screenshot contains the information that Surxrat can be purchased directly through the bot, with a fully automated payment and account creation process using QR payment. The price is listed as 55k, and customers who order via the bot are instructed to send a message to be added to the Surxrat Indonesia customer group. It also provides the official Surxrat Indonesia channel.

The screenshot shows how a user can buy Surxrat through a Telegram bot in a simple way. First, the bot displays the user’s account details, such as ID, balance, and transaction history. Then, it shows the price of Surxrat and the benefits, like full lifetime access, free updates, and priority support. After that, the user can choose how to pay, either by using their existing balance (“Buy with Balance”) or by making a new payment using QR’S (“Buy Now Using QR’S”). There is also an option to view the full list of features before buying. This process makes purchasing quick and easy directly inside Telegram.

The main features of the Surxrat tool fall into two parts: data monitoring and device control. On the data side, it can access information such as SMS, contacts, call logs, location, installed apps, notifications, WiFi history, and files from the target device. On the control side, it allows the operator to remotely perform actions such as unlocking or locking the phone, making calls, sending notifications, opening websites, turning on the flashlight, changing the wallpaper, playing audio, and even deleting files. It also includes extra features such as taking photos, custom wallpapers, and anti-uninstall protection. Overall, it gives full remote access to and control over the target device from a single platform.


The threat actor claims future iOS support; however, no technical evidence currently validates this capability. Given iOS sandbox restrictions, such functionality would likely require jailbreak or alternative delivery mechanisms.

Reverse engineering of Sms3Activity reveals a persistent Firebase listener initialized via addChildEventListener(), enabling near real-time synchronization with the ‘sms’ node. The activity continuously processes incoming DataSnapshot objects, parsing message content and metadata into structured lists for operator-side rendering.

The application iterates over all entries within the Firebase “sms” node using a DataSnapshot iterator, systematically extracting each record and storing it into an in-memory list structure. This approach enables the malware to aggregate large volumes of intercepted SMS data in a single operation, rather than processing messages individually.

This RAT silently enumerates the files reachable through the storage permissions it has been granted and exfiltrates them from the victim's device by uploading them to a Firebase-backed remote hosting service. This gives the attacker immediate access to sensitive documents, photos, and personal data without the victim's knowledge or consent, a severe privacy violation and a potential identity theft risk.

The code initializes a Firebase Realtime Database instance and references a node explicitly labeled “PhotoRAT”, indicating a dedicated channel for image-based data exfiltration. The use of HashMap and ArrayList structures suggests organized storage of multiple records, likely containing captured screenshots or user media along with associated metadata. By leveraging Firebase as a backend, the malware avoids reliance on traditional C2 infrastructure, instead abusing a trusted cloud service to store and retrieve stolen visual data in a scalable and stealthy manner.

If storage permissions are not already granted, SURXRAT explicitly requests them before proceeding, effectively placing its core functionality behind user approval. Once obtained, these permissions are abused to access sensitive user files including photos, documents, and cached data which can then be harvested and exfiltrated to Firebase-backed infrastructure.

SURXRAT leverages Firebase-backed infrastructure as part of its data exfiltration mechanism. This indicates that stolen data is transmitted to a cloud-hosted backend, allowing operators to remotely collect and manage victim information in real time. By abusing a legitimate and widely trusted platform like Firebase, SURXRAT blends its traffic with normal application behavior, making network-based detection significantly more challenging.
This approach also provides attackers with scalability and flexibility, as Firebase enables centralized data storage, simplified access control, and rapid infrastructure changes without requiring modifications to the malware itself.

The presence of ‘ArsinkRAT’ strings suggests possible code reuse; however, without structural or functional overlap analysis, this attribution remains low-confidence. Building on this foundation, the threat actor appears to have introduced enhancements and additional capabilities. This reflects a broader trend of repurposing existing Android RAT frameworks to accelerate development and extend malicious functionality.
| Capability (Advertised) | Observed in Code | Assessment |
| --- | --- | --- |
| SMS Access | Yes (Sms3Activity, Firebase sync) | ✅ Confirmed |
| File Exfiltration | Yes (storage enumeration + upload) | ✅ Confirmed |
| Image Capture | Yes (PhotoRAT node) | ✅ Confirmed |
| Full Device Control | Partial evidence | ⚠️ Partially Confirmed |
| iOS Support | No evidence | ❌ Unverified |
Reverse engineering confirms that SURXRAT implements core surveillance and exfiltration capabilities advertised by the threat actor, particularly in SMS interception, file access, and cloud-based data aggregation.
However, certain claims—such as full device control and iOS support—are either partially validated or remain unverified, indicating a gap between marketing claims and actual implementation.
Detection of SURXRAT requires a behavioral and correlation-based approach, as static indicators are limited.
SURXRAT represents a growing trend in mobile malware development, where threat actors adopt MaaS models and leverage legitimate cloud infrastructure to scale operations and evade detection.
Its use of Firebase for C2 and data exfiltration highlights a shift toward cloud-native malicious architectures, complicating traditional detection strategies. As mobile threats continue to evolve, defenders must prioritize behavioral analytics, permission monitoring, and cloud traffic inspection to effectively identify and mitigate such activity.
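The correlation-based triage the conclusion calls for, as an added example that is not part of the original report: it combines the indicators described above (Firebase Realtime Database listener APIs, the “sms” and “PhotoRAT” node names, the Sms3Activity class, the low-confidence “ArsinkRAT” string, and the SMS/storage permissions) so that no single benign-looking indicator, such as Firebase use on its own, raises an alert. The manifest and string dumps are constructed samples in the shape a decompiler would produce, not real artifacts.

```python
import re
from dataclasses import dataclass

# Indicators taken from the analysis above; only the report's own names are used.
SENSITIVE_PERMS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}
FIREBASE_MARKERS = ("FirebaseDatabase", "addChildEventListener", "DataSnapshot")
EXFIL_NODES = ("sms", "PhotoRAT")            # Firebase node names seen in the RAT
REUSE_MARKERS = ("Sms3Activity", "ArsinkRAT")  # class name and code-reuse hint

@dataclass
class Triage:
    firebase: list
    nodes: list
    perms: list
    reuse: list
    score: int
    verdict: str

def permissions_from_manifest(manifest_xml: str) -> set:
    """Pull <uses-permission android:name="..."/> values out of a decoded manifest."""
    return set(re.findall(r'uses-permission[^>]*android:name="([^"]+)"', manifest_xml))

def triage(manifest_xml: str, strings: list) -> Triage:
    """Correlate cloud-backend, exfil-node, permission and code-reuse indicators.
    Firebase and READ_SMS are each common in legitimate apps, so the score only
    rises when a sensitive data source and a cloud sink appear together."""
    blob = "\n".join(strings)
    firebase = [m for m in FIREBASE_MARKERS if m in blob]
    nodes = [n for n in EXFIL_NODES if f'"{n}"' in blob]   # quoted node literals only
    perms = sorted(SENSITIVE_PERMS & permissions_from_manifest(manifest_xml))
    reuse = [m for m in REUSE_MARKERS if m in blob]
    score = 0
    if firebase and nodes:
        score += 2      # realtime DB plus a known exfiltration node
    if perms and (firebase or nodes):
        score += 2      # sensitive data source plus a cloud sink
    if reuse:
        score += 1      # low-confidence family / code-reuse hint
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return Triage(firebase, nodes, perms, reuse, score, verdict)

# Constructed samples: a SURXRAT-like dump and a benign Firebase chat app.
RAT_MANIFEST = ('<manifest><uses-permission android:name="android.permission.READ_SMS"/>'
                '<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/></manifest>')
RAT_STRINGS = ['Lcom/google/firebase/database/FirebaseDatabase;', 'invoke-virtual addChildEventListener',
               'const-string v0, "sms"', 'const-string v1, "PhotoRAT"', 'Lcom/example/app/Sms3Activity;']
CHAT_MANIFEST = '<manifest><uses-permission android:name="android.permission.INTERNET"/></manifest>'
CHAT_STRINGS = ['Lcom/google/firebase/database/FirebaseDatabase;', 'const-string v0, "messages"']
```

A medium verdict (for example a backup app with READ_SMS and Firebase but none of the node names) is the case to hand to an analyst rather than auto-block.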
Siva Prasad Boddu

Pandurang Terkar

Rudra Pratap
