Detecting Oblivion Android RAT: Accessibility Abuse, OTP Interception, and Mobile Threat Behavior
MARCH 17, 2026
Threat Research
IN THIS ARTICLE
Overview
Analysis Scope & Methodology
Actor Advertisement & Ecosystem
Advertised Capabilities (Actor Claims)
Execution Flow
Observed Capabilities (Validated Behavior)
1. Accessibility Service Abuse
2. SMS and Notification Interception
3. Input Monitoring (Keylogging-like Behavior)
4. Persistence Mechanisms
5. Social Engineering & Defense Evasion
6. Remote Interaction Capabilities
7. Permission Automation & Internal Logic
8. Configuration Initialization
9. Command-and-Control (C2)
Observed Characteristics
Indicators of Compromise (IOCs):
File Hashes (SHA-256)
IP Address
How Gurucul Helps Detect and Mitigate Oblivion Android RAT
SIEM-Driven Telemetry Correlation
Behavioral Detection with UEBA
AI-Driven Threat Detection Models
MITRE ATT&CK Alignment
Network and Command-and-Control Detection
Risk-Based Alerting and Investigation
Conclusion
Overview
Oblivion is an Android Remote Access Trojan (RAT) advertised on underground forums as a comprehensive mobile surveillance and fraud toolkit. The malware is promoted with capabilities ranging from remote device interaction to credential theft and persistent access.
This analysis correlates actor-provided claims with behavior observed from a captured sample. While several core functionalities—such as Accessibility Service abuse, SMS interception, and persistent execution—were validated during controlled testing, other advanced capabilities remain inferred from actor descriptions and may depend on operator usage or configuration.
Analysis Scope & Methodology
This research is based on:
Actor advertisements and feature listings from underground forums
Static analysis and limited dynamic execution of a captured APK sample
Behavioral observation of permission usage and runtime activity
Capabilities discussed in this report are categorized as:
Observed – directly validated during analysis
Inferred – supported by artifacts but not fully executed
Claimed – based solely on actor-provided descriptions
Actor Advertisement & Ecosystem
The threat actor began advertising Oblivion RAT on underground forums in February, offering subscription-based access:
1 Month – $300
3 Months – $700
6 Months – $1300
1 Year – $1900
Lifetime – $2200
The listing positions the malware as a fully featured Android RAT designed for financial fraud, credential harvesting, and persistent surveillance.
Figure: Underground forum post advertising Oblivion RAT, including pricing tiers and feature highlights.
Advertised Capabilities (Actor Claims)
According to the forum listing, the malware is advertised to support:
Hidden remote interaction (marketed as “HVNC-like”)
Automated permission granting
Real-time interception of SMS, OTPs, and notifications
Keylogging and credential harvesting
Persistent access with resistance to removal
These capabilities reflect actor claims and were not all independently validated during analysis.
We observed that the same post was advertised on other forums as well.
The actor’s profile was created on the above forums in February, and a post advertising the sale of this RAT was made on February 20.
Execution Flow
The observed execution chain combines social engineering with system-level abuse:
User is presented with a fake update prompt
Application requests Accessibility Service permissions
Accessibility is leveraged to automate UI interactions
Malware initializes configuration
Background services establish persistence
Device begins communication with C2 infrastructure
Figure: Fake Google Play update interface used to trigger user interaction and initiate permission abuse.
Observed Capabilities (Validated Behavior)
1. Accessibility Service Abuse
The malware heavily relies on Accessibility Services to:
Interact with UI elements programmatically
Monitor on-screen content
Simulate user gestures
This enables automation of user actions and facilitates further permission abuse.
Figure: Accessibility Service permissions granted to the application, enabling UI interaction and monitoring capabilities.
2. SMS and Notification Interception
The sample demonstrates access to:
SMS messages
One-time passwords (OTPs)
Authentication-related communications
This behavior aligns with use cases such as banking fraud and account takeover.
Figure: Permissions enabling access to SMS data, supporting interception of authentication messages.
3. Input Monitoring (Keylogging-like Behavior)
Through Accessibility capabilities such as canRequestFilterKeyEvents, the malware can:
Monitor user input events
Capture sensitive credentials under certain conditions
This behavior is consistent with credential harvesting workflows.
Figure: Permissions enabling keystroke interception, screen capture and system-wide surveillance.
4. Persistence Mechanisms
The malware maintains execution using a combination of:
RECEIVE_BOOT_COMPLETED – restart after reboot
FOREGROUND_SERVICE – reduce likelihood of termination
WAKE_LOCK – sustain execution
These mechanisms enable long-term presence on the device.
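The permission combination described in sections 1 through 4 (an Accessibility-bound service, SMS access, and the boot/foreground/wake-lock persistence trio) is easy to screen for statically. The routine below is an added example for triaging an extracted AndroidManifest.xml, not code from the report or the sample; the manifest fragment is constructed, and the verdict thresholds are an assumption chosen to mirror the combination the report observed:

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
PERSISTENCE_PERMS = {"android.permission.RECEIVE_BOOT_COMPLETED",
                     "android.permission.FOREGROUND_SERVICE",
                     "android.permission.WAKE_LOCK"}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest fragment for illustration; not the captured sample's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return findings and a low/medium/high verdict (thresholds are an assumption)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # An accessibility service is any <service> protected by BIND_ACCESSIBILITY_SERVICE.
    a11y = any(s.get(ANDROID_NS + "permission") == A11Y_BIND for s in root.iter("service"))
    boot_rx = any(a.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED"
                  for a in root.iter("action"))
    findings = []
    if a11y:
        findings.append("accessibility_service")
    if perms & SMS_PERMS:
        findings.append("sms_access")
    persistence = sorted(p.rsplit(".", 1)[1] for p in perms & PERSISTENCE_PERMS)
    if boot_rx:
        persistence.append("BOOT_COMPLETED_receiver")
    if persistence:
        findings.append("persistence:" + ",".join(persistence))
    if a11y and perms & SMS_PERMS:
        verdict = "high"        # the Accessibility + SMS pairing the report describes
    elif (a11y or perms & SMS_PERMS) and persistence:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}
```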
5. Social Engineering & Defense Evasion
The malware uses deceptive interfaces to build user trust and mask malicious activity.
Figure: Fake security verification interface designed to reassure users while malicious activity occurs in the background.
6. Remote Interaction Capabilities
The actor advertises “HVNC-like” functionality. However, analysis indicates this is implemented through:
Accessibility-driven UI interaction
Screen monitoring and potential screen capture
Rather than true hidden virtual desktop environments, this approach enables interaction within the active user session.
Figure: Remote view of the infected device displaying a fake system update screen, likely used to mask attacker activity.
7. Permission Automation & Internal Logic
The malware appears to coordinate permission handling using internal signaling mechanisms, likely implemented via BroadcastReceiver-like components.
These mechanisms:
Track system dialog states
Trigger automated UI interactions via Accessibility
Figure: Evidence of internal event-driven logic used to coordinate permission interaction workflows.
This behavior suggests automation of user interaction rather than true privilege escalation.
Oblivion RAT uses a custom BroadcastReceiver to coordinate its permission abuse via internal events such as DEFAULT_SMS_DIALOG_VISIBLE and DEFAULT_SMS_RESULT. These signals track the SMS role prompt and trigger Accessibility-based automation to interact with system dialogs silently. This event-driven approach improves stealth and reliability by enabling seamless coordination between components without user involvement.
8. Configuration Initialization
Figure: Configuration initialization and enabling of stealth mode.
Oblivion RAT attempts to load its configuration from an embedded resource (config.json), indicating the use of externalized and potentially obfuscated settings. If loading fails, it dynamically generates a fallback configuration containing C2 server details (host/port) and operational parameters such as stealth mode and notification behavior. This redundancy ensures the malware remains functional even when the primary configuration is unavailable. Such design reflects resilience and flexibility in maintaining command-and-control communication.
9. Command-and-Control (C2)
The malware loads configuration from an embedded resource (config.json). If unavailable, fallback configuration is generated dynamically.
Observed Characteristics
Configuration stored in Base64-encoded format (not encrypted)
Contains:
C2 server: 89.125.48.159:8888
Token identifier (prefix: OBL_)
Application mode and landing URL
The “webview” mode suggests potential for:
Phishing content delivery
Dynamic payload loading
Figure: Decoded configuration revealing C2 infrastructure and operational parameters.
Network protocol behavior (e.g., encryption or transport security) was not fully validated.
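Because the configuration described in sections 8 and 9 is plain Base64 around JSON (C2 host/port, an OBL_-prefixed token, an application mode and a landing URL), an analyst can pull the indicators out with a small extractor. The code below is an added example, not the report's or the malware's own code; the JSON key names and the SAMPLE_CONFIG_B64 value are assumptions constructed to match the report's description:

```python
import base64
import binascii
import json
import re

TOKEN_PREFIX = "OBL_"                                # token prefix stated in the report
REQUIRED_KEYS = ("host", "port", "token", "mode")    # key names are assumed, not recovered

# Constructed sample: JSON wrapped in plain Base64, as the report describes (not encrypted).
SAMPLE_CONFIG_B64 = base64.b64encode(json.dumps({
    "host": "89.125.48.159", "port": 8888, "token": "OBL_sample_token",
    "mode": "webview", "url": "https://landing.example.invalid/", "stealth": True,
}).encode()).decode()
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")     # long Base64 runs in `strings` output

def decode_config(blob):
    """Decode a Base64-wrapped JSON object carrying the expected keys, else return None."""
    try:
        cfg = json.loads(base64.b64decode(blob, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not isinstance(cfg, dict) or any(k not in cfg for k in REQUIRED_KEYS):
        return None
    return cfg

def extract_indicators(blob):
    """Turn a decoded config into the fields an analyst records (defanged C2 included)."""
    cfg = decode_config(blob)
    if cfg is None:
        return {"parsed": False}
    host, port = str(cfg["host"]), int(cfg["port"])
    return {
        "parsed": True,
        "c2": f"{host}:{port}",
        "c2_defanged": f"{host.replace('.', '[.]')}:{port}",
        "token_matches_family": str(cfg["token"]).startswith(TOKEN_PREFIX),
        "webview_mode": cfg["mode"] == "webview",    # phishing / dynamic payload delivery risk
        "landing_url": cfg.get("url"),
        "stealth": bool(cfg.get("stealth", False)),
    }

def find_config_in_strings(text):
    """Scan `strings`-style output for the first Base64 run that decodes to a config."""
    for m in B64_RE.finditer(text):
        result = extract_indicators(m.group(0))
        if result["parsed"]:
            return result
    return {"parsed": False}
```

Run find_config_in_strings over the output of `strings` on the unpacked APK resources to locate the blob without hand-picking candidates.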
Indicators of Compromise (IOCs):
File Hashes (SHA-256)
SHA-256 Filename
69a81fe8b53c1f5fa37363e32a2ed867a0c808776bdae155fc118c2de94a321a Yandex.Archive.apk
d60d067c1239ec7db222ec18f7b8e20d85dd29ca5e8d4ddd86c55047374c3c48 payload.apk
fecf484b0fb268b1a6867057769a3e805abfc0b506cd022d37e0e50a9401714e payload.apk
IP Address
C2 Server
89[.]125[.]48[.]159:8888
How Gurucul Helps Detect and Mitigate Oblivion Android RAT
Gurucul’s Unified Security and Risk Analytics platform combines SIEM, User and Entity Behavior Analytics (UEBA), and AI-driven detection models to identify multi-stage mobile threats such as Oblivion RAT. By correlating telemetry across devices, users, and network activity, Gurucul enables early detection of Accessibility abuse, credential interception workflows, and command-and-control communication.
SIEM-Driven Telemetry Correlation
Gurucul SIEM ingests and correlates telemetry from multiple sources, including:
Mobile device management (MDM) / EMM logs
Application activity and permission changes
Network traffic and DNS logs
Identity and access events
For threats like Oblivion RAT, SIEM enables detection of:
Installation of suspicious or sideloaded applications
Applications requesting high-risk permissions (Accessibility, SMS, overlay)
Correlation between permission changes and subsequent anomalous behavior
Network connections to known or suspicious external infrastructure
By centralizing these signals, SIEM provides end-to-end visibility across the attack lifecycle.
Behavioral Detection with UEBA
Oblivion RAT relies heavily on abnormal user-device interactions rather than traditional exploits. Gurucul UEBA baselines normal behavior and detects deviations such as:
Unauthorized use of Accessibility Services by non-assistive applications
Rapid or automated interaction with system dialogs (permission granting patterns)
Unusual combinations of permissions (Accessibility + SMS + foreground execution)
Continuous background or foreground service activity without user context
Abnormal interaction patterns indicative of scripted or automated behavior
These deviations generate behavioral risk signals, helping identify compromised devices even when malware is previously unknown.
AI-Driven Threat Detection Models
Gurucul leverages machine learning and AI models to detect complex attack patterns that may not be visible through rules alone. For Oblivion RAT–like behavior, AI models help identify:
Sequential patterns such as:
App installation → Accessibility enablement → SMS access → network communication
Correlation between data access (OTP/SMS) and outbound traffic
Anomalous interaction frequency inconsistent with human usage patterns
Behavioral clustering of suspicious applications across multiple devices
These models enhance detection of low-and-slow or stealthy activity that may bypass traditional controls.
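The sequential pattern the UEBA and AI-driven sections describe (app installation → Accessibility enablement → SMS access → network communication) can be expressed as an ordered-stage rule over per-device telemetry. The script below is an added illustration of that rule, not Gurucul's detection logic; the event format, field names, log lines and risk weights are all constructed assumptions:

```python
from datetime import datetime, timedelta

# Constructed MDM-style events (not real telemetry): "<utc ts> <device> <package> <event> <detail>"
SAMPLE_EVENTS = """\
2026-03-01T10:00:02Z dev-17 com.update.sys APP_INSTALLED source=sideload
2026-03-01T10:00:40Z dev-17 com.update.sys ACCESSIBILITY_ENABLED -
2026-03-01T10:01:05Z dev-17 com.update.sys PERMISSION_GRANTED android.permission.RECEIVE_SMS
2026-03-01T10:01:30Z dev-17 com.update.sys NET_CONNECT 89.125.48.159:8888
2026-03-01T10:02:00Z dev-17 com.update.sys NET_CONNECT 89.125.48.159:8888
2026-03-01T09:00:00Z dev-03 com.vendor.reader APP_INSTALLED source=store
2026-03-01T09:30:00Z dev-03 com.vendor.reader ACCESSIBILITY_ENABLED -
2026-03-01T11:30:00Z dev-03 com.vendor.reader NET_CONNECT 203.0.113.10:443
"""

STAGES = ("APP_INSTALLED", "ACCESSIBILITY_ENABLED", "PERMISSION_GRANTED", "NET_CONNECT")
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
KNOWN_C2 = {"89.125.48.159:8888"}   # the C2 endpoint from the report's IOC list

def parse_events(text):
    """Parse constructed log lines into (ts, device, package, event, detail), oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, device, pkg, event, detail = line.split(" ", 4)
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), device, pkg, event, detail))
    return sorted(events)

def detect_chains(text, window_seconds=3600):
    """Per (device, package): ordered stages completed within the window, C2 hit, 0-100 risk."""
    window = timedelta(seconds=window_seconds)
    by_key = {}
    for ev in parse_events(text):
        by_key.setdefault((ev[1], ev[2]), []).append(ev)
    results = {}
    for key, evs in by_key.items():
        reached, start, known_c2 = 0, None, False
        for ts, _, _, event, detail in evs:
            if event == "NET_CONNECT" and detail in KNOWN_C2:
                known_c2 = True
            if reached == len(STAGES) or event != STAGES[reached]:
                continue                     # stages must arrive in the report's order
            if event == "PERMISSION_GRANTED" and detail not in SMS_PERMS:
                continue                     # only SMS-related grants advance the chain
            if start is None:
                start = ts
            elif ts - start > window:
                break                        # too spread out to count as one chain
            reached += 1
        risk = min(100, reached * 25 + (20 if known_c2 else 0))   # weights are assumptions
        results[key] = {"stages": reached, "known_c2": known_c2, "risk": risk}
    return results
```

The window parameter is what keeps a legitimate accessibility app that later makes ordinary network calls from scoring like the full chain.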
MITRE ATT&CK Alignment
Gurucul detection logic aligns with MITRE ATT&CK Mobile techniques observed in Oblivion RAT:
Initial Access – Social engineering via fake update interfaces
Execution – Malicious app deployment
Privilege Abuse – Accessibility Service exploitation (T1626)
Credential Access – Input capture and SMS interception (T1417, T1409)
Defense Evasion – Abuse of legitimate OS features
Command and Control – Application-layer communication (T1437)
This alignment enables security teams to map detections to attacker behavior and validate defensive coverage.
Network and Command-and-Control Detection
By correlating SIEM and UEBA data with network telemetry, Gurucul detects:
Outbound communication to suspicious infrastructure (e.g., 89.125.48.159:8888)
Repeated beaconing or anomalous traffic patterns
Applications generating network traffic inconsistent with declared functionality
Temporal correlation between sensitive data access and network activity
This provides visibility into active compromise and potential data exfiltration.
Risk-Based Alerting and Investigation
Gurucul aggregates weak signals across:
Application and device behavior
Permission abuse patterns
Accessibility usage
Network communication
Identity and session context
These signals are combined into a dynamic risk score, enabling:
Prioritization of high-risk devices and users
Context-rich alerts instead of isolated events
Faster investigation and response with reduced alert fatigue
Conclusion
Oblivion RAT highlights how modern mobile threats leverage legitimate platform features, social engineering, and behavioral evasion to bypass traditional security controls.
By combining SIEM-based telemetry correlation, UEBA-driven behavioral analytics, and AI-powered detection models, Gurucul enables early identification and mitigation of such threats—reducing the risk of credential compromise, financial fraud, and persistent device-level access.
Contributors:
Abhishek Samdole
Pandurang Terkar
Rudra Pratap