Oblivion RAT is a new Android remote access trojan that has appeared on cybercrime forums. This article explores the malware as analysed by iVerify. It is a very polished malware-as-a-service platform.

Certo Software and iVerify report that Oblivion is spyware that hackers can rent for $300 a month. Oblivion stands out because it has production-ready infrastructure: a web-based builder for generating the malicious implant, a dropper builder that produces convincing fake Google Play update screens, and a full command-and-control panel. Security researchers recently obtained samples of the malware and reverse-engineered them to work out how it infects devices and keeps control of them.

The Infection Chain and Tricks

Oblivion uses a two-step infection process that relies heavily on social engineering to trick people. Attackers deliver the first-stage dropper app through messaging apps or dating sites.

After being downloaded, the dropper shows victims a very convincing three-page sequence that looks like a real update to the Google Play Store. The first screen shows a fake download progress bar and a security scan that falsely promises that the app is safe and verified. The second screen shows a fake Play Store listing with a high developer rating and a big button for updates.

[Figure: Fake download completion screen with a security scan (Source: iVerify)]

Once the second stage is installed, the malware tries to get deep access to the system through Android's Accessibility Service. The operators use a dedicated builder to produce an app that is hard to notice and asks for accessibility permissions as soon as it starts. To fool the user, the malware shows a perfect copy of the real Android accessibility settings screen.

The attacker can change any text on this fake page to reassure the victim.

[Figure: Fake Play Store listing page (Source: iVerify)]

Indicators of Device Takeover and Threats

Once it has been installed and has passed the security checks, the malware connects to its command server using a configuration file that is not encrypted. Researchers can read the server address, operator tokens, and operating modes directly from this plain-text file.

Once the attacker is connected, they can use a powerful control panel to watch the device in real time. Operators can see the screen of the hacked device, touch it to interact with it, and record every keystroke the victim makes. Iverify found that the malware sets itself as the default messaging app, which means it stops all incoming text messages before the victim can read them.

This feature lets attackers easily capture one-time passwords and two-factor authentication codes. The wealth assessment tool built into the control panel is the most worrisome part.

[Figure: Fake accessibility settings page (Source: iVerify)]

This feature automatically scans the victim's device and sorts the installed apps into groups such as banking, cryptocurrency, and microfinance.

This instant financial profile shows the attacker which accounts are the best ones to go after. Security teams should watch their networks for the following infrastructure details that are part of this ongoing campaign.

Indicator        Type           Notes
89.125.48.159    C2 IP          Port 8888, self-signed TLS (CN=OblivionServer), AS 213702 (NL)
185.90.61.49     Panel IP       Seen in C2 panel session
83.168.108.45    Secondary IP   Possible alternative infrastructure
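As an added example (not code from the article or from iVerify), the indicators above turned into detection logic and run over a few constructed firewall/TLS-inspection log lines; the key=value log format, the internal hosts and the non-listed 203.0.113.9 address are assumptions made for the example.

```python
from __future__ import annotations
import re

# Indicators taken from the article's IoC list.
OBLIVION_IOCS = {
    "89.125.48.159": "C2 IP (port 8888, self-signed TLS, CN=OblivionServer, AS 213702)",
    "185.90.61.49": "Panel IP (seen in C2 panel session)",
    "83.168.108.45": "Secondary IP (possible alternative infrastructure)",
}
C2_PORT = "8888"
C2_CERT_CN = "OblivionServer"

# Constructed sample log lines (assumed key=value format; not real traffic).
SAMPLE_LOGS = """\
ts=2024-05-01T10:00:01Z src=10.0.0.12 dst=142.250.74.46 dport=443 cn=*.google.com
ts=2024-05-01T10:00:07Z src=10.0.0.31 dst=89.125.48.159 dport=8888 cn=OblivionServer
ts=2024-05-01T10:01:15Z src=10.0.0.44 dst=185.90.61.49 dport=443 cn=-
ts=2024-05-01T10:02:03Z src=10.0.0.31 dst=203.0.113.9 dport=8888 cn=OblivionServer
ts=2024-05-01T10:03:40Z src=10.0.0.50 dst=1.1.1.1 dport=53 cn=-
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line: str) -> dict[str, str]:
    """Split one key=value log line into a dict."""
    return dict(KV_RE.findall(line))

def classify(rec: dict[str, str]) -> list[str]:
    """Return the reasons a record is suspicious; an empty list means clean."""
    reasons = []
    dst = rec.get("dst", "")
    if dst in OBLIVION_IOCS:
        reasons.append(f"known indicator: {OBLIVION_IOCS[dst]}")
    # The certificate CN fingerprints the C2 itself, so flag it even on an IP
    # that is not in the list: operators rotate infrastructure, certs less often.
    if rec.get("cn") == C2_CERT_CN:
        port_note = " on C2 port" if rec.get("dport") == C2_PORT else ""
        reasons.append(f"TLS CN={C2_CERT_CN} matches Oblivion C2 certificate{port_note}")
    return reasons

def scan_logs(text: str) -> list[dict]:
    """Run every log line through classify() and collect the hits in order."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.append({"src": rec.get("src"), "dst": rec.get("dst"), "reasons": reasons})
    return hits

def infected_hosts(hits: list[dict]) -> list[str]:
    """Internal sources that talked to Oblivion infrastructure, for triage."""
    return sorted({h["src"] for h in hits})
```

Running `scan_logs(SAMPLE_LOGS)` on the constructed lines flags three connections and `infected_hosts()` reduces them to the two internal devices worth isolating first.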