Blog, Mar 21, 2026
Extended Rapid Response: Zimperium’s Zero-Day Coverage of Oblivion RAT
Nicolás Chiaraviglio

Recent research published by iVerify highlights Oblivion RAT, a new and highly sophisticated Android remote access trojan (RAT) sold as a Malware-as-a-Service (MaaS) platform. Operating on a subscription model, Oblivion RAT gives threat actors a production-ready toolkit, including a web-based APK builder and a dropper generator that creates convincing, multi-stage social engineering lures.

Oblivion RAT uses a two-stage infection model designed to defuse user suspicion with pixel-perfect replicas of Google Play update pages and of Android’s own Accessibility Service settings screen. Once a victim is lured into enabling Accessibility Services, the implant programmatically grants itself every dangerous permission it needs, such as SMS access, notification listening, and device administration, while intercepting and hiding the system dialogs so that the process stays invisible to the user.

Beyond its deceptive UI, the malware uses anti-analysis techniques such as a "fake ZIP encryption" trick (a technique we blogged about in the past). By setting the ZIP "encrypted" general-purpose bit flag on entries of the APK without actually encrypting them, it causes standard analysis tools like jadx or apktool to fail, falsely reporting that the files are encrypted.

Once active, the RAT gives operators full VNC remote control, keylogging, and a "Wealth Assessment" feature that automatically categorizes installed financial and cryptocurrency apps so that high-value targets can be prioritized.

Mobile Threat Detection (MTD) and Mobile Runtime Protection (zDefend) customers are fully protected against this threat. Our Zimperium zLabs researchers analyzed the campaign and confirmed that Zimperium’s on-device dynamic detection engine provides 100% zero-day coverage against Oblivion RAT. In addition to the samples documented in the initial industry report, Zimperium’s threat telemetry identified 45 additional new samples of Oblivion RAT.
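The fake-encryption trick described above is easy to check for and to undo once you know where the flag lives. The following is an added example, not code from Zimperium, zLabs or iVerify: it parses the ZIP central directory of an APK, lists entries whose general-purpose bit 0 ("encrypted") is set, clears the bit in both the central directory record and the local file header, and then verifies that every entry inflates with a correct CRC-32. The sample archive is constructed inline (two dummy entries, with the flag forged on classes.dex), the parser assumes an ordinary non-zip64 archive, and Python's zipfile module stands in for the analysis tools that refuse a flagged entry.

```python
"""
Added example (not Zimperium's, zLabs' or iVerify's code): detecting and undoing the
"fake ZIP encryption" trick on an APK. An APK is a ZIP archive; each entry's
general-purpose bit flag has bit 0 = "entry is encrypted". A builder that sets
that bit on classes.dex without encrypting anything makes tools that trust the
flag refuse the file. The sample archive below is constructed inline.
"""
import io
import struct
import zipfile
import zlib

LFH_SIG = b"PK\x03\x04"   # local file header signature
CDH_SIG = b"PK\x01\x02"   # central directory header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory record signature
FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0


def _central_directory(data: bytes):
    """Yield (cd_entry_offset, flags, local_header_offset, name) for each entry.

    Assumes a plain (non-zip64) archive whose last EOCD signature is the real one,
    which holds for ordinary APKs.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: total entries (u16) at +10, central directory size (u32), offset (u32)
    entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_offset
    for _ in range(entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        (flags,) = struct.unpack_from("<H", data, pos + 8)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield pos, flags, local_off, name
        pos += 46 + name_len + extra_len + comment_len


def flagged_entries(data: bytes) -> list[str]:
    """Names of entries whose central-directory record claims to be encrypted."""
    return [name for _, flags, _, name in _central_directory(data)
            if flags & FLAG_ENCRYPTED]


def clear_encryption_flags(data: bytes) -> bytes:
    """Copy of the archive with bit 0 cleared in each flagged entry's central
    directory record and in its local file header (different tools check either)."""
    buf = bytearray(data)
    for cd_pos, flags, local_off, name in _central_directory(data):
        if not flags & FLAG_ENCRYPTED:
            continue
        struct.pack_into("<H", buf, cd_pos + 8, flags & ~FLAG_ENCRYPTED)
        if buf[local_off:local_off + 4] != LFH_SIG:
            raise ValueError(f"bad local file header for {name!r}")
        (lflags,) = struct.unpack_from("<H", buf, local_off + 6)
        struct.pack_into("<H", buf, local_off + 6, lflags & ~FLAG_ENCRYPTED)
    return bytes(buf)


def members_readable(data: bytes) -> bool:
    """True if every entry inflates with a matching CRC-32.

    False for a flagged entry (zipfile demands a password) and, after the flag
    has been cleared, for a genuinely ZipCrypto-encrypted entry: its 12-byte
    encryption header plus ciphertext will not inflate or will fail the CRC.
    That is how the fake flag is told apart from real encryption.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                zf.read(info)  # raises on bad CRC, bad stream or missing password
        return True
    except (zipfile.BadZipFile, RuntimeError, zlib.error, EOFError):
        return False


def build_sample(fake_encrypt: bool = True) -> bytes:
    """Constructed stand-in for a dropper APK: two entries, with the encryption
    bit forged on classes.dex when fake_encrypt is set (no real encryption)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    if fake_encrypt:
        for cd_pos, flags, local_off, name in _central_directory(bytes(data)):
            if name == "classes.dex":
                struct.pack_into("<H", data, cd_pos + 8, flags | FLAG_ENCRYPTED)
                (lflags,) = struct.unpack_from("<H", data, local_off + 6)
                struct.pack_into("<H", data, local_off + 6, lflags | FLAG_ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    apk = build_sample()
    print("before: flagged", flagged_entries(apk), "readable", members_readable(apk))
    fixed = clear_encryption_flags(apk)
    print("after:  flagged", flagged_entries(fixed), "readable", members_readable(fixed))
```

Run it against a real sample by replacing build_sample() with the bytes of the APK; if members_readable() is still False after clearing the flags, the entry was genuinely encrypted rather than merely marked, and clearing the bit would not have helped.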
These newly discovered variants currently show very low coverage among traditional signature-based antivirus engines, indicating that the operators are actively diversifying their builds to evade detection.

While Oblivion RAT is marketed for compromising individuals, its capabilities pose a severe risk to enterprise environments. A tool that can intercept two-factor authentication (2FA) codes delivered via SMS, capture every keystroke, and provide real-time remote access can readily be used to bypass corporate security controls and gain unauthorized access to sensitive business applications.

As mobile threats move toward MaaS models with automated builders, organizations cannot rely on static signatures. Behavioral, on-device detection is the only way to stay ahead of rapid-response threats like Oblivion RAT that are designed to change the moment they are analyzed.

The indicators of compromise discovered by zLabs can be found in this GitHub repository.
Oblivion RAT is a sophisticated Android Malware-as-a-Service that uses a two-stage infection model, employing fake Google Play update pages to trick users into enabling Accessibility Services, which it then abuses to auto-grant permissions and hide its activity. It evades analysis with a "fake ZIP encryption" technique that breaks standard APK tools and provides operators with full remote control, keylogging, and financial app targeting. Zimperium's on-device dynamic detection engine provides zero-day coverage, as traditional signature-based antivirus solutions show low detection rates against its actively diversified variants.