A new Android Remote Access Trojan (RAT) advertised as fully undetectable (FUD) has surfaced publicly on GitHub, raising serious concerns among cybersecurity researchers.
Its author claims it bypasses the permission and background-process restrictions of customized Android ROMs, particularly Chinese ROMs such as MIUI and EMUI, which would make it one of the more capable publicly available Android threats seen so far.
With an emphasis on persistence, encrypted communication, and claimed invisibility to antivirus software, researchers warn that the malware could fuel a new wave of ransomware and credential-stealing campaigns. Note that "undetectable" is the seller's marketing claim, not an independently verified property.
Advanced Injection and Permission Evasion
The RAT incorporates a multi-layer dropper that repackages its payload inside legitimate-looking Android applications, so unsuspecting users install trojanized APKs.
Unlike conventional RATs, it is engineered to defeat autostart restrictions, background app controls, and the aggressive battery optimization widely found in customized Android ROMs.
Once installed, it escalates its privileges, obtaining accessibility, notification-listener, and device-administrator rights through scripted interaction with the system prompts. Android does not allow an app to grant itself the first accessibility permission silently, so this class of malware still has to persuade the user to enable one accessibility service; once it has that, the service can click through the remaining permission dialogs on its own. The result is the same: the user permission model is neutralized and the malware runs stealthily immediately after infection.
Encryption plays a core role in its design. Command-and-control (C2) traffic is encrypted with AES-128-CBC and PKCS#7 padding (the "PKCS5Padding" of Java's cipher API), so deep packet inspection cannot read command contents. Two caveats apply: encryption hides the payload but not the C2 endpoint, timing, or volume of the connections, and CBC with PKCS#7 padding provides confidentiality only, with no integrity protection, so any party holding the key can decrypt and silently modify messages.
According to the developer's documentation, the configuration, including the C2 address, is obfuscated to resist exposure during APK decompilation or reverse engineering. Obfuscation raises the cost of static analysis but cannot prevent recovery: the key and C2 address must be present in cleartext at runtime, where dynamic instrumentation can read them.
An additional anti-emulator module checks hardware and build parameters before execution and refuses to run inside the sandbox environments analysts use, which pushes analysis toward physical devices or patched checks.
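To make the encryption caveat concrete, the following Go program is an added example, not code from the RAT or its author. It plays both sides of an AES-128-CBC/PKCS#7 exchange: a client encrypting a command the way a Java "AES/CBC/PKCS5Padding" cipher would, and an analyst decrypting a captured message once the key has been pulled from the APK at runtime. It then flips one byte of the IV and shows that decryption still succeeds with an altered command and no error, which is exactly what the lack of authentication means. The key, IV, command JSON, and the assumed wire layout of IV followed by ciphertext are all constructed for the example; the page does not document the real wire format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed sample material for the example; not taken from any real sample.
var (
	SampleKey = []byte("0123456789abcdef") // 16 bytes -> AES-128
	SampleIV  = []byte("fedcba9876543210") // 16 bytes, one AES block
)

const SampleCommand = `{"cmd":"ping","id":7}`

// pkcs7Pad appends PKCS#7 padding (Java calls this PKCS5Padding for AES).
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strictly validates and strips PKCS#7 padding.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("plaintext length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptCBC mimics the client: output is iv || AES-CBC(ciphertext of padded plaintext).
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte{}, plaintext...), block.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...), nil
}

// DecryptCBC is the analyst-side decryptor for a captured message once the key is known.
func DecryptCBC(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(msg) < 2*bs || len(msg)%bs != 0 {
		return nil, errors.New("message too short or not block-aligned")
	}
	iv, ct := msg[:bs], msg[bs:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, bs)
}

// TamperFirstByte XORs a delta into the IV's first byte. In CBC the IV is XORed
// into the first decrypted block, so the first plaintext byte changes by the same
// delta and nothing detects it: CBC + PKCS#7 has no integrity check.
func TamperFirstByte(msg []byte, delta byte) []byte {
	out := append([]byte{}, msg...)
	out[0] ^= delta
	return out
}

func main() {
	msg, err := EncryptCBC(SampleKey, SampleIV, []byte(SampleCommand))
	if err != nil {
		panic(err)
	}
	fmt.Println("wire:", hex.EncodeToString(msg))
	pt, err := DecryptCBC(SampleKey, msg)
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)
	forged := TamperFirstByte(msg, '{'^'[')
	pt, err = DecryptCBC(SampleKey, forged)
	fmt.Printf("after IV flip: %s (err=%v)\n", pt, err)
}
```

The takeaway for both attacker and defender is the same: AES-CBC keeps the command stream opaque to a passive observer, but anyone with the key (including an analyst who extracted it) can read and rewrite traffic undetected, which is why current designs use an AEAD mode or an HMAC over the ciphertext.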
Full Device Compromise and Surveillance Capability
Once active, the RAT gains broad device control, mirroring the functionality of commercial-grade spyware. It can read and delete call logs, place or intercept voice calls, and manipulate SMS messages, including reading one-time passcodes (OTPs) and spoofing sender information.
Through its built-in keylogger, the malware captures keystrokes entered in other apps, buffering them while the device is offline, and targets credentials for banking apps, crypto wallets, email clients, and two-factor authentication tools.
The malware also integrates multiple data exfiltration features, including live screen captures, access to the front and rear cameras, audio and video recording, and clipboard hijacking that replaces a copied cryptocurrency wallet address with the attacker's.
Its ransomware component adds further danger by encrypting files on accessible storage and locking the device's screen until a ransom demand is fulfilled.
Meanwhile, the attacker can remotely lock, unlock, or wipe the entire device, effectively turning the RAT from spyware into a destructive payload.
Spoofed notifications, cloned application login pages, and automated phishing prompts add a social-engineering layer to the infection chain, enabling real-time credential theft.
Persistence, Stealth, and Public Exposure
The RAT's persistence mechanisms are designed for longevity. It minimizes resource use, running a background process that consumes negligible CPU and battery power.
In "freeze mode" its network traffic drops to under 3MB per day, which keeps it below the volume thresholds many network monitors rely on; low volume does not hide a periodic check-in, however, and beaconing analysis on connection timing still applies. A hidden icon and delayed task scheduling prevent user suspicion, while fake system dialogs are used to get the user to shut down security apps and Play Protect.
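The following Go program is an added example, not part of the original article or of the RAT's tooling, illustrating why a sub-3MB-per-day "freeze mode" is not invisible. It parses a constructed outbound-connection log, groups connections by destination, and flags destinations whose inter-arrival gaps are nearly constant (low coefficient of variation), regardless of how few bytes they carry. The log lines, the 10-minute check-in interval, the destination address 203.0.113.10 (a documentation range), and the CDN hostname are all made up for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"math"
	"sort"
	"strconv"
	"strings"
	"time"
)

// SampleLog is constructed data: one implant beaconing every ~10 minutes with a
// few seconds of jitter and ~200 bytes per connection, plus ordinary browsing.
// Format per line: RFC3339 timestamp, destination host:port, bytes sent.
const SampleLog = `
2024-01-01T00:00:00Z 203.0.113.10:443 180
2024-01-01T00:02:10Z cdn.example.net:443 48000
2024-01-01T00:02:41Z cdn.example.net:443 9100
2024-01-01T00:09:21Z cdn.example.net:443 120000
2024-01-01T00:09:33Z cdn.example.net:443 3300
2024-01-01T00:10:00Z 203.0.113.10:443 212
2024-01-01T00:19:58Z 203.0.113.10:443 190
2024-01-01T00:24:33Z cdn.example.net:443 76000
2024-01-01T00:25:48Z cdn.example.net:443 8800
2024-01-01T00:30:01Z 203.0.113.10:443 205
2024-01-01T00:33:00Z mail.example.org:993 5200
2024-01-01T00:40:02Z 203.0.113.10:443 198
2024-01-01T00:49:59Z 203.0.113.10:443 187
2024-01-01T00:58:00Z mail.example.org:993 4100
2024-01-01T01:00:01Z 203.0.113.10:443 210
`

// Flow is one outbound connection summary.
type Flow struct {
	At    time.Time
	Dst   string
	Bytes int
}

// ParseFlows reads the three-field log format above.
func ParseFlows(log string) ([]Flow, error) {
	var flows []Flow
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		n, err := strconv.Atoi(f[2])
		if err != nil {
			return nil, err
		}
		flows = append(flows, Flow{At: at, Dst: f[1], Bytes: n})
	}
	return flows, sc.Err()
}

// Beacon describes a destination contacted on a timer-like schedule.
type Beacon struct {
	Dst        string
	Count      int
	TotalBytes int
	MeanGapSec float64
	CV         float64 // std dev / mean of inter-arrival gaps; near 0 means a timer
}

// FindBeacons flags destinations with at least minCount connections whose gaps
// vary by no more than maxCV. Byte volume is reported but never used as a filter,
// which is the point: freeze mode defeats volume thresholds, not timing analysis.
func FindBeacons(flows []Flow, minCount int, maxCV float64) []Beacon {
	byDst := map[string][]Flow{}
	for _, f := range flows {
		byDst[f.Dst] = append(byDst[f.Dst], f)
	}
	var out []Beacon
	for dst, fs := range byDst {
		if len(fs) < minCount {
			continue
		}
		sort.Slice(fs, func(i, j int) bool { return fs[i].At.Before(fs[j].At) })
		gaps := make([]float64, 0, len(fs)-1)
		total := fs[0].Bytes
		for i := 1; i < len(fs); i++ {
			gaps = append(gaps, fs[i].At.Sub(fs[i-1].At).Seconds())
			total += fs[i].Bytes
		}
		mean, sd := meanStd(gaps)
		if mean > 0 && sd/mean <= maxCV {
			out = append(out, Beacon{dst, len(fs), total, mean, sd / mean})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Dst < out[j].Dst })
	return out
}

func meanStd(x []float64) (float64, float64) {
	var sum float64
	for _, v := range x {
		sum += v
	}
	mean := sum / float64(len(x))
	var ss float64
	for _, v := range x {
		ss += (v - mean) * (v - mean)
	}
	return mean, math.Sqrt(ss / float64(len(x)))
}

func main() {
	flows, err := ParseFlows(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, b := range FindBeacons(flows, 5, 0.1) {
		fmt.Printf("beacon %s: %d connections, %d bytes, every %.0fs (cv=%.3f)\n",
			b.Dst, b.Count, b.TotalBytes, b.MeanGapSec, b.CV)
	}
}
```

On the sample, only the implant's destination is reported: seven connections totalling under 1.5KB, but at a 600-second cadence with a coefficient of variation around 0.004. The browsing traffic moves far more data and is ignored because its timing is irregular. Real deployments add randomized sleep to raise the CV, so the threshold and minimum count need tuning against a baseline of the network's own traffic.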
Perhaps most alarming is its accessibility: the attacker interface is entirely web-based, so the operator needs no dedicated infrastructure, public IP address, or port forwarding. Full control commands can be issued from any standard browser on an Android, Linux, or Windows machine.
By making such a powerful toolkit freely available online, its developers have lowered the barrier to entry for running industrial-grade mobile espionage operations.
The public release of this FUD Android RAT underscores the growing abuse of open-source repositories for distributing weaponized tools.
Security analysts are urging immediate removal of the project and closer scrutiny of malware publishing on GitHub to limit further abuse of Android devices.