A powerful new Android Remote Access Trojan (RAT) called Oblivion has recently appeared, and cybersecurity researchers at Certo have found it to be unusually advanced compared to typical malware. It’s not just another recycled threat — this one was reportedly built from scratch with features designed to evade detection and bypass modern Android security.
Unlike most malware sold underground, Oblivion is openly advertised on a public hacking forum, complete with a demonstration video showing how it works. It targets Android devices running versions 8 through 16, which covers nearly all Android phones still in use today.
What makes Oblivion notable isn’t any single trick but the combination of capabilities: it automates dangerous permission granting, offers hidden remote control, stays persistently installed, and includes an easy-to-use builder so even low-skill attackers can deploy it.
Sold as a Service
The malware is marketed as a commercial tool rather than leaked code. The seller claims Oblivion ran in live tests for over four months without crashing or triggering detection tools. Instead of providing source code, they charge for access on a subscription basis. The forum lists the following subscription options:
- 1 month — $300
- 3 months — $700
- 6 months — $1,300
- 1 year — $1,900
- Lifetime access — $2,200
What a RAT Does
A Remote Access Trojan gives attackers hidden, remote control of an infected device. Once installed, it can read messages, monitor the screen, control inputs, and steal sensitive data — all without the user’s awareness.
How Oblivion Infects Devices
Builder and Dropper
Oblivion comes with an APK Builder that lets attackers generate a malicious app without coding. They can customize the app’s name, icon, and behavior so it looks trustworthy — for example, mimicking a system service. There’s even a stealth mode that hides the app’s user interface completely.
To deliver the malware, Oblivion includes a Dropper Builder that creates fake update prompts resembling the Google Play Store. When a victim sees this fake “Update Required” screen and enables installation from unknown sources, the malware installs itself.
⚠️ Security tip: Official Android updates never come as pop-ups outside the Play Store. Always update apps through official channels.
The Permission Bypass
Once installed, Oblivion’s biggest technical advantage kicks in: it can automatically gain high-risk permissions — especially Accessibility Service access — without any clicks from the user. This is significant because Accessibility Service, while meant to help users with disabilities, grants extremely powerful control over the device.
The seller claims this bypass works across multiple custom Android variants including:
- MIUI / HyperOS (Xiaomi)
- One UI (Samsung)
- ColorOS (OPPO)
- MagicOS (Honor)
- OxygenOS (OnePlus)
These cover most Android devices worldwide, and the video demo shows it working on Android 15 — with claims it also functions on Android 16.
Hidden Remote Control
Oblivion uses VNC (Virtual Network Computing) to let attackers view and interact with an infected phone remotely. Even more dangerous, it implements Hidden VNC (HVNC) — a hidden session that the victim doesn’t see.
When the attacker operates the device, the phone may instead display a fake animation like “System updating…” so victims don’t realize anything is wrong. This overlay screen can be customized to look like an update, antivirus scan, or other believable system event.
There’s also a Screen Reader mode that circumvents protections in banking and crypto wallet apps that normally block screen capture.
What Oblivion Can Steal or Control
Once fully deployed, Oblivion’s data collection tools are extensive. It can:
- Read, intercept, and send SMS messages, including two-factor codes.
- Monitor and hide push notifications — even from financial apps.
- Capture keystrokes with a keylogger (passwords, PINs, etc.).
- Access files and installed apps.
- Launch or uninstall apps remotely.
- Auto-unlock the device using a stored PIN or pattern — even after reboot.
Staying Hidden and Persistent
Oblivion aggressively protects itself once installed. It:
- Blocks permission revocation.
- Prevents uninstallation.
- Stops the Accessibility Service from being disabled.
The malware uses self-recovery techniques, hides icons completely, and conceals processes to ensure long-term persistence. It also uses server infrastructure capable of handling thousands of infections, including anonymized connections via Tor.
Why It Matters
Google has tightened controls on Accessibility Service misuse across recent Android versions. A tool that bypasses those safeguards — especially on Android 16 — represents a serious challenge for platform security.
For everyday users, a single sideloaded app installed via a convincing fake update could quietly hand an attacker full, ongoing control of the phone and all the data on it.
How to Protect Yourself
Practical steps to reduce risk:
- Don’t sideload apps. Only install apps from the official Google Play Store.
- Be skeptical of unexpected update prompts. If it asks you to go outside the Play Store, it’s likely fake.
- Check Accessibility permissions. Go to Settings → Accessibility and remove anything unfamiliar.
- Run a malware scan with a reputable security app.
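The accessibility check above can also be done from a computer over adb. The following is an added example, not part of the original article: it lists enabled accessibility services and flags any whose package is neither a system app nor installed by Google Play. The package names in the sample data are constructed, and treating Google Play as the only trusted installer is an assumption.

```python
import re
import subprocess

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play (assumption: only trusted store)
PKG_RE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?", re.M)

def parse_services(raw):
    """Components from `settings get secure enabled_accessibility_services`."""
    raw = raw.strip()
    return [] if raw in ("", "null") else [c for c in raw.split(":") if "/" in c]

def parse_packages(raw):
    """Map package -> installer from `pm list packages -i` (or `-s`) output."""
    return {m.group(1): m.group(2) or "null" for m in PKG_RE.finditer(raw)}

def flag_services(services_raw, installers_raw, system_raw):
    """Enabled accessibility services from non-system, non-store packages."""
    installers = parse_packages(installers_raw)
    system = set(parse_packages(system_raw))
    flagged = []
    for comp in parse_services(services_raw):
        pkg = comp.split("/", 1)[0]
        installer = installers.get(pkg, "unknown")
        if pkg not in system and installer not in TRUSTED_INSTALLERS:
            flagged.append((comp, installer))
    return flagged

def audit_device():
    """Run the three queries against a connected device with USB debugging on."""
    sh = lambda *a: subprocess.run(["adb", "shell", *a], capture_output=True,
                                   text=True, check=True).stdout
    return flag_services(
        sh("settings", "get", "secure", "enabled_accessibility_services"),
        sh("pm", "list", "packages", "-i"),
        sh("pm", "list", "packages", "-s"))

# Constructed sample output (not from a real device or from Oblivion itself).
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.sysupdate/.CoreService\n")
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sysupdate  installer=com.example.dropper
package:com.android.settings  installer=null
"""
SAMPLE_SYSTEM = "package:com.android.settings\n"

if __name__ == "__main__":
    for comp, installer in flag_services(SAMPLE_SERVICES, SAMPLE_INSTALLERS, SAMPLE_SYSTEM):
        print(f"REVIEW {comp} (installer: {installer})")
```

A flagged entry is a prompt for manual review, not proof of infection: apps from other legitimate stores will also appear until their installer is added to `TRUSTED_INSTALLERS`.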
In Conclusion
Oblivion isn’t notable solely for its individual capabilities — it matters because it packages them into a relatively easy-to-use, commercially available malware service. This lowers the bar for attackers, potentially making serious Android breaches more common.
