SURXRAT Malware Gives Hackers Complete Access To Android Devices

SURXRAT is an advanced Android Remote Access Trojan (RAT) actively developed and sold through a malware-as-a-service (MaaS) model. It is distributed through a Telegram-based ecosystem where the malware is marketed under the “SURXRAT V5” branding.

This service offers a subscription-based model that allows resellers to distribute customized builds to their clients. The malware has grown in sophistication, combining surveillance, device control, and monetization features, making it a significant threat to Android users.

The SURXRAT MaaS model reflects a shift towards professionalization in the Android threat landscape.

The malware is marketed via a Telegram channel run by an Indonesian threat actor, who provides resellers with access to different purchase tiers.

Key Features and Capabilities

SURXRAT is a versatile surveillance and device control platform. Once installed on an Android device, it grants attackers full control, enabling a wide range of malicious activities.

SURXRAT V5 advertisement on Telegram Channel (Source: cyble)

Some of its primary features include:

  • Data Collection and Exfiltration: SURXRAT can collect sensitive data, including SMS messages, contacts, call logs, device information, location data, browser history, and more.
    • This information is exfiltrated to the attacker’s Firebase-based command-and-control (C2) infrastructure. Using a legitimate cloud service as the C2 channel makes the traffic hard to distinguish from normal app activity, which gives the operator both stealth and reliable delivery.
  • Remote Device Control: Beyond passive surveillance, SURXRAT allows active manipulation of the infected device. Attackers can remotely unlock the device, make phone calls, change wallpapers, trigger the flashlight, control device vibration, and even perform a complete data wipe.
  • Ransomware-Style Locking: One of the most concerning features of SURXRAT is its ability to lock the device with a ransom-style screen locker. The attacker can customize the lock screen message and set a PIN, demanding a ransom to restore the device’s normal functionality.
  • AI-Driven Experimentation: Recent versions of SURXRAT have experimented with AI-assisted capabilities.
    • The malware downloads a large AI model from external repositories, such as Hugging Face, when specific gaming apps are active, suggesting the potential use of AI for evasion, device manipulation, or further monetization.

Technical Analysis

Upon installation, SURXRAT prompts the victim to grant high-risk permissions, including access to device storage, contacts, SMS, and location services.

Pricing Plan for SURXRAT posted on Telegram channel (Source: cyble)

Once these permissions are granted, the malware establishes communication with its C2 server and begins exfiltrating the collected data. It also abuses the Android Accessibility Service to keep control of the device: once the victim enables the service, the malware can observe and act on the screen without further user interaction, which is what makes the remote-control and lock-screen features work.
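The combination described above (a bundle of SMS, contacts, call-log, location and storage permissions plus an accessibility service declaration) is visible statically in an APK's decoded AndroidManifest.xml, so it is a reasonable triage signal. The script below is an added example written for this page, not code from Cyble's report or from SURXRAT. It assumes a manifest decoded by apktool, and it additionally checks for a device-admin receiver (BIND_DEVICE_ADMIN), which is the usual Android mechanism behind lock and wipe commands; the page does not say how SURXRAT implements those, so that check is an assumption, not a description of the malware. Both manifests in the block are constructed for the example.

```python
"""Static triage of a decoded AndroidManifest.xml for RAT-like permission patterns.

Added example for this page (not Cyble's or SURXRAT's code). Flags the
permission bundle the article describes together with an accessibility
service and, as an assumption, a device-admin receiver.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Runtime permissions matching the capabilities listed in the article,
# mapped to the data category they unlock. Constant names are the standard
# Android framework names; the article lists only the capabilities.
HIGH_RISK = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"  # assumption: lock/wipe hook


def triage_manifest(xml_text: str) -> dict:
    """Return the risk categories, control hooks and a simple score for a manifest."""
    root = ET.fromstring(xml_text)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    categories = sorted({HIGH_RISK[p] for p in requested if p in HIGH_RISK})

    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE.
    # This is the persistence/remote-control hook described in the text.
    accessibility = [s.get(NAME) for s in root.iter("service")
                     if s.get(PERMISSION) == ACCESSIBILITY]
    # A device-admin receiver is a <receiver> protected by BIND_DEVICE_ADMIN
    # (assumed relevant to the lock and wipe commands; not stated on the page).
    device_admin = [r.get(NAME) for r in root.iter("receiver")
                    if r.get(PERMISSION) == DEVICE_ADMIN]

    score = len(categories) + (3 if accessibility else 0) + (2 if device_admin else 0)
    verdict = "RAT-like" if accessibility and len(categories) >= 3 else "review"
    return {
        "risk_categories": categories,
        "accessibility_services": accessibility,
        "device_admin_receivers": device_admin,
        "score": score,
        "verdict": verdict,
    }


# Constructed sample: a fake "game" that requests the surveillance bundle and
# declares both control hooks.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".SysService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only needs network and coarse location.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(text))
```

Treat the verdict as a triage hint, not a detection: legitimate accessibility tools and MDM agents request the same hooks, so the output is meant to prioritise samples for manual or dynamic analysis of the C2 behaviour the article describes.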

According to Cyble, SURXRAT represents a significant evolution in Android malware, combining MaaS-style distribution, cloud-based control, and extensive surveillance capabilities.

With its ability to exfiltrate data, control devices, and deploy ransomware-style attacks, SURXRAT poses a serious threat to Android users.

The malware’s commercialized distribution model reflects the increasing sophistication and accessibility of Android RATs, underscoring the need for users to remain vigilant and adopt strong mobile security practices.

RAT command    Description
access         Clipboard
Lock           Screen locker
for            Data wipe
wal            Wallpaper change
Brow           Browser history

Regular device updates and the use of multi-factor authentication (MFA) for sensitive accounts can also mitigate the risk of compromise.

The post SURXRAT Malware Gives Hackers Complete Access To Android Devices appeared first on Cyber Security News.