The Android ecosystem has a worrying new threat. Researchers at Certo have identified a new remote access trojan that is being distributed under the name RadzaRat.
The malware is presented as a simple file management application. However, it contains extensive functions for surveillance, data theft, and remote control. It is striking that no known security solution currently recognizes the application as malicious. This increases the risk for users.
RadzaRat appears at a time when malware-as-a-service is becoming increasingly accessible. The developer, active on criminal forums under the pseudonym Heron44, explicitly targets users with little technical knowledge. According to posts on these forums, setting up the trojan requires little effort: attackers only need a free hosting environment, a Telegram bot, and a device on which the app is installed with the necessary permissions.
The application can be downloaded for free from a public GitHub repository. This illustrates how easy it has become to distribute malicious software via normally legitimate development platforms. The presence of a debug certificate indicates that the version in circulation comes directly from the development environment or that the creator has made little effort to conceal the project.
Full access to the file system
Under the hood, RadzaRat contains an extensive set of features. The trojan has full access to the device’s file system and allows attackers to search folders, retrieve specific files, and download large data files. An analysis of the app’s structure shows that the file manager interface not only serves as a disguise, but also forms the starting point for these operations.
In addition, the malware records keystrokes. The technique makes use of Android’s accessibility services, a feature intended to support users but increasingly used for unauthorized monitoring. This method allows virtually all input to be recorded, from passwords to business communications.
The command-and-control layer runs on Telegram and Render.com. The app sends stolen data via bots controlled by the attacker, with Render servers serving as an intermediate station for uploads. This model offers both practical advantages and a certain degree of camouflage, as Telegram traffic is ubiquitous and often does not appear suspicious.
RadzaRat uses several mechanisms to stay active. The app starts automatically after a reboot. It requests an exemption from battery optimization so that Android does not stop the process to save power. The trojan also runs as a foreground service, which makes the system less likely to terminate it.
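The capability bundle described in the last four paragraphs (broad file-system access, an accessibility service for keystroke capture, autostart after reboot, a battery-optimization exemption and a foreground service) can be triaged from an app's AndroidManifest.xml before deeper analysis. The following is an added example, not code from Certo or the article: it parses a constructed sample manifest (not RadzaRat's real manifest) with the standard library and maps each flagged declaration to the element that made it; the permission and action names are real Android identifiers, the class names and the review threshold are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions matching the behaviours described above (real Android permission names).
FLAGGED_PERMISSIONS = {
    "android.permission.MANAGE_EXTERNAL_STORAGE": "full file-system access",
    "android.permission.RECEIVE_BOOT_COMPLETED": "autostart after reboot",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "battery-optimization exemption",
    "android.permission.FOREGROUND_SERVICE": "foreground service",
}

# Constructed sample manifest (not RadzaRat's real manifest) declaring the whole bundle.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.filemgr">
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".KeySvc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".BootRcv">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(manifest_xml: str) -> dict:
    """Map each flagged capability to the manifest element that declares it."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for node in root.iter("uses-permission"):
        perm = node.get(NAME, "")
        if perm in FLAGGED_PERMISSIONS:
            findings[FLAGGED_PERMISSIONS[perm]] = perm
    # Keystroke capture needs a service bound with BIND_ACCESSIBILITY_SERVICE; a file manager has no reason to declare one.
    for svc in root.iter("service"):
        if svc.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings["accessibility service"] = svc.get(NAME, "?")
    # A receiver listening for BOOT_COMPLETED is what restarts the app after a reboot.
    for rcv in root.iter("receiver"):
        if any(a.get(NAME) == "android.intent.action.BOOT_COMPLETED" for a in rcv.iter("action")):
            findings["boot receiver"] = rcv.get(NAME, "?")
    return findings

def needs_review(findings: dict, threshold: int = 4) -> bool:
    """Flag for manual review when a 'file manager' stacks this many capabilities (assumed threshold)."""
    return len(findings) >= threshold
```

Run `triage_manifest` over the manifest extracted from any suspect APK; a single hit is normal for many apps, it is the combination that warrants a closer look.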