MobiRAT
Malware⚠️ Overview
MobiRAT is a remote access trojan (RAT) targeting Android devices, first documented in April 2017 by Zscaler ThreatLabZ. It is attributed to the advanced persistent threat group APT-C-23 (also tracked as AridViper or Desert Falcons), which operates primarily from the Middle East. The malware is delivered via social engineering campaigns masquerading as legitimate messaging or dating apps, and its primary purpose is espionage and data theft.
🔧 Technical Capabilities
MobiRAT abuses Android accessibility services to gain extensive device control, enabling keylogging, screen capture, and call recording. It exfiltrates SMS messages, contact lists, call logs, and GPS location data, sending encrypted payloads to a command-and-control (C2) server over HTTP or HTTPS. The malware uses dynamic DNS domains and hardcoded IP addresses for C2 communication, and employs AES-128 encryption for data exfiltration. To evade detection, it checks for rooted devices and debugging environments, and can disable Google Play Protect by requesting administrative privileges. Persistence is achieved through an auto-start broadcast receiver and by hiding its icon from the launcher.
📜 History & Notable Incidents
First identified in April 2017 by Zscaler (Zscaler ThreatLabZ report), MobiRAT was used in targeted campaigns against Israeli military personnel and Palestinian entities, as documented by Check Point Research in 2018. The malware exploited no specific CVEs but relied on social engineering—victims were tricked into installing malicious apps from third-party stores or via WhatsApp messages. In 2020, a variant with enhanced evasion (MobiRAT v2) was observed by Trend Micro during campaigns against Middle Eastern governments. No law enforcement actions or arrests have been publicly linked to its operators.
🔍 Detection Indicators
Known file hashes are not publicly catalogued in major IOC databases, but behavioral signatures include abnormal use of android.permission.BIND_ACCESSIBILITY_SERVICE and RECEIVE_BOOT_COMPLETED. Network indicators include C2 domains ending in .tk or .ml (e.g., mohammad[.]tk), and user-agent strings mimicking Android WebView (e.g., "Mozilla/5.0 (Linux; Android 7.0)"). Registry keys and mutex names are not applicable on Android; instead, package names like "com.security.vpn" are common. Monitor for apps requesting accessibility service without clear justification.
☠️ Risk & Impact
MobiRAT poses a high risk to individual privacy and organizational security, as it can exfiltrate sensitive communications, location data, and credentials. Victims have been primarily in the Israeli and Palestinian territories, with secondary targets in Saudi Arabia and Jordan (per Trend Micro 2020). The malware has been linked to espionage operations by APT-C-23, potentially affecting military, political, and academic sectors. Financial losses are indirect but can be significant due to data breach remediation and intelligence leakage.
🛡️ Mitigation
Mitigation against MobiRAT includes disabling installation from unknown sources on Android devices, enforcing Google Play Protect, and using mobile threat defense (MTD) solutions like Zimperium or Lookout that detect accessibility service abuse. Organizations should implement application whitelisting and network filtering for known C2 domains (e.g., via Palo Alto Networks or Cisco Talos feeds). User awareness training against social engineering is critical due to the malware's reliance on deceptive app installation.
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.