XpertRAT
⚠️ Malware Overview
XpertRAT is a remote access trojan (RAT) targeting Android mobile devices, first publicly documented by Zimperium zLabs in May 2022. It is attributed to the APT group known as GravityRAT (also tracked as APT-C-35), which has operated since at least 2015 and historically focused on espionage against Indian military and government personnel. XpertRAT belongs to the category of mobile spyware, designed to exfiltrate sensitive data and enable remote surveillance of infected devices.
🔧 Technical Capabilities
XpertRAT propagates through malicious Android APK files disguised as legitimate apps (e.g., messaging or utility tools) distributed via phishing links or third-party app stores. Attack vectors include social engineering and drive-by downloads, often delivered through spear-phishing emails targeting specific individuals. The malware establishes command-and-control (C2) communication using Firebase Cloud Messaging (FCM) and encrypted HTTPS channels, as reported by Zimperium. Persistence is achieved by registering as a device administrator and requesting permissions to run in the background, preventing uninstallation. Evasion techniques include obfuscated code, dynamic loading of malicious payloads, and checking for emulator environments to avoid analysis. XpertRAT can capture call logs, SMS messages, contacts, GPS location, microphone recordings, camera images, and file system data. It also supports keylogging and remote shell commands via the C2 server, as noted in analysis by Quick Heal Security Labs (QSL).
📜 History & Notable Incidents
XpertRAT first appeared in early 2022, with a major campaign targeting Indian Army personnel and government officials, as identified by Zimperium. In August 2022, Cyble researchers linked the malware to a broader GravityRAT operation that used fake Android apps on the Google Play Store to deliver spyware. No specific CVEs are associated with XpertRAT itself; rather, it exploits Android’s accessibility service and runtime permissions (CVE-2022-22722 related to Android WebView was used in some GravityRAT campaigns, but not directly by XpertRAT). No law enforcement actions have been publicly recorded as of 2025.
🔍 Detection Indicators
Known package names include com.android.XpertRAT and com.xpert.security, with SHA-256 hashes such as 9a4b2c1d3e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 (example; actual hashes vary by variant). Behavioral signatures include requests for device administrator privileges and a persistent background service named "XpertService". Network IOCs include FCM server domains like fcm.googleapis.com with suspicious token strings, and User-Agent strings such as Dalvik/2.1.0 (Linux; U; Android 10; XpertRAT). Registry keys are not applicable on Android; however, the malware registers a device admin policy under DevicePolicyManager.
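The indicators above can be turned into a simple triage check. The following is an added example, not code from Boteraser, Zimperium or any of the cited vendors: it matches the package names, service name and User-Agent string listed on this page against a few constructed log lines. The log format (a `source: kind key=value` layout with an `ua="..."` field) and the sample lines are assumptions made for the example; the placeholder hash is deliberately left out because the page itself marks it as illustrative. FCM traffic is only flagged when the same line already carries another XpertRAT indicator, since fcm.googleapis.com is contacted by nearly every legitimate Android device.

```python
"""Added example (not from the page's publishers): match the XpertRAT indicators
listed above against constructed MDM and proxy log lines."""
import re

# Indicator values as given on the page.
PACKAGE_NAMES = {"com.android.XpertRAT", "com.xpert.security"}
SERVICE_NAMES = {"XpertService"}
USER_AGENT_PATTERN = re.compile(r"Dalvik/2\.1\.0 \(Linux; U; Android \d+; XpertRAT\)")
FCM_HOST = "fcm.googleapis.com"

# Constructed sample lines; the "source: kind key=value" layout is assumed for this example.
SAMPLE_LOGS = [
    'proxy: GET https://fcm.googleapis.com/fcm/send ua="Dalvik/2.1.0 (Linux; U; Android 10; XpertRAT)"',
    'proxy: GET https://example.test/update ua="Dalvik/2.1.0 (Linux; U; Android 12; Pixel 6)"',
    "mdm: package_installed pkg=com.xpert.security installer=unknown",
    "mdm: package_installed pkg=com.example.notes installer=com.android.vending",
    "mdm: device_admin_enabled pkg=com.android.XpertRAT",
    "mdm: service_started pkg=com.android.XpertRAT service=XpertService",
]


def match_line(line):
    """Return the list of indicator names that fire on one log line (empty if none)."""
    hits = []
    m = re.search(r"pkg=(\S+)", line)
    if m and m.group(1) in PACKAGE_NAMES:
        hits.append("package_name")
    m = re.search(r"service=(\S+)", line)
    if m and m.group(1) in SERVICE_NAMES:
        hits.append("service_name")
    m = re.search(r'ua="([^"]*)"', line)
    if m and USER_AGENT_PATTERN.fullmatch(m.group(1)):
        hits.append("user_agent")
    # FCM is legitimate on almost every device: only treat it as a C2 channel
    # when another XpertRAT indicator is already present on the same line.
    if FCM_HOST in line and hits:
        hits.append("fcm_c2_channel")
    # Device-admin enrolment by a known package matches the persistence behaviour above.
    if "device_admin_enabled" in line and "package_name" in hits:
        hits.append("device_admin_persistence")
    return hits


def scan(lines):
    """Map line index -> indicator names for every line that fires at least one indicator."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(hits)}")
        print(f"    {SAMPLE_LOGS[idx]}")
```

In a real deployment the indicator sets would be loaded from a vetted feed rather than hard-coded, and the device-admin check would be cross-referenced with the MDM's inventory of approved administrator packages rather than relying on package names alone, since the names can change between variants.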
☠️ Risk & Impact
XpertRAT poses a severe espionage risk, enabling exfiltration of classified communications, location tracking, and live audio/video surveillance of victims. The primary impacted sectors are Indian defense and government organizations, with potential financial losses from leaked operational intelligence. According to Zimperium, over 100 targeted infections were confirmed in the first campaign.
🛡️ Mitigation
Defenders should enforce strict app installation policies, block third-party stores, and deploy mobile threat defense (MTD) solutions that detect anomalous accessibility service abuse and FCM-based C2 traffic. Users should avoid sideloading apps from untrusted sources and review device administrator lists regularly. Organizations can apply YARA rules published by Zimperium (e.g., rule "XpertRAT_Android") for file scanning.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.