Cybersecurity Alert: New HyperRat Android Malware Emerges

Editorial

Cybersecurity researchers at iVerify have uncovered a new Android remote access trojan (RAT) named HyperRat, which is being marketed on cybercrime forums as part of the malware-as-a-service (MaaS) model. This tool enables attackers to remotely access and control infected devices, collect sensitive information, and disseminate mass phishing messages, all without the need for any coding skills.

The operation of HyperRat is subscription-based. When a buyer subscribes, they receive a tailored malicious APK along with access to a web-based control panel managed by the provider. This panel allows users to monitor infected devices, execute commands, and review logs, while the developer oversees the backend infrastructure. Researchers indicate that this shift represents a notable evolution in the underground Android malware landscape, where automation is becoming increasingly essential.

Web-Based Control and Device Management

According to iVerify’s detailed analysis, the control interface features a dashboard that displays a list of compromised devices, including their identification numbers, IP addresses, and recent activities. From this centralized hub, operators can initiate a VNC session, send SMS messages using the victim’s SIM card, retrieve call logs, alter permissions, and download archived messages. A specific feature labeled for mass messaging suggests that HyperRat is not limited to surveillance, but can also facilitate spam and phishing operations.

Another critical aspect of the malware is its ability to manage permissions. HyperRat informs operators about the active Android privileges, such as internet access and call control, while also requesting accessibility permissions and bypassing battery optimization. These techniques are commonly employed to ensure the malware remains persistent on a device, even after reboots or user actions.

Application Scanning and Phishing Capabilities

HyperRat can scan installed applications, providing operators with a comprehensive list of package names and titles. This functionality allows them to impersonate legitimate apps using phishing overlays. For instance, if the malware detects a banking or payment application, it can generate a counterfeit login screen resembling that service, collect user credentials, and subsequently return control to the authentic app to evade detection.

The control panel further includes a “Send to contacts” feature, enabling attackers to dispatch phishing messages directly from the victim’s phone. Operators can select SIM card slots, set timing for message delivery, and choose targets among the victim’s contacts. Since these messages originate from genuine devices, they often bypass traditional spam filters, enhancing the likelihood of reaching new victims.

Additionally, HyperRat utilizes Telegram bots for remote management and notifications. The operator can set up chat IDs and API tokens, allowing alerts and logs to be sent directly through Telegram. This method provides a discreet means of controlling the infected devices and helps circumvent detection mechanisms that rely on conventional command-and-control traffic patterns.

Custom APK Builder and Market Context

HyperRat features a built-in APK builder that allows attackers to create counterfeit Android applications with misleading names and icons. The builder offers a range of options, including concealing the app icon, intercepting notifications, and launching a VNC module for remote screen access. It also supports WebView mode, enabling the app to masquerade as a basic browser while covertly connecting to the attacker’s server.

This malware is being advertised in Russian-language channels as a “next generation Android app for tracking and controlling your device.” Its feature set includes full access to SMS and MMS messages, automatic SIM number retrieval, one-click message archiving, and comprehensive analytics via the web control panel. The emergence of HyperRat follows the introduction of similar MaaS kits like PhantomOS and Nebula, which offer comparable functionalities for a subscription fee. These platforms significantly lower the entry barrier for less experienced cybercriminals, allowing them to launch mobile spying or credential theft campaigns using pre-established infrastructures.

Users are urged to exercise caution by avoiding the sideloading of APKs from untrustworthy sources, verifying which applications are designated as the default for SMS, and regularly reviewing permissions for any applications requesting access to accessibility services or critical system settings.
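The review recommended above can be scripted for a device under inspection. The following is an added example, not code from iVerify or the original article: it correlates sideloaded packages with the accessibility, battery-optimization and default-SMS settings the article describes. The package names, sample outputs and the Play-Store-only trust list are constructed assumptions.

```python
# Added example. Inputs are text captured from the device being reviewed with:
#   adb shell pm list packages -3 -i
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure sms_default_application
#   adb shell dumpsys deviceidle whitelist
# All sample values below are constructed; package names are hypothetical.
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Play Store is trusted
PACKAGES = """\
package:com.example.notes  installer=com.android.vending
package:com.example.browserlite  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
"""
ACCESSIBILITY = "com.example.browserlite/com.example.browserlite.CoreService"
DEFAULT_SMS = "com.example.browserlite"
DEVICEIDLE = """\
system,com.google.android.gms,10120
user,com.example.browserlite,10231
user,com.example.notes,10198
"""

def parse_installers(text):
    """Map package -> installer from `pm list packages -i` output."""
    rows = re.findall(r"^package:(\S+)(?:\s+installer=(\S+))?", text, re.M)
    return {pkg: inst or "null" for pkg, inst in rows}

def audit(packages, accessibility, default_sms, deviceidle):
    """Return {package: [signals]} for sideloaded apps holding risky settings."""
    # Accessibility services are listed as colon-separated package/class components.
    a11y = {c.split("/", 1)[0] for c in accessibility.strip().split(":")
            if c and c != "null"}
    # "user" rows are apps the user (or the app's own prompt) exempted from Doze.
    rows = (line.split(",") for line in deviceidle.splitlines())
    exempt = {r[1] for r in rows if len(r) == 3 and r[0] == "user"}
    findings = {}
    for pkg, installer in parse_installers(packages).items():
        if installer in TRUSTED_INSTALLERS:
            continue  # store-installed apps are out of scope for this check
        checks = (("accessibility_service", pkg in a11y),
                  ("battery_optimization_exempt", pkg in exempt),
                  ("default_sms_app", pkg == default_sms.strip()))
        signals = [name for name, hit in checks if hit]
        if signals:
            findings[pkg] = signals
    return findings

if __name__ == "__main__":
    for pkg, sig in audit(PACKAGES, ACCESSIBILITY, DEFAULT_SMS, DEVICEIDLE).items():
        print(f"{pkg}: sideloaded, holds {', '.join(sig)}")
```

A hit is a prompt for manual review, not proof of infection: legitimate sideloaded tools can hold the same settings.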
