RadzaRat Android Trojan Evades Detection With Full Device Control
Category: Threat Alerts
RadzaRat is a newly discovered Android remote access trojan that currently shows zero detections across 66 antivirus engines on VirusTotal, giving attackers full control over infected devices. The malware masquerades as a legitimate file manager while enabling data exfiltration, keylogging via Accessibility Services, and persistent background execution. Its capabilities closely map to MITRE ATT&CK T1059 (Command and Scripting Interpreter), T1056 (Input Capture), and T1547 (Boot or Logon Autostart Execution).

RadzaRat supports exfiltration of file system contents up to 10GB per transfer, enabling theft of photo libraries, corporate documents, database files, and locally cached credentials. Its command-and-control infrastructure uses Telegram bots to disguise malicious activity inside encrypted, legitimate traffic. Additional Render.com-hosted domains serve as intermediate staging points for stolen data.

The malware's distribution model lowers the barrier to entry: the APK is openly hosted on GitHub, while the developer, using the alias Heron44, markets the RAT on cybercrime forums as easy to deploy, requiring only a free Render server and a Telegram bot token.

The business risk is severe: RadzaRat provides attackers with unrestricted device-level surveillance, credential harvesting, and remote manipulation. Compromise of a single BYOD or unmanaged Android device can expose corporate accounts, cloud credentials, 2FA tokens, or sensitive internal documents. The zero-detection window increases the likelihood of large-scale infections before defenders can respond. Organizations relying on Android fleets face potential violations under GDPR, HIPAA, and PCI-DSS should stolen credentials lead to broader compromise. Mitigation requires immediate reinforcement of mobile security controls.
Organizations should block sideloading, enforce app allowlisting, and deploy Mobile Threat Defense (MTD) tools tuned to detect behavioral indicators such as Telegram-based C2 patterns or Accessibility misuse. Android Enterprise work profiles help isolate sensitive data from personal applications, while monitoring for suspicious mobile access patterns enables early containment. Standard incident response procedures should include credential rotation and device quarantine following suspected compromise.
CORTEX Protocol Intelligence Assessment
Business Impact: RadzaRat introduces high-severity mobile security risk by enabling full compromise of personal and corporate Android devices. Credential theft and remote manipulation expose organizations to account takeover, data loss, and regulatory violations under GDPR or HIPAA.

Technical Context: RadzaRat uses Telegram-based C2 channels, Render.com hosting, and Accessibility Services to achieve stealth and persistence. Its behaviors align with MITRE ATT&CK T1056, T1547, and T1059. The malware currently evades all VirusTotal engines, increasing exposure during initial distribution.
Strategic Intelligence Guidance
- Block sideloading and enforce app allowlisting on corporate and BYOD Android devices using MDM/EMM policies.
- Deploy mobile threat defense tools capable of detecting Telegram-based C2 traffic, Accessibility misuse, and unusual data exfiltration.
- Adopt Android Enterprise work profiles or containerization to separate work and personal data on employee devices.
- Rotate credentials and apply conditional access blocks when suspicious mobile activity or RAT behavior is detected.
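As an added detection example (not code from the alert or from any MTD vendor), the following Python correlates constructed MTD-agent and egress-proxy events for the behavioural indicators the alert names, and only flags a device when a local foothold indicator (sideloaded install, Accessibility grant) co-occurs with a network one (Telegram Bot API traffic, Render-hosted staging, bulk upload). The Telegram Bot API host, the Render app-domain suffix, the upload threshold, the Play Store installer package and the accessibility allowlist are assumptions, not values from the alert.

```python
"""Correlate constructed Android telemetry for the behaviours named in the alert:
sideloaded install, Accessibility misuse, Telegram Bot API C2, Render staging, bulk upload."""
from collections import defaultdict
from urllib.parse import urlparse

# Assumed values (not from the alert): Bot API host, Render suffix, Play installer, threshold, allowlist.
TELEGRAM_API_HOST = "api.telegram.org"
RENDER_SUFFIX = ".onrender.com"
MANAGED_INSTALLER = "com.android.vending"
LARGE_UPLOAD_BYTES = 500 * 1024 * 1024
ALLOWED_ACCESSIBILITY = {"com.example.corp.screenreader"}

# Constructed sample events from an MTD agent and egress proxy (not real indicators).
EVENTS = [
    {"device": "dev-01", "kind": "install", "pkg": "com.files.manager", "installer": None},
    {"device": "dev-01", "kind": "accessibility", "pkg": "com.files.manager"},
    {"device": "dev-01", "kind": "http", "url": "https://api.telegram.org/bot_PLACEHOLDER_TOKEN/getUpdates", "bytes_out": 2048},
    {"device": "dev-01", "kind": "http", "url": "https://staging-app.onrender.com/upload", "bytes_out": 900_000_000},
    {"device": "dev-02", "kind": "install", "pkg": "com.bank.app", "installer": "com.android.vending"},
    {"device": "dev-02", "kind": "http", "url": "https://api.telegram.org/bot_PLACEHOLDER_TOKEN/sendMessage", "bytes_out": 512},
]

def indicators_for(events):
    """Map each device to the set of behavioural indicators seen in its events."""
    found, uploads = defaultdict(set), defaultdict(int)
    for e in events:
        d = e["device"]
        if e["kind"] == "install" and e.get("installer") != MANAGED_INSTALLER:
            found[d].add("sideloaded_app")  # installed outside the managed store
        elif e["kind"] == "accessibility" and e["pkg"] not in ALLOWED_ACCESSIBILITY:
            found[d].add("accessibility_misuse")  # keylogging vector named in the alert
        elif e["kind"] == "http":
            u = urlparse(e["url"])
            if u.hostname == TELEGRAM_API_HOST and u.path.startswith("/bot"):
                found[d].add("telegram_bot_c2")  # bot-API calls, not the chat client
            if (u.hostname or "").endswith(RENDER_SUFFIX):
                found[d].add("render_staging")
            uploads[d] += e.get("bytes_out", 0)
    for d, total in uploads.items():
        if total >= LARGE_UPLOAD_BYTES:
            found[d].add("large_upload")  # bulk exfiltration of files
    return found

def flagged_devices(events):
    """Flag only when a foothold indicator co-occurs with a network one (cuts false positives)."""
    foothold = {"sideloaded_app", "accessibility_misuse"}
    network = {"telegram_bot_c2", "render_staging", "large_upload"}
    return sorted(d for d, ind in indicators_for(events).items()
                  if ind & foothold and ind & network)
```

In the sample data, dev-02 talks to the Bot API from a store-installed app and is not flagged; dev-01 combines a sideloaded file manager, an Accessibility grant, Bot API polling and a large upload to a Render host.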
Data Volume: Up to 10GB exfiltration per transfer
Intelligence Source: RadzaRat Android Trojan Evades Detection With Full Device Control | Nov 25, 2025