HyperRat – A New Android RAT Sold On Cybercrime Networks
By Daniel Kelley, Threat Researcher
Oct 14, 2025
The Android malware-as-a-service (MaaS) market has matured. Even inexperienced attackers can now launch mobile campaigns with almost no effort. Tools like PhantomOS and Nebula offer silent app installation, two-factor interception, GPS tracking, and managed infrastructure for a few hundred dollars per month.
Attackers pay a subscription fee and receive a malicious APK, ready to deploy. The seller handles everything else, including backend servers and customized phishing pages. As demand grows, new kits are surfacing on underground forums more frequently.
One of the latest is HyperRat, a Russian-language Android remote access trojan we recently discovered. This post examines what the screenshots reveal about its features, how it compares to other MaaS tools, and what cybersecurity experts need to watch out for.
A Russian‑language control panel
The first screenshot shows HyperRat’s web-based command-and-control (C2) panel. The layout is simple and functional. The main table lists infected devices, showing phone numbers, tags, worker names, IP addresses, and timestamps. One listed device is labeled “SIM – Unknown (N/A)” with a U.S. IP address and a recent check-in. A set of colored buttons on the right shows the available functions.

Operators can fetch logs, send notifications, dispatch an SMS from the infected user’s SIM, download archived messages, inspect the call log, view or modify granted permissions, browse installed applications, and even establish a VNC session. The presence of a mass-messaging button suggests this malware isn’t just for spying – it also facilitates downstream spam or phishing campaigns from compromised phones.
Permissions and data collection
The next image displays a modal titled “Permissions for bot d8b14091c3b1f222,” showing which Android permissions have been granted. HyperRat clearly informs operators whether it can read or write call logs, place calls, send SMS or MMS, access the internet and run foreground services.

In this case, internet access and auto-restart after reboot are enabled, but the call log and SMS capabilities are still disabled. Those are Android runtime permissions, which stay off until the victim taps through the prompts, so the bot probably has not finished its permission-harvesting flow yet. The list also shows how granular the operator’s view is: beyond collecting call and message data, the malware can request special accessibility privileges and an exemption from battery optimizations so the process is not killed, both of which serve persistence.
Enumerating installed applications
A subsequent screenshot reveals a table of installed applications on the infected user’s phone, complete with human-readable names and package identifiers. This view lets threat actors perform reconnaissance and choose which overlays or injections to deploy. For instance, seeing that Google Play Services or a banking app is present could prompt the operator to push a tailored phishing page mimicking that service.

Malware targeting mobile devices often hides behind legitimate-looking apps. Once installed, it can access SMS messages, call logs, location data, and the microphone. By scanning which apps are already on the device, attackers can decide which ones to impersonate and when to trigger fake permission prompts designed to look like system messages.
Bulk SMS campaigns
The fourth image depicts a "Send to contacts" form. Operators can choose contacts from the infected user's address book, select which SIM slot to use, and set a delay (in seconds) between each message. The text box allows for a custom payload, making it easy to send phishing links or scam messages.

Mass-SMS functionality is common among Android trojans because it allows them to self-propagate by luring the infected user’s friends into installing the malware. HyperRat provides a mechanism for large-scale SMS spam directly from the compromised device. This increases the chance of evading carrier filters because the messages originate from a legitimate subscriber rather than a bulk SMS gateway.
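The “send to contacts with a fixed delay” pattern described above is detectable on the device or in a carrier/MDM export of outbound messages: the same body goes to many distinct recipients at near-constant spacing, which normal texting never looks like. The following is an added example (not iVerify’s or HyperRat’s code) that flags such bursts; the message events, the lure text and the thresholds are constructed assumptions.

```python
"""Flag mass-SMS bursts in outbound message events.

Added example, not code from iVerify or HyperRat. The events below are
constructed; an MDM or carrier export would supply the real ones.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one normal reply, then the same lure sent to six
# contacts with a fixed 30-second delay, as the "Send to contacts" form allows.
SMS_EVENTS = [
    ("2025-10-14T09:58:12Z", "+15550000001", "sure, see you at 6"),
    ("2025-10-14T10:10:00Z", "+15550000002", "Your parcel is waiting: hxxp://example.invalid/track"),
    ("2025-10-14T10:10:30Z", "+15550000003", "Your parcel is waiting: hxxp://example.invalid/track"),
    ("2025-10-14T10:11:00Z", "+15550000004", "Your parcel is waiting: hxxp://example.invalid/track"),
    ("2025-10-14T10:11:30Z", "+15550000005", "Your parcel is waiting: hxxp://example.invalid/track"),
    ("2025-10-14T10:12:00Z", "+15550000006", "Your parcel is waiting: hxxp://example.invalid/track"),
    ("2025-10-14T10:12:30Z", "+15550000007", "Your parcel is waiting: hxxp://example.invalid/track"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_sms_bursts(events, min_recipients=5, max_gap_jitter=2.0):
    """Return (body, recipient_count, mean_gap_seconds) for every identical body
    sent to at least min_recipients distinct numbers at near-constant spacing
    (population std dev of inter-message gaps <= max_gap_jitter seconds).
    Both thresholds are assumptions to tune against your own baseline."""
    by_body = defaultdict(list)
    for ts, to, body in events:
        by_body[body].append((_ts(ts), to))

    bursts = []
    for body, items in by_body.items():
        items.sort()
        recipients = {to for _, to in items}
        if len(recipients) < min_recipients or len(items) < 2:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        if pstdev(gaps) <= max_gap_jitter:
            bursts.append((body, len(recipients), mean(gaps)))
    return bursts


if __name__ == "__main__":
    for body, n, gap in detect_sms_bursts(SMS_EVENTS):
        print(f"burst: {n} recipients, {gap:.0f}s spacing, body={body!r}")
```

A human forwarding one message to a group chat sends it once; this logic only fires when the operator’s per-message delay produces machine-regular timing across many recipients, so the jitter threshold is what keeps false positives down.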
Telegram integration
Another screenshot shows the “Settings” section, which instructs the operator to create a Telegram bot via BotFather, obtain the chat ID and enter various tokens. Multiple fields allow separate chats for general notifications, SMS/call logs and other alerts. This design echoes the convenience offered by PhantomOS, where attackers can manage infected devices through a simple Telegram chat.

Using Telegram as a command channel gives the operator anonymity and resilience: Bot API calls are ordinary HTTPS requests to api.telegram.org, a mainstream platform, so the traffic is hard to distinguish from legitimate use and the notification channel needs no attacker-hosted server. While convenient for criminals, it underscores the need for corporate mobile threat defense tools that can detect suspicious communication with untrusted bots and flag unusual data exfiltration patterns.
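Where an enterprise proxy performs TLS inspection, the Bot API URL itself reveals the bot ID and the method being called, which is enough to separate a device pushing SMS archives to a bot from an employee chatting on Telegram. The script below is an added example (not iVerify’s or HyperRat’s code): the proxy log lines follow a simplified constructed layout, the bot tokens are fake, and the thresholds are assumptions. Without TLS inspection only the SNI host is visible, and the host alone is a weak signal because legitimate bot integrations use the same endpoint.

```python
"""Spot Telegram Bot API use from managed devices in TLS-inspected proxy logs.

Added example, not code from iVerify or HyperRat. Log lines are constructed in
a simplified "time src verb url status" layout; the bot tokens are fake.
"""
import re
from collections import Counter, defaultdict

# Bot API URLs carry the secret token in the path: /bot<id>:<token>/<method>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<verb>[A-Z]+) "
    r"https://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)"
    r"/(?P<api>\w+)(?:\?\S*)? (?P<status>\d{3})$"
)

# Methods that move files off the device into the operator's chat
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendVoice"}

# Constructed sample: 10.0.0.23 reports to a bot every 30 s and uploads an
# archive; 10.0.0.41 makes one bot call and otherwise uses Telegram normally.
PROXY_LOG = """\
2025-10-14T10:03:11Z 10.0.0.23 POST https://api.telegram.org/bot123456789:AAEXAMPLEtokenExampleTokenExampleTok/sendMessage 200
2025-10-14T10:03:41Z 10.0.0.23 POST https://api.telegram.org/bot123456789:AAEXAMPLEtokenExampleTokenExampleTok/sendMessage 200
2025-10-14T10:04:11Z 10.0.0.23 POST https://api.telegram.org/bot123456789:AAEXAMPLEtokenExampleTokenExampleTok/sendMessage 200
2025-10-14T10:04:13Z 10.0.0.23 POST https://api.telegram.org/bot123456789:AAEXAMPLEtokenExampleTokenExampleTok/sendDocument 200
2025-10-14T10:05:02Z 10.0.0.41 GET https://api.telegram.org/bot987654321:AAFSECONDtokenExampleTokenExampleTok/getUpdates 200
2025-10-14T10:05:30Z 10.0.0.41 GET https://web.telegram.org/a/ 200
"""


def redact_token(token):
    """Keep a short fingerprint for correlating events; never store the full secret."""
    return token[:4] + "..." + token[-4:]


def parse_line(line):
    """Return a dict for Bot API requests, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["token"] = redact_token(ev["token"])
    return ev


def detect(lines, beacon_threshold=3):
    """Return sorted (src, alert) pairs. Thresholds are assumptions."""
    per_src = defaultdict(lambda: {"bots": set(), "calls": Counter()})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        per_src[ev["src"]]["bots"].add(ev["bot_id"])
        per_src[ev["src"]]["calls"][ev["api"]] += 1

    alerts = []
    for src, st in per_src.items():
        if st["calls"]["sendMessage"] >= beacon_threshold:
            alerts.append((src, "bot_api_beaconing"))
        if any(st["calls"][m] for m in UPLOAD_METHODS):
            alerts.append((src, "bot_api_upload"))
    return sorted(alerts)


if __name__ == "__main__":
    for src, alert in detect(PROXY_LOG.splitlines()):
        print(src, alert)
```

The token is redacted before anything is stored because a full bot token in a SIEM would let anyone with log access read the operator’s chats or, worse, be accused of doing so; the first and last four characters are enough to tie events to the same bot.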
Building a customised Trojan
One of the more revealing screenshots shows the HyperRat APK builder. A yellow notice outlines the required and optional fields for generating a new malicious app. Each build gets a unique worker ID. The attacker sets the app name and icon, allowing it to appear harmless. Fields for a WebView URL and API domain suggest the app can pose as a basic web browser while quietly connecting to a remote server.

The builder includes toggles for hiding the app icon, intercepting notifications, enabling SOCKS5 proxy mode, disabling battery optimization, launching a VNC module for remote screen control, and setting the app as the default SMS client. All of these options are available in a single interface, making it easier for attackers to create custom Android spyware without needing to write any code.
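Most of the builder toggles above, and the capabilities the permissions modal tracks, leave a footprint in the APK’s manifest: a default SMS client must declare an SMS_DELIVER receiver guarded by BROADCAST_SMS, notification interception needs a service bound with BIND_NOTIFICATION_LISTENER_SERVICE, accessibility abuse needs a service bound with BIND_ACCESSIBILITY_SERVICE, and autostart, overlay and battery-exemption each require their own permission. The triage script below is an added example (not iVerify’s or HyperRat’s code) that scores a decoded manifest for that bundle. It assumes the manifest is already plain XML (for instance after `apktool d`); both sample manifests and the rule weights are constructed assumptions, not HyperRat’s real manifest. Icon hiding and WebView mode are runtime behaviour and do not show up here.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability bundle
HyperRat's builder exposes: default SMS handler, accessibility service,
notification listener, overlay, autostart and battery-optimization bypass.

Added example, not code from iVerify or HyperRat. Assumes plain-XML input
(e.g. after `apktool d`). Sample manifests and weights are constructed.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"

# Constructed: what a build with every toggle enabled might declare.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.webview">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".Boot">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""


def parse_manifest(xml_text):
    """Return (uses-permissions, component bind permissions, intent actions)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    bind_perms, actions = set(), set()
    for comp in root.iter():
        if comp.tag not in ("activity", "service", "receiver"):
            continue
        if comp.get(A + "permission"):
            bind_perms.add(comp.get(A + "permission"))
        actions.update(act.get(A + "name") for act in comp.iter("action"))
    return perms, bind_perms, actions


# (finding, weight, predicate over (perms, bind_perms, actions)); weights are assumptions
RULES = [
    ("default_sms_handler", 3, lambda p, b, a:
        "android.provider.Telephony.SMS_DELIVER" in a and "android.permission.BROADCAST_SMS" in b),
    ("accessibility_service", 3, lambda p, b, a:
        "android.permission.BIND_ACCESSIBILITY_SERVICE" in b),
    ("notification_listener", 2, lambda p, b, a:
        "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in b),
    ("overlay_window", 2, lambda p, b, a:
        "android.permission.SYSTEM_ALERT_WINDOW" in p),
    ("sms_and_call_log_access", 2, lambda p, b, a:
        {"android.permission.SEND_SMS", "android.permission.READ_SMS"} <= p
        and "android.permission.READ_CALL_LOG" in p),
    ("boot_autostart", 1, lambda p, b, a:
        "android.permission.RECEIVE_BOOT_COMPLETED" in p
        and "android.intent.action.BOOT_COMPLETED" in a),
    ("battery_optimization_bypass", 1, lambda p, b, a:
        "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS" in p),
]


def triage(xml_text):
    """Return (list of findings in RULES order, total score)."""
    perms, bind_perms, actions = parse_manifest(xml_text)
    hits = [name for name, _, pred in RULES if pred(perms, bind_perms, actions)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return hits, score


if __name__ == "__main__":
    for label, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        hits, score = triage(text)
        print(f"{label}: score={score} findings={hits}")
```

No single finding is conclusive, since a legitimate messaging app is a default SMS handler and a screen reader is an accessibility service, but an app named after a web browser that scores on most of these rules at once is exactly the profile the builder produces, and that is the point to pull the sample for dynamic analysis.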
Injection and overlay manager
Two related images show a dark‑themed “injection menu” used to configure phishing overlays. The operator can toggle injections on or off, specify the package name of the legitimate app they want to hijack (e.g., com.example.app) and provide a URL to load a fake login page. A search box pulls up installed applications; the dropdown lists Google One, YouTube and other packages.

The second variant of the screenshot demonstrates a search for “Amazon,” returning an entry for Amazon Flex (com.amazon.flex.rabbit), ready to be targeted. Once selected, HyperRat presumably displays a convincing overlay when the infected user opens the real app, capturing credentials before passing control back. This approach mirrors the tactics described in our previous research, where MaaS vendors supply libraries of fake login screens for banking and payment apps.

The ability to select any installed application and attach a fake webpage dramatically increases the malware’s flexibility. Attackers are no longer limited to pre-baked phishing templates; they can weaponize any brand that appears on the infected user’s phone. Combined with the builder’s WebView mode, HyperRat can open arbitrary websites inside the malicious app, presenting the user with a malicious version of a legitimate service.

Advertising the service
The official ad for HyperRat describes it as a "unique, next generation Android app for tracking and controlling your device." The brochure lists full access to SMS and MMS messages, monitoring of all call activity, one-click downloads of message archives, and automatic retrieval of the SIM card number. It also claims automatic prompts to become the default SMS app, support for autostart after reboot, icon hiding, a web-based control panel with API access, WebView mode, and the ability to run without root access.

The service includes an APK builder hosted on the developer’s server, a web panel for managing infected devices, options to send SMS messages, download data archives, manage multiple devices at once, and access analytics with ongoing updates. These features are in line with other malware as a service platforms. Nebula, for example, focuses on stealth, automated theft of SMS messages, call logs, and contacts, and is sold through subscription plans.
Stay protected with iVerify
HyperRat shows how Android malware kits are created and sold with advanced features, allowing even inexperienced attackers to run real campaigns. Spotting these threats early means understanding the tools, systems, and actions behind them.
iVerify Threat Intelligence monitors new mobile malware like HyperRat, PhantomOS, and Nebula as soon as they appear on underground forums. By combining this research with actionable indicators and device-level detections, iVerify helps organizations recognize attacks before they spread.
See Threat Intelligence in action and learn how your team can stay ahead of the next Android RAT to surface.