Oblivion is malware for Android that is sold on a subscription basis on hacking forums, starting at $300 a month, and promises buyers remote and invisible control of almost any Android smartphone out there. We are not talking about a simple virus, but about a RAT (Remote Access Trojan): a category of malware designed to allow an attacker to observe and control a device remotely without the user realizing it. The analyses conducted by security researchers at Certo Software (a cybersecurity company) indicate that Oblivion is not yet another recycled tool from the cybercriminal underworld, but a platform developed from scratch, curated and designed to systematically bypass many of the protections introduced in recent years by Android.

The malware is openly promoted on hacking forums, accompanied by demonstration videos, and targets operating system versions from Android 8 to Android 16, effectively covering almost all devices currently in circulation. Its danger does not lie in a single revolutionary function, but in the combination of several elements: easy installation through social engineering, automatic granting of sensitive permissions, hidden remote control, widespread data collection and a persistence that makes removal extremely complex. What makes the situation even more critical is the “turnkey” commercial model: those who pay do not receive the source code of the malware, but continuous access to an easy-to-use service, which drastically lowers the technical threshold necessary to conduct advanced cyber attacks. Let’s see in more detail how Oblivion works and how to defend yourself.

How Oblivion malware works

Oblivion arrives on your device through a dropper, which is a seemingly harmless application whose sole purpose is to install the actual malware. The system exploits social engineering techniques, that is, the psychological manipulation of the user, showing fake update notices which imitate those of the Google Play Store and invite you to enable installation from “unknown sources”, a feature that allows you to install apps outside of the Play Store itself. Once installed, the most technically relevant aspect comes into play: the automatic assignment of permissions. Normally Android requires explicit consent for critical permissions such as Accessibility services, a function created to help people with disabilities interact with their smartphone. However, if abused, this service allows an app to read what appears on the screen, simulate touches, intercept what you type and even block security windows before they are visible. Oblivion, according to the analyzed demonstrations, manages to obtain these privileges without any user interaction and even on customized software interfaces, such as those of Samsung, Xiaomi and OPPO.

Remote control is via VNC (Virtual Network Computing), a legitimate technology for the remote management of devices, but used here in its HVNC (hidden VNC) variant which, as security researchers explain, is nothing other than «a version (of VNC) that runs a completely separate, hidden session that is not visible to the user». While a convincing “system update” animation appears on the screen, the attacker operates in the background. Thanks to these abilities, Oblivion can read and send SMS, intercept two-factor authentication codes, record each keystroke via a keylogger (software that captures what is typed on the keyboard), access files and installed apps, and automatically unlock your phone even after a reboot. Persistence is guaranteed by self-recovery mechanisms and complete hiding of the app and its processes, making many manual removal attempts ineffective.
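The two signals described above that a defender can actually check for on a device are an Accessibility service enabled for a package nobody recognizes, and a package that did not come from an app store. The following triage helper is an added example written for this article, not code from Certo Software or from the malware analysis: it parses the output of two standard adb commands (`adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`), compares them against a baseline of known services and trusted installers, and ranks the findings. The package names, the baseline sets and the command output embedded below are all constructed sample values.

```python
"""Triage helper: flag Accessibility-service abuse and sideloaded packages.

Example code added alongside the article; it is not from Certo Software.
Input is the text of two adb commands, captured elsewhere and passed in:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3 -i
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Baseline: Accessibility services the device owner knowingly enabled.
# Assumption: populate this from your own device inventory.
KNOWN_ACCESSIBILITY_SERVICES = {
    "com.google.android.marvin.talkback/.TalkBackService",
}

# Installers considered legitimate (Google Play). Add OEM stores as needed.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample output of `settings get secure enabled_accessibility_services`
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.sysupdate/.SvcA11y"
)

# Constructed sample output of `pm list packages -3 -i` (third-party apps)
SAMPLE_THIRD_PARTY = """package:com.example.bank  installer=com.android.vending
package:com.example.sysupdate  installer=null
"""


@dataclass
class Finding:
    package: str
    severity: str
    reasons: list[str] = field(default_factory=list)


def parse_enabled_services(raw: str) -> list[str]:
    """Split the colon-separated 'package/ServiceClass' list; 'null' means none."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def parse_installers(raw: str) -> dict[str, str | None]:
    """Map each third-party package to its installer package (None if sideloaded)."""
    result: dict[str, str | None] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        parts = line[len("package:"):].split()
        pkg = parts[0]
        installer = None
        for part in parts[1:]:
            if part.startswith("installer="):
                value = part[len("installer="):]
                installer = None if value == "null" else value
        result[pkg] = installer
    return result


def triage(services_raw: str, installers_raw: str,
           known_services: set[str] = KNOWN_ACCESSIBILITY_SERVICES,
           trusted: set[str] = TRUSTED_INSTALLERS) -> list[Finding]:
    """Rank packages: unknown Accessibility service + sideloaded is the worst case."""
    installers = parse_installers(installers_raw)
    findings: dict[str, Finding] = {}
    for svc in parse_enabled_services(services_raw):
        if svc in known_services:
            continue
        pkg = svc.split("/", 1)[0]
        f = findings.setdefault(pkg, Finding(pkg, "medium"))
        f.reasons.append(f"Accessibility service enabled outside baseline: {svc}")
        if pkg in installers and installers[pkg] not in trusted:
            f.severity = "high"
            f.reasons.append(f"package was sideloaded (installer={installers[pkg]})")
    for pkg, inst in installers.items():
        if inst not in trusted and pkg not in findings:
            findings[pkg] = Finding(pkg, "low",
                                    [f"sideloaded third-party package (installer={inst})"])
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings.values(), key=lambda f: (order[f.severity], f.package))


if __name__ == "__main__":
    for finding in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_THIRD_PARTY):
        print(f"[{finding.severity}] {finding.package}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Run against the constructed sample, the helper reports a single high-severity finding for the sideloaded package whose Accessibility service is not in the baseline, while the store-installed banking app produces nothing. On a real device, a result like that is a reason to check the package in Settings and to re-verify the installation source before trusting the phone with authentication codes.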

The fake Android update screen (left) actually hides a hijacked session (right). Credit: Certo Software.

How to defend yourself

To defend yourself from Oblivion you don’t need anything special: in many cases it should be sufficient to follow some basic safety rules, which we list below.