Cyber Android RAT: Inside the Latest MaaS Being Sold on Underground Forums

By Sophia Taylor

The market for Android malware-as-a-service has grown dramatically in recent years, lowering the technical barrier for cybercriminals who want to surveil, defraud, or steal from mobile device users.

Where sophisticated attacks once required custom development, today’s threat landscape is shaped by polished, commercially packaged tools sold openly to anyone willing to pay.

Certo’s research team has identified a new and particularly capable entry into this market: a full-featured Android Remote Access Trojan (RAT) advertised on clear-web hacking forums under the name Cyber Android RAT, backed by a command-and-control platform called Cyber Nebula Core.

The tool is being marketed by a threat actor operating under the ‘Cyber’ brand, a seller with an extensive and escalating history of developing and distributing malicious software.

Priced between $499 for a one-month licence and $2,500 for lifetime access, the RAT is positioned as a premium product aimed at serious buyers.

What sets Cyber Android RAT apart is the breadth of its capabilities: real-time device surveillance, automated cryptocurrency theft, WhatsApp extraction, keylogging, and a hidden virtual network computing (hVNC) implementation — all managed through a professionally designed graphical control panel.

This article presents a technical breakdown based on analysis of the malware’s advertised features, control panel screenshots, and live demonstration footage.

Malware Overview

Cyber Android RAT is advertised openly on a clear-web cybercrime forum, targeting buyers who want remote, covert access to Android devices. The seller markets it as ‘the most advanced Android RAT in the market, coded from scratch by a professional team’.

The command-and-control infrastructure is bundled into a desktop application called Cyber Nebula Core (v6.0), which buyers use to manage compromised devices, build malicious APKs, and steal victims’ data in real time.

The pricing reflects a professional software-as-a-service model: one month costs $499, a yearly licence is $1,499, and lifetime access is $2,500. Payment is accepted in Bitcoin and USDT.

Support is offered via Telegram and direct forum messaging, with live demonstrations available to prospective customers. The seller claims support for all Android versions, and the listing gives no indication of regional targeting, suggesting the tool is intended for global deployment.

Fig 1. Part of the forum post advertising the RAT.

Technical Capabilities

Remote Control and Screen Access

The control panel’s main dashboard provides operators with a live overview of all compromised devices. Each entry shows the victim’s IP address, geographic location, device model, Android version, and the status of key capabilities including camera access, cryptocurrency app detection, and whether the Accessibility service is active.

Two distinct remote access modes are available. The first is live screen streaming, which allows the operator to watch everything the victim does on their phone. The second is Hidden VNC (hVNC), which allows the operator to take full control of the device and use it as if they physically had it in their hands, while remaining completely invisible to the user.

A screenshot from the hVNC module shows a real Samsung device’s home screen being accessed with no visible indication on the phone itself. This dual-mode approach allows attackers to observe users passively or interact with the device independently — opening apps and executing transactions while the victim uses their phone normally.


Fig 2. Example of an infected Samsung phone being remotely controlled.

Cryptocurrency Theft and ATS Automation

Perhaps the most technically sophisticated feature is the automated cryptocurrency theft system. The Crypto Detector module targets wallets on the device — specifically MetaMask and Binance — and launches what appears to be an Automated Transfer System (ATS).

Screenshots of the module in operation show a multi-step automation log that detects when MetaMask is active, captures the user’s password character by character, reads the wallet balance, and initiates a seed phrase extraction sequence.

This is not a simple overlay attack; it is programmatic automation that navigates the legitimate app's interface to steal credentials without presenting any visible phishing page. The ‘View Saved Seeds’ button in the interface indicates that extracted seed phrases are stored and accessible to the operator at any time.

Fig 3. Cyber Android RAT’s “Crypto Detector”.

Keylogging and Messaging Extraction

The keylogger runs continuously in the background, capturing every keystroke entered on the device and tagging it with the originating application. Because keystrokes are captured at the input layer, before any encryption is applied, encrypted messaging apps such as Telegram offer no protection against it: the operator sees each message as it is typed.

Furthermore, a dedicated WhatsApp Extraction Module silently reads the victim’s full conversation history. One screenshot shows 80 messages extracted from 7 chats on a target device. Unlike keylogging, which captures future input, this module retrieves historical message data the moment the victim opens WhatsApp.

Fig 4. Cyber Android RAT’s keylogger spying on Telegram messages.

Surveillance Capabilities

Cyber Android RAT includes comprehensive passive and active surveillance features. Live microphone streaming enables silent ambient audio monitoring, and the camera module supports real-time video and high-resolution photo capture from both front and rear cameras. Both are advertised as working even when the phone’s screen is off.

A notification interceptor captures every notification on the device, including messages from WhatsApp, Gmail, and banking apps. A GPS module provides real-time location data with path history on an interactive map.

Fig 5. The RAT surveilling WhatsApp messages.

File System and Application Intelligence

The file explorer provides full access to the victim’s internal storage and SD card, with the ability to download, upload, and delete files. Screenshots show the full directory structure of a compromised device — including DCIM, Documents, Downloads, and Pictures — all accessible remotely.

An installed application scanner enumerates every app on the device, categorizing them by type: messaging, social, finance, crypto, browser, and email. One screenshot from a compromised device shows 525 installed applications, all catalogued and searchable. The crypto and finance filters allow operators to quickly identify high-value targets.

Fig 6. Cyber Android RAT’s file explorer feature.

Technical Implementation

The Cyber Nebula Core builder allows operators to configure the malware’s name, target host, and port before generating a malicious APK. A “Dropper” option embeds the payload inside a benign-looking application to pass initial scrutiny, while a package name randomization feature makes each sample unique to evade signature-based detection. Randomizing the package name defeats only detections keyed on that name; unless the payload itself is also rewritten, detections based on the code or on runtime behaviour are unaffected.

The malware can impersonate a convincing ‘System Update’ application styled as a Google Play listing, complete with a fabricated 4.8-star rating. This social engineering layer tricks users into granting permissions by disguising the install as a routine update.

Fig 7. Fake ‘System Update’ app created with Cyber Nebula Core.

Central to the malware’s persistence is its abuse of Android’s Accessibility Services. The control panel tracks whether Accessibility permission has been granted per device, alerting the operator the moment it is.

Once granted, the Accessibility service lets the malware observe and act on the user interface. It can therefore detect the settings screen or uninstall dialog for its own package and dismiss it, for example by triggering the back or home action, blocking removal through the normal UI.

The C2 server is configured via the Settings panel, with operators specifying a listening IP and port. Real-time notifications alert the operator when a new device connects, a client disconnects, or Accessibility permission is newly granted.
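The Accessibility and notification-listener privileges described above (and in the notification interceptor section earlier) are the two settings a responder should inspect first on a suspected device, since both are recorded in Android's secure settings and can be pulled with `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners`. The script below is an added triage example, not code from Certo or from the malware: it parses the colon-separated component lists those commands return, handles the unset case (`null`), expands the short `pkg/.Class` form, and flags any package not on an analyst-maintained allowlist. The allowlists and the sample setting values (including the `com.sysupdate.k7f2q` package) are constructed for illustration; only TalkBack's component name is a real one.

```python
"""Triage helper: flag unknown Accessibility services and notification
listeners from Android secure settings (added example, not from the page).

Collect the two values on a device with:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
Each returns a colon-separated list of flattened ComponentNames
("package/service-class"), or the literal string "null" when unset.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    package: str
    service: str

    @property
    def flattened(self) -> str:
        return f"{self.package}/{self.service}"


def parse_component_list(raw: str | None) -> list[Component]:
    """Parse a `settings get secure` component list.

    Handles the unset case ("null" or empty) and the abbreviated
    "pkg/.Class" form, which Android expands to "pkg/pkg.Class".
    Malformed entries without a '/' are skipped rather than raising.
    """
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    components: list[Component] = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        package, service = entry.split("/", 1)
        if service.startswith("."):
            service = package + service
        components.append(Component(package, service))
    return components


# Assumed allowlists for this fleet: only TalkBack may hold Accessibility,
# and only a (constructed) smartwatch companion app may read notifications.
# Replace with the packages you actually sanction.
ALLOW_ACCESSIBILITY = frozenset({"com.google.android.marvin.talkback"})
ALLOW_LISTENERS = frozenset({"com.example.watchcompanion"})


def unexpected(components: list[Component], allowlist: frozenset[str]) -> list[Component]:
    """Components whose package is not sanctioned for that privilege."""
    return [c for c in components if c.package not in allowlist]


def triage(accessibility_raw: str | None, listeners_raw: str | None,
           allow_accessibility: frozenset[str] = ALLOW_ACCESSIBILITY,
           allow_listeners: frozenset[str] = ALLOW_LISTENERS) -> dict[str, list[str]]:
    """Report unsanctioned holders of each privilege.

    A single package holding *both* privileges is the profile this article
    describes (UI automation for ATS/anti-uninstall plus notification
    capture) and is listed separately under "both".
    """
    sus_acc = unexpected(parse_component_list(accessibility_raw), allow_accessibility)
    sus_lis = unexpected(parse_component_list(listeners_raw), allow_listeners)
    both = sorted({c.package for c in sus_acc} & {c.package for c in sus_lis})
    return {
        "accessibility": [c.flattened for c in sus_acc],
        "listeners": [c.flattened for c in sus_lis],
        "both": both,
    }


# Constructed sample output from a hypothetical compromised device; the
# "com.sysupdate.k7f2q" package is an invented, randomized-looking name.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.sysupdate.k7f2q/.CoreAccessibilityService"
)
SAMPLE_LISTENERS = (
    "com.example.watchcompanion/.NotificationListener"
    ":com.sysupdate.k7f2q/.NotifListener"
)

if __name__ == "__main__":
    report = triage(SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS)
    for key, items in report.items():
        print(f"{key}: {items if items else 'none'}")
```

Run it against real output by substituting the two `adb shell settings get secure` results for the sample strings. A package that appears under "both" should be treated as a priority; if its settings page cannot be opened or the uninstall dialog keeps closing, that matches the anti-uninstall behaviour described above, and removal will usually need Safe Mode (which stops third-party apps) or `adb uninstall`.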

A Serial Cybercriminal: The ‘Cyber’ Threat Actor

Cyber Android RAT is not an isolated product; it is the latest in a sustained series of malware tools released by a single threat actor operating under the ‘Cyber’ brand. Their forum history reveals a pattern of development spanning at least nine months across multiple platforms and attack types.

The actor first appeared in May 2025 with Cyber Botnet, an HTTP-controlled botnet with over 475 advertised capabilities including credential theft, DNS spoofing, DDoS, and silent cryptomining.

By August 2025, the portfolio had grown to include Cyber Loader (a rootkit-integrated delivery tool with AV/EDR evasion) and Cyber LNK Exploit (a Windows shortcut-based mechanism designed to bypass Windows Defender).

December 2025 saw four rapid releases: Cyber Logs (a Telegram-based credential stealer), Cyber RAT (a Windows RAT with over 100 features), Cyber Crypter (a tool for building executables that are not detected by antivirus), and Cyber Stealer (targeting cryptocurrency seed phrases).

In January 2026, the actor released a kernel-level file encryption exploit claiming to evade detection by over 170 antivirus products.

February 2026 brought ClickFix Pages, customizable phishing infrastructure designed to bypass Microsoft SmartScreen.

Cyber Android RAT represents a strategic expansion onto the Android platform, rounding out a toolkit spanning Windows malware, delivery infrastructure, antivirus evasion, social engineering, and now mobile surveillance.

Recurring themes across all products include cryptocurrency theft, Telegram-based C2, and a polished commercial sales model with post-sale support.

Impact and Implications

Cyber Android RAT poses a serious threat to anyone with cryptocurrency holdings or mobile banking apps. The combination of ATS-based wallet draining, seed phrase extraction, and banking notification interception can cause significant and largely irreversible financial harm.

Because the malware disguises itself as a system update and uses Accessibility services to block removal, victims may not realize they have been compromised until it is too late.

The tool’s accessible pricing and professional support structure risk bringing sophisticated mobile surveillance to a far wider range of threat actors. The MaaS model means buyers need no technical knowledge, only access to the panel.

The WhatsApp extraction, microphone streaming, and notification interception features also make this tool attractive beyond financial crime, including for stalkerware, corporate espionage, and targeted harassment. Anyone receiving an unexpected Accessibility permission request from an unfamiliar app should treat it with serious suspicion. The Accessibility section of Android’s Settings lists every enabled service; an entry the user does not recognise, particularly one belonging to a ‘System Update’ app, warrants removal, which may require booting into Safe Mode if the service is blocking uninstallation.

Conclusion

Cyber Android RAT, packaged within the Cyber Nebula Core platform, is a technically capable and professionally marketed threat that deserves serious attention from the security community.

Its automated cryptocurrency theft, hidden remote access, persistent anti-uninstall protections, and comprehensive surveillance capabilities combine to form a tool that poses real risk to Android users worldwide — particularly those with cryptocurrency holdings or sensitive communications on their devices.

The threat actor behind it has demonstrated a consistent ability to develop, iterate, and sell complex malware across multiple platforms. Their expansion into Android represents a broadening of scope that security researchers and defenders should track closely.