RadzaRat: New Android Trojan Disguised as File Manager Emerges with Zero Detection Rate


By Sophia Taylor

Published:

The Android malware-as-a-service (MaaS) ecosystem continues to evolve with increasingly sophisticated threats designed to evade security measures while maintaining operational simplicity for would-be attackers.

The emergence of RadzaRat, an Android remote access trojan (RAT) recently discovered by Certo’s researchers, exemplifies this troubling trend. What makes this threat particularly concerning is not just its capabilities, but its complete absence from security vendor detection lists and its brazen distribution through legitimate code hosting platforms.

Certo’s analysis of RadzaRat reveals a malicious application that masquerades as a legitimate file management utility while harboring extensive surveillance and remote control capabilities.

With a current detection rate of 0 out of 66 security vendors on VirusTotal, this malware represents a significant threat to Android users, particularly given its accessibility to threat actors with minimal technical expertise and its reliance on free infrastructure services.

Fig 1. The VirusTotal scan summary showing zero detections.

Underground Marketing and Distribution Model

RadzaRat is being actively marketed on underground cybercrime forums, where the threat actor behind the malware advertises its capabilities to potential buyers and collaborators.

The malware’s developer, operating under the alias “Heron44”, has positioned the tool as an accessible remote access solution that requires minimal technical knowledge to deploy and operate.

The distribution strategy reflects a troubling democratization of cybercrime tools. According to the forum advertisements, deploying RadzaRat requires only three free resources: a server hosted on Render.com (a legitimate cloud platform), a Telegram bot for command and control operations, and installation of the malicious application on the target device with appropriate permissions granted.

Perhaps most concerning is the malware’s availability through a public repository on GitHub.com. The compiled APK file is openly accessible, allowing anyone to download the malware.

The malware is currently at version 1.0, with references to an upcoming version 1.1, suggesting active development and potential feature enhancements. This indicates an ongoing commitment by the developer to maintain and improve the malware’s capabilities.

The developer likely originates from Poland based on the language used in the app and screenshots shown on GitHub.

Fig 2. The forum advertisement with a description and links.

Technical Capabilities and Features

Certo’s team analyzed RadzaRat’s technical implementation and found a multi-faceted threat with capabilities spanning surveillance, data exfiltration, and persistent remote control.

Remote File Management and Data Exfiltration

The core advertised functionality of RadzaRat centers on remote file system access and management.

The malware grants attackers comprehensive control over the infected device’s storage, enabling them to browse directories, search for specific files, and download data from the compromised device.

According to the developer’s claims, the system supports downloading files up to 10 gigabytes in size, indicating robust data exfiltration capabilities suitable for stealing large media collections, document archives, or database files.

Our analysis confirms the presence of dedicated file management activities within the application structure, specifically com.radza.macharadza.FileManagerActivity, which likely serves as both the legitimate-appearing interface and the underlying mechanism for remote file operations.

This dual-purpose design allows the malware to maintain its disguise as a functional file manager while executing malicious operations in the background.

Fig 3. The RadzaRat file manager interface.

Keylogging and Input Monitoring

Beyond file access, RadzaRat incorporates keylogging functionality designed to capture user input across the device.

This capability enables attackers to harvest sensitive information including passwords, credit card numbers, personal messages, search queries, and any other data entered through the device’s keyboard.

The keylogger functionality poses particular risks for users conducting sensitive activities such as online banking, accessing workplace systems, or communicating private information.

The keylogger is almost certainly built on Android's Accessibility Service framework. The manifest declares a MyAccessibilityService component guarded by the BIND_ACCESSIBILITY_SERVICE permission, which is how every accessibility service must be declared so that only the system can bind to it. Once the user enables the service in Settings, it receives accessibility events describing the text and controls on screen in every other app, which is all a keylogger needs.

Accessibility services were designed to assist users with disabilities but have become a primary mechanism for Android malware to monitor and control device interactions without requiring root access.

Fig 4. RadzaRat requesting the Accessibility permission.

Command and Control Infrastructure

RadzaRat employs Telegram’s bot API as its command and control (C2) mechanism, an increasingly popular choice among Android malware developers.

Network analysis revealed connections to two distinct domains: telegram-bot-go-3hwv.onrender.com and telegram-bot-xftw.onrender.com both hosted on Render.com’s infrastructure.

These endpoints handle file upload operations through /upload and /upload_chunked paths, facilitating the exfiltration of stolen data to attacker-controlled Telegram channels.

This C2 approach offers several advantages from the attacker's perspective. Bot API traffic is ordinary HTTPS to api.telegram.org, so it involves no attacker-owned domain or IP address, blends into the platform's enormous volume of legitimate traffic, and is hard to block without blocking Telegram itself; the operator simply reads the stolen data in a chat like any other user.

Additionally, by utilizing Render.com’s free tier hosting, attackers can deploy infrastructure without financial investment or the need to maintain dedicated servers, further lowering operational costs and reducing traceability.
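One way to hunt for this C2 pattern in egress logs is shown below. It is an added example written for this article, not Certo's tooling: the log format is a constructed, simplified proxy log, the relay hostnames and the /upload and /upload_chunked paths come from the analysis above, and the bot token in the sample is fake. It flags the two known relay hosts, any other onrender.com host receiving uploads on those paths, and Telegram Bot API polling, then escalates a source that shows both halves of the exfiltration path.

```python
"""Hunt egress logs for the RadzaRat C2 pattern: onrender.com relays taking
uploads on /upload or /upload_chunked, plus Telegram Bot API calls.

Added example for this article, not Certo's tooling. Log format is a
constructed, simplified proxy log: "<ts> <src_ip> <method> <url> <status> <bytes>".
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Relay hosts named in the article's network analysis.
KNOWN_RELAYS = {
    "telegram-bot-go-3hwv.onrender.com",
    "telegram-bot-xftw.onrender.com",
}
UPLOAD_PATHS = {"/upload", "/upload_chunked"}
# Telegram Bot API requests embed the bot token in the path: /bot<id>:<secret>/<method>
BOT_API_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{20,})/(\w+)")

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


@dataclass
class Hit:
    line_no: int
    src: str
    host: str
    reason: str
    severity: str


def classify_url(url: str) -> tuple[str, str] | None:
    """Return (reason, severity) for a URL that matches an indicator, else None."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path
    if host in KNOWN_RELAYS:
        return f"known RadzaRat relay host, path {path}", "high"
    if host.endswith(".onrender.com") and path in UPLOAD_PATHS:
        return f"onrender.com host receiving uploads on {path}", "high"
    if host == "api.telegram.org":
        m = BOT_API_RE.match(path)
        if m:
            # Never copy the full token into a ticket; keep the bot id and method only.
            return f"Telegram Bot API {m.group(3)} (bot id {m.group(1)}, token redacted)", "medium"
    return None


def scan(lines) -> list[Hit]:
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, src, _method, url = fields[:4]
        match = classify_url(url)
        if match:
            hits.append(Hit(n, src, (urlsplit(url).hostname or "").lower(), *match))
    return hits


def summarize(hits: list[Hit]) -> dict[str, dict]:
    """Per source: highest severity, escalated to critical when one source talks to
    both an upload relay and the Bot API (the full RadzaRat exfiltration path)."""
    per_src: dict[str, dict] = {}
    for h in hits:
        entry = per_src.setdefault(h.src, {"severity": h.severity, "reasons": [], "relay": False, "bot": False})
        entry["reasons"].append(f"line {h.line_no}: {h.reason}")
        entry["relay"] |= h.host.endswith(".onrender.com")
        entry["bot"] |= h.host == "api.telegram.org"
        if SEVERITY_RANK[h.severity] > SEVERITY_RANK[entry["severity"]]:
            entry["severity"] = h.severity
    for entry in per_src.values():
        if entry["relay"] and entry["bot"]:
            entry["severity"] = "critical"
    return per_src


# Constructed sample log; the bot token is fake.
SAMPLE_LOG = """\
2025-11-10T08:01:12Z 10.0.0.23 GET https://www.example.com/index.html 200 5120
2025-11-10T08:01:40Z 10.0.0.23 POST https://telegram-bot-go-3hwv.onrender.com/upload_chunked 200 1048576
2025-11-10T08:02:03Z 10.0.0.23 GET https://api.telegram.org/bot123456789:AAFakeTokenForIllustrationOnly_xxxxxxxxxx/getUpdates 200 312
2025-11-10T08:02:30Z 10.0.0.41 GET https://api.telegram.org/ 200 800
2025-11-10T08:03:10Z 10.0.0.57 POST https://some-app-abcd.onrender.com/upload 200 20480
"""

if __name__ == "__main__":
    for src, info in summarize(scan(SAMPLE_LOG.splitlines())).items():
        print(src, info["severity"], *info["reasons"], sep="\n  ")
```

The Bot API match is only medium on its own because legitimate bots exist; the escalation to critical needs the same source to also upload to an onrender.com relay. In a real deployment, treat the two known hostnames as block-list entries and the generic onrender.com upload rule as a hunting query, since Render hosts plenty of legitimate services.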

Fig 5. RadzaRat capturing keystrokes via Telegram.

Persistence and Anti-Termination Mechanisms

One of RadzaRat’s most problematic characteristics is its aggressive persistence mechanism.

According to the forum advertisement, the malware actively resists termination attempts by the operating system’s resource management functions.

Technical analysis of the malware’s permissions and components reveals multiple persistence mechanisms:

The RECEIVE_BOOT_COMPLETED and RECEIVE_LOCKED_BOOT_COMPLETED permissions, combined with a dedicated BootReceiver component, ensure the malware automatically launches whenever the device restarts. This guarantees the malware maintains its presence even after a device reboot, which users might attempt as a troubleshooting step.

The REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission lets RadzaRat open the system dialog that asks the user to exempt it from battery optimization. If the user taps Allow, the app joins the Doze allowlist and the system stops restricting its background execution and network access, keeping it responsive to remote commands. The exemption is user-granted, so the prompt itself is a warning sign coming from an app that claims to be a file manager.

The manifest also declares FOREGROUND_SERVICE together with the typed variants FOREGROUND_SERVICE_DATA_SYNC and FOREGROUND_SERVICE_MEDIA_PROJECTION, which Android 14 requires for foreground services of the dataSync and mediaProjection types. A foreground service must show a persistent notification and is treated as work the user is aware of, so the system is far less willing to kill it under memory pressure than an ordinary background service. The dataSync type fits long-running uploads; the mediaProjection type is the one Android requires for services that capture the screen.

Additionally, the presence of a MyDeviceAdminReceiver component suggests the malware may request device administrator privileges. Once granted, device admin status blocks uninstallation until the user first locates and deactivates the admin in Settings, and it exposes policies such as locking the screen or wiping the device.

Permissions and System Access

The malware’s AndroidManifest file declares an extensive array of permissions that collectively enable its malicious functionality:

Storage access permissions (READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, MANAGE_EXTERNAL_STORAGE) grant access to every file in shared storage, including documents, photos, videos and any application data written there. On Android 11 and later, MANAGE_EXTERNAL_STORAGE is the special "All files access" grant that lifts scoped-storage restrictions; the user has to switch it on in Settings, which a file manager is one of the few app types with a plausible reason to request.

The SYSTEM_ALERT_WINDOW permission enables the malware to display overlays on top of other applications, a capability commonly exploited for phishing attacks, credential theft through fake login screens, or obscuring security warnings.

Network permissions (INTERNET, ACCESS_NETWORK_STATE) facilitate communication with command and control servers and data exfiltration operations.

The WAKE_LOCK permission lets the app hold the CPU awake while the screen is off, so surveillance and data transmission can continue without the device sleeping and without the user noticing.
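The accessibility, persistence and permission indicators described in the keylogging, persistence and permissions sections above can be scored mechanically from a decoded manifest. The triage script below is an added example for this article, not Certo's analysis tooling: it takes the AndroidManifest.xml as decoded by apktool, flags the component and permission combination the article reports, and compares a constructed RadzaRat-style manifest with a constructed benign file manager. The package name and the FileManagerActivity, MyAccessibilityService, BootReceiver and MyDeviceAdminReceiver names are taken from the article; the label, intent filters and the scoring weights are this example's own assumptions.

```python
"""Static triage of a decoded AndroidManifest.xml for the RAT-style combination
RadzaRat uses: accessibility service, device admin receiver, boot receiver,
battery-optimisation exemption, overlays and typed foreground services.
Added example for this article, not Certo's tooling. Input is the manifest as
decoded by apktool (binary AXML will not parse). Weights are a heuristic.
"""
from __future__ import annotations
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name: str) -> str:
    # ElementTree spells namespaced attributes as "{uri}local".
    return f"{{{ANDROID_NS}}}{name}"


# <uses-permission> entries worth flagging: (weight, why it matters).
PERMISSION_WEIGHTS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": (2, "can prompt for a Doze exemption; background work then never throttled"),
    "android.permission.SYSTEM_ALERT_WINDOW": (2, "overlays on top of other apps (fake login screens, hidden prompts)"),
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": (2, "foreground service of the screen-capture type"),
    "android.permission.FOREGROUND_SERVICE_DATA_SYNC": (1, "long-running upload/sync foreground service"),
    "android.permission.RECEIVE_BOOT_COMPLETED": (1, "may auto-start after reboot"),
    "android.permission.MANAGE_EXTERNAL_STORAGE": (1, "all-files access (legitimate for a file manager, so low weight)"),
}
# Sensitive components are identified by the system permission that guards them.
COMPONENT_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": (4, "accessibility service: reads on-screen text and injects input without root"),
    "android.permission.BIND_DEVICE_ADMIN": (3, "device admin receiver: uninstall blocked until the admin is deactivated"),
}
BOOT_ACTIONS = {"android.intent.action.BOOT_COMPLETED", "android.intent.action.LOCKED_BOOT_COMPLETED"}


def triage_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    findings: list[tuple[int, str]] = []

    declared = {e.get(attr("name")) for e in root.iter("uses-permission")}
    for perm in sorted(p for p in declared if p in PERMISSION_WEIGHTS):
        weight, why = PERMISSION_WEIGHTS[perm]
        findings.append((weight, f"{perm.rsplit('.', 1)[-1]}: {why}"))

    app = root.find("application")
    label = (app.get(attr("label")) if app is not None else None) or ""  # may be "@string/..." in real apps
    has_accessibility = False
    for comp in list(root.iter("service")) + list(root.iter("receiver")):
        name = comp.get(attr("name")) or "?"
        guard = comp.get(attr("permission"))
        if guard in COMPONENT_WEIGHTS:
            weight, why = COMPONENT_WEIGHTS[guard]
            findings.append((weight, f"{name}: {why}"))
            has_accessibility |= guard == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        actions = {a.get(attr("name")) for a in comp.iter("action")}
        if actions & BOOT_ACTIONS:
            findings.append((1, f"{name}: boot receiver (restarts after reboot)"))

    # Context: a file manager has no legitimate need for an accessibility service.
    looks_like_file_manager = "file" in label.lower() or any(
        "filemanager" in (a.get(attr("name")) or "").lower() for a in root.iter("activity"))
    if looks_like_file_manager and has_accessibility:
        findings.append((2, "file-manager UI paired with an accessibility service (dual-purpose disguise)"))

    score = sum(w for w, _ in findings)
    verdict = "high" if score >= 10 else "medium" if score >= 5 else "low"
    findings.sort(key=lambda f: -f[0])
    return {"package": root.get("package", ""), "score": score, "verdict": verdict,
            "findings": [why for _, why in findings]}


# Constructed manifest built from the components and permissions the article reports.
RAT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.radza.macharadza">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_DATA_SYNC"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application android:label="File Manager">
    <activity android:name="com.radza.macharadza.FileManagerActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".MyAccessibilityService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE" android:exported="true">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".MyDeviceAdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN" android:exported="true">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign file manager: same storage grant, none of the control surface.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.files">
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <application android:label="Files"><activity android:name=".MainActivity"/></application>
</manifest>"""
```

Run `triage_manifest(RAT_MANIFEST)` and `triage_manifest(BENIGN_MANIFEST)` side by side: the RAT-style manifest scores high, driven by the accessibility service and device admin receiver, while the benign file manager scores low on its single storage grant. The point of the context rule is that MANAGE_EXTERNAL_STORAGE alone is not suspicious for this app category; the accessibility service sitting next to it is.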

Stealth and Evasion Characteristics

Perhaps the most alarming aspect of RadzaRat is its complete evasion of security vendor detection. The malware’s APK file received a 0/66 detection rate when analyzed by VirusTotal, meaning not a single security product identified the application as malicious despite its clearly harmful capabilities.

This zero-detection status is likely attributable to the malware’s recent emergence rather than sophisticated evasion techniques. It was only made publicly available on November 8, 2025.

Security vendors typically require time to analyze new threats, develop signatures, and push updates to their detection engines. However, this window of invisibility provides a critical opportunity for attackers to compromise devices before security solutions catch up.

The malware’s certificate information reveals it was signed with Android’s default debug certificate (Common Name: “Android Debug”), indicating this is either a development build or the developer chose not to use a proper release certificate. Google Play rejects debug-signed APKs, so a debug certificate on an app that arrived as a sideloaded download is a red flag in its own right.

The behavioral analysis conducted in VirusTotal’s sandboxed environment detected several suspicious characteristics, though these did not trigger malware classifications.

The malware exhibited checks for CPU name, GPS functionality, and telephony services—reconnaissance activities commonly associated with malicious applications attempting to fingerprint the device or detect analysis environments.

Network connections were established to multiple IP addresses belonging to Google services and content delivery networks. The sandbox report does not tie these to specific functionality; they are consistent with ordinary Google library traffic and with reaching the Render.com-hosted relay endpoints. Telegram's Bot API is served from Telegram's own address space, so these connections should not be read as Telegram traffic.

Implications for Android Security

The emergence of RadzaRat underscores several concerning trends in the mobile threat landscape. The malware’s zero-detection rate, even temporarily, demonstrates the ongoing challenge security vendors face in identifying and responding to new threats in real-time.

For users, this creates a dangerous window of vulnerability where malicious applications can operate undetected by conventional security solutions.

Low Barrier to Entry for Cybercriminals

The malware’s reliance on free infrastructure services (Render.com hosting and Telegram bots) highlights the low barrier to entry for modern cybercrime operations.

Aspiring threat actors no longer need technical expertise in server administration, network configuration, or custom C2 protocol development.

Free cloud platforms and messaging services have inadvertently become enablers of malicious activity by providing sophisticated infrastructure without cost or meaningful barriers.

Platform Responsibilities and Code Hosting Services

The public availability of RadzaRat through GitHub raises important questions about the responsibilities of these platforms in preventing the distribution of malicious software.

While code hosting services play a vital role in legitimate software development and collaboration, they also provide a convenient distribution mechanism for malware developers.

The question of whether these platforms could implement more robust screening mechanisms to identify and remove overtly malicious projects deserves serious consideration from both the security community and platform operators.

Risks to Individual Users

For potential victims, RadzaRat represents a significant threat to personal privacy and data security.

The combination of comprehensive file access, keylogging capabilities, and persistent operation means attackers could harvest virtually any information stored on or entered into the compromised device.

This includes personal communications, financial information, work documents, photos, videos, and authentication credentials for online services.

Organizational Security Concerns

Organizations face particular risks if RadzaRat compromises employee devices that access corporate resources.

The malware’s file management capabilities could enable the theft of confidential business documents, intellectual property, or customer data stored on mobile devices.

The keylogger functionality could capture corporate credentials, enabling lateral movement within organizational networks or unauthorized access to cloud-based business systems.

Fig 6. The RadzaRat app icon.

Protecting Against RadzaRat and Similar Threats

The characteristics of RadzaRat emphasize the importance of a multi-layered approach to Android security. Users should exercise extreme caution when granting accessibility service permissions, as these provide extensive control over device functionality and represent a primary mechanism for Android malware.

Similarly, requests to bypass battery optimization or gain device administrator privileges should trigger careful scrutiny of the requesting application.

Installing applications exclusively from official sources like the Google Play Store provides a baseline level of security, though it is not foolproof. Users should carefully review application permissions before installation and remain skeptical of file manager applications or utilities that request extensive permissions unrelated to their stated functionality.
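A responder checking a device for exactly the grants RadzaRat needs can pull them over adb. The script below is an added example for this article, not Certo's tooling. It parses the output of three adb shell commands: `settings get secure enabled_accessibility_services` (colon-separated `package/class` entries, or `null`), `pm list packages -3` (`package:<name>` per line, non-system packages) and `dumpsys deviceidle whitelist` (`<system|user>,<package>,<uid>` per line). Those formats are as seen on stock Android and should be confirmed on the build in hand. The sample outputs are constructed, and the fully qualified service name for RadzaRat is assumed from the MyAccessibilityService component the article names.

```python
"""Responder check for the grants RadzaRat depends on once installed:
enabled accessibility services, user-added battery-optimisation exemptions,
and which of those packages are non-system. Added example for this article,
not Certo's tooling; adb output formats assumed as documented in the lead-in.
"""
from __future__ import annotations
import subprocess


def parse_accessibility(raw: str) -> dict[str, list[str]]:
    """settings get secure enabled_accessibility_services -> {package: [service classes]}"""
    raw = raw.strip()
    services: dict[str, list[str]] = {}
    if not raw or raw == "null":
        return services
    for entry in raw.split(":"):
        if "/" in entry:
            pkg, cls = entry.split("/", 1)
            services.setdefault(pkg, []).append(cls)
    return services


def parse_third_party(raw: str) -> set[str]:
    """pm list packages -3 -> set of non-system package names"""
    return {line.split(":", 1)[1].strip() for line in raw.splitlines() if line.startswith("package:")}


def parse_user_exemptions(raw: str) -> set[str]:
    """dumpsys deviceidle whitelist -> packages the *user* added to the Doze allowlist"""
    pkgs = set()
    for line in raw.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            pkgs.add(parts[1])
    return pkgs


def assess(a11y_raw: str, pkgs_raw: str, idle_raw: str,
           allowlist: frozenset[str] = frozenset()) -> dict[str, dict]:
    """Rank packages: accessibility on a non-system app is high, accessibility
    elsewhere medium, a bare Doze exemption on a non-system app low."""
    a11y = parse_accessibility(a11y_raw)
    third_party = parse_third_party(pkgs_raw)
    exempt = parse_user_exemptions(idle_raw)
    report: dict[str, dict] = {}
    for pkg, classes in a11y.items():
        if pkg in allowlist:
            continue
        reasons = [f"accessibility service enabled: {', '.join(classes)}"]
        if pkg in third_party:
            reasons.append("non-system package")
        if pkg in exempt:
            reasons.append("user-granted battery optimisation exemption")
        report[pkg] = {"severity": "high" if pkg in third_party else "medium", "reasons": reasons}
    for pkg in (exempt & third_party) - allowlist - set(report):
        report[pkg] = {"severity": "low", "reasons": ["non-system package exempt from battery optimisation"]}
    return report


def adb_shell(*args: str) -> str:
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout


def assess_connected_device(allowlist: frozenset[str] = frozenset()) -> dict[str, dict]:
    """Same assessment against the device currently attached over adb."""
    return assess(adb_shell("settings", "get", "secure", "enabled_accessibility_services"),
                  adb_shell("pm", "list", "packages", "-3"),
                  adb_shell("dumpsys", "deviceidle", "whitelist"), allowlist)


# Constructed sample output for a device where RadzaRat was granted everything it asks for.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
               "com.radza.macharadza/com.radza.macharadza.MyAccessibilityService")
SAMPLE_PKGS = "package:com.radza.macharadza\npackage:com.whatsapp\n"
SAMPLE_IDLE = "system,com.google.android.gms,10013\nuser,com.radza.macharadza,10245\nuser,com.whatsapp,10120\n"
KNOWN_GOOD = frozenset({"com.google.android.marvin.talkback"})  # accessibility apps you have vetted

if __name__ == "__main__":
    for pkg, info in assess(SAMPLE_A11Y, SAMPLE_PKGS, SAMPLE_IDLE, KNOWN_GOOD).items():
        print(f"[{info['severity']}] {pkg}: " + "; ".join(info["reasons"]))
```

On the constructed sample, com.radza.macharadza comes out high with all three reasons, the messaging app is noted as low for its battery exemption alone, and the vetted screen reader is skipped. Device admin status is worth checking in the same session (Settings > Security > Device admin apps, or `dumpsys device_policy`), since it must be deactivated before the package can be uninstalled.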

For comprehensive protection against emerging threats like RadzaRat, specialized mobile security solutions offer critical advantages.

Certo AntiSpy provides advanced malware detection capabilities specifically designed for mobile platforms, offering protection against RadzaRat and thousands of other Android threats.

Conclusion

RadzaRat represents a concerning evolution in the Android malware ecosystem—a capable remote access trojan distributed through legitimate platforms, requiring minimal resources to deploy, and at the time of analysis evading every engine on VirusTotal.

Its disguise as a functional file manager, combined with extensive surveillance and data exfiltration capabilities, makes it a significant threat to individual users and organizations alike.

The malware’s public availability and active marketing on underground forums suggest it may gain traction among cybercriminals seeking accessible tools for device compromise and data theft.

As security vendors update their detection engines and RadzaRat variants potentially emerge, the threat landscape will continue to evolve.

The case of RadzaRat also highlights broader questions about the role of cloud service providers and code hosting platforms in the distribution of malicious software.

As the security community works to track and neutralize this threat, the collaboration between security researchers, platform providers, and users remains essential for maintaining effective defenses against the constantly evolving mobile malware landscape.