Oblivion Android RAT: Steals SMS, 2FA Codes, and Evades Security Mechanisms Up to Android 16
In the ever-evolving landscape of mobile cybersecurity threats, a new Remote Access Trojan (RAT) dubbed Oblivion has emerged as a sophisticated menace targeting Android devices. This malware, detailed in recent security research, demonstrates alarming capabilities in intercepting sensitive SMS messages—including two-factor authentication (2FA) codes—and circumventing protective measures across Android versions up to the latest Android 16. Discovered by cybersecurity firm ThreatFabric, Oblivion represents a significant escalation in Android malware sophistication, posing risks to users worldwide through its stealthy persistence and data exfiltration tactics.
Oblivion operates primarily as a trojanized application, often masquerading as legitimate apps such as PDF readers, video players, or utility tools distributed via unofficial channels like Telegram bots and phishing sites. Once installed, it requests extensive permissions, including accessibility services, SMS read access, and notification overlays, which it exploits to maintain control. The malware’s core functionality revolves around real-time interception of incoming SMS messages. By leveraging Android’s Accessibility Services—a feature intended for users with disabilities—Oblivion gains the ability to read and forward SMS content to its command-and-control (C2) servers without user notification.
One of Oblivion’s most insidious features is its 2FA bypass mechanism. Traditional 2FA relies on time-sensitive codes delivered via SMS, but Oblivion neutralizes this by capturing codes the instant they arrive. The malware scans SMS for patterns typical of 2FA (e.g., six-digit numeric sequences) and relays them to attackers in real time. This allows cybercriminals to hijack login sessions on banking apps, email services, and cryptocurrency exchanges before users can react. ThreatFabric reports that Oblivion has been observed targeting high-value accounts, with exfiltrated data including full SMS threads, contact lists, and device identifiers.
What sets Oblivion apart from predecessors like Ermac or Octo is its evasion prowess against modern Android defenses. Android 14 and 15 introduced hardened restrictions on sideloaded apps and accessibility abuse, yet Oblivion employs layered obfuscation techniques to persist. It uses Frida-based instrumentation to hook into system processes, dynamically injecting code to disable Google Play Protect scans and tamper with SafetyNet/Play Integrity API checks. On Android 16, which promises enhanced runtime protections and scoped storage, Oblivion reportedly exploits zero-day-like flaws in the notification system and overlay permissions to maintain visibility.
The infection chain begins with social engineering: victims are lured via SMS or Telegram with links to fake apps promising free premium content. Upon installation, Oblivion requests “Update Accessibility Service” prompts, which, if granted, unlock its full payload. Post-infection, it establishes persistence by registering as a device administrator (where possible) and scheduling background tasks via WorkManager or AlarmManager APIs. Communication with C2 servers occurs over HTTPS with domain generation algorithms (DGAs), rotating endpoints hosted on bulletproof infrastructure in regions like Russia and Eastern Europe.
Key technical capabilities include:
- SMS Interception and Exfiltration: Full read access to the SMS inbox, with selective forwarding of 2FA patterns. Supports regex matching for codes from services such as Google Authenticator alternatives or bank OTPs.
- Keylogging and Screen Capture: Accessibility hooks capture keystrokes and screenshots, aiding credential theft from secure apps.
- Clipboard Monitoring: Scans copied content for sensitive data such as tokens or wallet addresses.
- Geolocation and Device Info Harvest: Collects IMEI, IP address, and GPS data for profiling victims.
- Ransomware Elements: In advanced variants, it encrypts files and demands ransom via Telegram.
ThreatFabric’s analysis reveals Oblivion’s modular architecture, with plugins downloadable from C2 for tasks like banking trojan overlays or ad fraud. The malware evades static detection by packing payloads with custom crypters and using anti-analysis tricks like emulator detection and debugger traps. Dynamic analysis is thwarted through self-deletion routines and traffic encryption mimicking legitimate app behavior.
Mitigation strategies are critical given Oblivion’s spread. Users should disable accessibility services for untrusted apps, enable Google Play Protect, and use app verification tools such as Aurora Store when sideloading. Hardware security keys or authenticator apps are superior 2FA alternatives to SMS. Enterprises must enforce MDM policies restricting sideloads and monitor for anomalous accessibility grants. Antivirus solutions with behavioral detection, such as those from ThreatFabric or Malwarebytes, have begun shipping signature updates for Oblivion families.
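An added example, not code from ThreatFabric or the article, of the enterprise check described above: it flags packages with an enabled accessibility service that also hold SMS permissions, the combination Oblivion relies on. It assumes `adb` is on PATH with one device attached; the allowlist and the sample adb outputs are constructed for the demonstration.

```python
"""Audit an Android device for the permission combination Oblivion abuses:
an enabled accessibility service in a package that also holds SMS access."""
import re
import subprocess

# Accessibility services the organisation has approved (assumed allowlist).
ALLOWED_A11Y = {"com.google.android.marvin.talkback"}
SMS_PERMS = ("android.permission.READ_SMS", "android.permission.RECEIVE_SMS")

def adb(*args):
    """Run an adb shell command and return its stdout (assumes adb is installed)."""
    out = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return out.stdout

def parse_enabled_services(raw):
    """Parse `settings get secure enabled_accessibility_services` output
    ('pkg/service:pkg2/service2', or 'null' when none) into package names."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}

def granted_permissions(dumpsys_text):
    """Extract permissions marked granted=true in `dumpsys package <pkg>` output."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true", dumpsys_text))

def find_suspicious(a11y_raw, dumpsys_by_pkg):
    """Map each non-allowlisted accessibility package to the SMS permissions it holds."""
    findings = {}
    for pkg in parse_enabled_services(a11y_raw) - ALLOWED_A11Y:
        perms = granted_permissions(dumpsys_by_pkg.get(pkg, ""))
        sms = sorted(p for p in perms if p in SMS_PERMS)
        if sms:
            findings[pkg] = sms
    return findings

def audit_live_device():
    """Collect the same data from an attached device and run the check."""
    a11y = adb("settings", "get", "secure", "enabled_accessibility_services")
    dumps = {pkg: adb("dumpsys", "package", pkg) for pkg in parse_enabled_services(a11y)}
    return find_suspicious(a11y, dumps)

# Constructed sample data standing in for live adb output.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.pdfviewer/.UpdateService")
SAMPLE_DUMPSYS = {"com.example.pdfviewer": (
    "    android.permission.READ_SMS: granted=true, flags=[ USER_SET]\n"
    "    android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]\n"
    "    android.permission.CAMERA: granted=false, flags=[ USER_SET]\n")}

if __name__ == "__main__":
    for pkg, perms in find_suspicious(SAMPLE_A11Y, SAMPLE_DUMPSYS).items():
        print(f"{pkg}: accessibility enabled + {', '.join(perms)}")
```

Replace the sample call with `audit_live_device()` to run the check against a connected handset; a non-empty result warrants revoking the accessibility grant and examining the package.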
The emergence of Oblivion underscores the fragility of SMS-based security in an era of advanced persistent threats. As Android 16 rolls out with promises of fortified runtime integrity, malware authors continue to probe for weaknesses, highlighting the need for proactive defenses. Security researchers urge vigilance, particularly in regions with high Telegram usage, where Oblivion campaigns have spiked.