Craxs Rat

CraxsRAT is a sophisticated Remote Access Trojan (RAT) specifically designed to compromise Android devices. It is a "master tool" often used by threat actors to perform unauthorized remote control, data exfiltration, and financial fraud.

Core Capabilities

According to security researchers at Group-IB and Cyfirma, CraxsRAT provides attackers with near-total control over an infected device:

Remote Control: Capture live screens, manipulate gestures, and execute remote commands in real-time.
Data Theft: Steal SMS messages, call logs, contacts, and files.
Surveillance: Secretly record audio/video via the camera and microphone, and track the device's location.
Keylogging: Record every keystroke to harvest login credentials and sensitive messages.
Security Bypass: Can disable Google Play Protect and intercept One-Time Passwords (OTPs), effectively bypassing Two-Factor Authentication (2FA) for bank accounts or crypto wallets.

How It Operates

Infection: Attackers typically disguise CraxsRAT as legitimate-looking apps (e.g., utility tools or fake banking apps) and distribute them through third-party websites or phishing links.
Privilege Escalation: Once installed, the malware tricks the user into granting Accessibility Services permissions, which allows it to control the screen and read data from other apps without further user interaction.
Command & Control (C2): The malware connects back to an attacker-controlled server using an encoded IP address found within the app's code.

Protection & Mitigation

To defend against CraxsRAT, experts suggest:

Avoid Third-Party Apps: Only download applications from the official Google Play Store.
Review Permissions: Be extremely cautious of apps that request "Accessibility Services" or "Device Administrator" rights.
Use Security Software: Deploy mobile security solutions that utilize AI-based detection, such as those provided by Appdome, to identify and block RAT signatures.
Regular Audits: Check for unfamiliar apps in your settings and monitor for unusual battery drain or data usage.

Craxs RAT: The Most Dangerous Android Trojan of 2025 – How It Works, Its Features, and Protection Strategies

In the rapidly evolving landscape of cybersecurity, few threats have generated as much concern among analysts and law enforcement as Craxs RAT. Unlike traditional malware that relies on exploiting software vulnerabilities, Craxs RAT is a legitimate (albeit malicious) Remote Access Tool designed specifically for Android. It is sold openly on the dark web and, disturbingly, even on the surface web via Telegram and specialized hacking forums.

This article provides a deep dive into Craxs RAT: what it is, its advanced features, the distribution methods used by attackers, and, most importantly, how individuals and organizations can defend against it.

What is Craxs RAT?

Craxs RAT (Remote Access Trojan) is a powerful Android-based malware written in programming languages like Java and C++. It was created by a threat actor known as "EVLF" (or "Craxs," hence the name). First appearing in late 2021, the malware has undergone several iterations, with Craxs RAT v4 and v5 being the most notorious versions as of 2025.

Unlike most trojans that have a fixed set of capabilities, Craxs RAT is a modular builder. This means that attackers (often called "customers" in the underground market) can purchase a license and then build their own customized version of the malware. They can choose which features to enable, craft the icon and name of the malicious app, and even select the payload delivery method.

The Business Model: Malware-as-a-Service (MaaS)

Craxs RAT is a prime example of the Malware-as-a-Service (MaaS) economy. The developer, EVLF, does not deploy the malware themselves. Instead, they sell subscriptions:

Lifetime License: ~$1,000 – $1,500 USD (varies by version)
Monthly Subscription: ~$200 – $400 USD

This business model has democratized advanced hacking. Even individuals with no coding experience can purchase Craxs RAT, generate a malicious APK file, and begin targeting victims. The developer provides video tutorials, technical support, and regular updates.

Key Features of Craxs RAT (Why It Is So Dangerous)

What sets Craxs RAT apart from simpler malware like SpyNote or AhMyth is its sheer volume of invasive capabilities. Once installed, the RAT grants the attacker near-total control of the victim's device.

1. Advanced RAT (Remote Access)

The attacker can view the victim's screen in real-time (screen streaming), control the device using their own mouse and keyboard, and even bypass Android's built-in screen recording detection.

2. Keylogging and Clipboard Hijacking

Craxs RAT records every keystroke typed on the device and monitors the clipboard. This allows attackers to steal passwords, cryptocurrency wallet seeds, and private messages as they are typed.

3. Overlay Attacks (Phishing Screens)

The malware can inject fake login screens (overlays) on top of legitimate apps like Gmail, WhatsApp, banking apps, or even crypto exchanges. When the victim enters their credentials, they are sent directly to the attacker.

4. SMS and Call Management

Steal SMS: Read all text messages, including 2FA codes.
Make calls from the victim's number (used for toll fraud or impersonation).
Forward calls and SMS to the attacker's number.

5. File Management

Attackers can browse the entire file system of the Android device, download photos and documents, upload new malicious files, and delete data remotely.

6. Ransomware and Locking

Craxs RAT includes a "ransomware module." The attacker can lock the victim's screen with a custom message (e.g., "Your phone is locked. Pay $500 in Bitcoin to unlock") and even encrypt files on the external storage.

7. Persistence and Evasion

Persistence: The malware can survive factory resets by hiding in the system partition if the device is rooted.
Evasion: It can hide its icon from the app drawer, disguise itself as a system app (e.g., "Android Update" or "Wi-Fi Service"), and even detect if it is running in a virtual machine or sandbox.

8. Location Tracking and Microphone Access

Real-time GPS tracking and the ability to record ambient audio via the device's microphone, turning the phone into a covert listening device.

Distribution Methods: How Victims Are Infected

Craxs RAT cannot spread by itself (it is not a worm). Attackers use social engineering to trick victims into installing the malicious APK manually. Common methods include:

Fake Apps on Third-Party Stores: Attackers repackage popular apps (e.g., VPNs, video editors, or modded games) with Craxs RAT and upload them to sites like APKPure, Aptoide, or random download portals.
SMS Phishing (Smishing): Victims receive a text message claiming to be from a delivery service (DHL, FedEx, USPS) or a bank, containing a link to "track your package" or "verify your account." The link downloads the RAT.
WhatsApp/Telegram "Nudes" or "Video Call" Tricks: Attackers send a message saying, "Hey, is this you in this video?" followed by a link to download a "codec" or "player" – which is actually Craxs RAT.
Sexual Extortion (Sextortion): Attackers pose as interested dating partners and convince the victim to install a "secure chat app" or "photo locker" that is actually the RAT.
Physical Access: In targeted attacks (corporate espionage or domestic abuse), the attacker gains brief physical access to the phone and installs the RAT manually.

The Role of Accessibility Services

A key reason Craxs RAT is so potent is its abuse of Android Accessibility Services. When the victim first runs the app, it displays a fake error message claiming the app needs "Accessibility permission" to function correctly (e.g., "Enable this to save battery"). Once granted, accessibility services allow the malware to:

Read everything on the screen (bypassing encryption).
Automatically click buttons (e.g., to grant additional permissions like "Install unknown apps" or "Admin rights").
Prevent uninstallation by detecting when the user opens Settings and automatically pressing the "Back" button.
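
Because the accessibility grant is the step that unlocks these capabilities, an audit of which apps hold it is a practical check. The following is an added example, not code from the article or from any vendor it cites: it parses the output of three standard adb commands and flags enabled accessibility services whose package is neither preinstalled nor installed from the Play Store. The package names and sample outputs are constructed, and treating only the Play Store as a trusted installer is an assumption.

```python
import re

# Assumption: only the Play Store is a trusted installer; extend for managed (MDM) fleets.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_a11y(setting):
    """Packages named in `adb shell settings get secure enabled_accessibility_services`
    (a colon-separated list of package/ServiceClass components; "null" when empty)."""
    setting = setting.strip()
    if setting in ("", "null"):
        return []
    return [comp.split("/", 1)[0] for comp in setting.split(":") if comp]

def parse_installers(pm_i_output):
    """Map package -> installer from `adb shell pm list packages -i`."""
    pairs = re.findall(r"^package:(\S+)\s+installer=(\S+)", pm_i_output, re.M)
    return dict(pairs)

def parse_system(pm_s_output):
    """Set of preinstalled packages from `adb shell pm list packages -s`."""
    return set(re.findall(r"^package:(\S+)", pm_s_output, re.M))

def audit(a11y_setting, pm_i_output, pm_s_output):
    """Return (package, installer) for each enabled accessibility service that is
    neither preinstalled nor installed by a trusted store."""
    installers = parse_installers(pm_i_output)
    system = parse_system(pm_s_output)
    findings = []
    for pkg in dict.fromkeys(parse_a11y(a11y_setting)):  # de-duplicate, keep order
        source = installers.get(pkg, "unknown")
        if pkg not in system and source not in TRUSTED_INSTALLERS:
            findings.append((pkg, source))
    return findings

# Constructed sample output (hypothetical package names, not real indicators).
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.wifiservice/com.example.wifiservice.HelperService:"
               "com.example.passwordmgr/.AutofillService")
SAMPLE_PM_I = """\
package:com.google.android.marvin.talkback  installer=null
package:com.example.wifiservice  installer=null
package:com.example.passwordmgr  installer=com.android.vending
"""
SAMPLE_PM_S = "package:com.google.android.marvin.talkback\n"

if __name__ == "__main__":
    for pkg, source in audit(SAMPLE_A11Y, SAMPLE_PM_I, SAMPLE_PM_S):
        print(f"REVIEW: accessibility service from {pkg} (installer={source})")
```

A flagged entry is a prompt for manual review rather than a verdict: legitimately sideloaded accessibility tools will also appear.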

Who Is Targeted?

While any Android user can be a victim, Craxs RAT is commonly used in three scenarios: