Detecting Oblivion Android RAT: Accessibility Abuse, OTP Interception, and Mobile Threat Behavior

    Date: 04/06/2026

    Severity: High

    Summary

    Oblivion Android RAT relies on social engineering and fake update screens to get the victim to sideload a malicious app. Its core technique is abuse of Android's Accessibility Service: once the user enables the service for the app, the malware can read and act on the screen, grant itself further permissions without user interaction, and suppress the prompts that would reveal it. From there it intercepts SMS messages and OTP/2FA codes, logs keystrokes, and monitors notifications, which is enough for account takeover and financial fraud while the victim sees nothing unusual. The case illustrates how current mobile malware combines permission abuse, stealth, and user deception to get past controls that assume a cooperative user.

    Indicators of Compromise (IOC) List

    IP Address:

    89.125.48.159

    Hash (SHA-256):

    69a81fe8b53c1f5fa37363e32a2ed867a0c808776bdae155fc118c2de94a321a

    d60d067c1239ec7db222ec18f7b8e20d85dd29ca5e8d4ddd86c55047374c3c48

    fecf484b0fb268b1a6867057769a3e805abfc0b506cd022d37e0e50a9401714e

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("89.125.48.159") or srcipaddress IN ("89.125.48.159")

    Detection Query 2:

    sha256hash IN ("d60d067c1239ec7db222ec18f7b8e20d85dd29ca5e8d4ddd86c55047374c3c48","69a81fe8b53c1f5fa37363e32a2ed867a0c808776bdae155fc118c2de94a321a","fecf484b0fb268b1a6867057769a3e805abfc0b506cd022d37e0e50a9401714e")
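    The following is an added example, not code from the Gurucul post or its TDIR product. It applies the same two IOC conditions as the queries above to constructed key=value log records, and adds one behavioural check for the Accessibility Service abuse described in the summary: listing enabled accessibility services on a device and flagging packages that are not on an allowlist. The log lines, the 10.20.0.5 and 203.0.113.7 addresses, the package names and the allowlist are all constructed for illustration; only the C2 address and the three hashes come from the advisory.

```python
"""Added example (not part of the Gurucul post or its TDIR product): apply the two
published Oblivion RAT IOC queries to constructed log records, and add one
behavioural check for the Accessibility Service abuse the summary describes.
All log lines, IP addresses other than the published C2, package names and the
allowlist below are constructed for illustration."""
import re

# IOCs copied from the advisory above.
OBLIVION_C2_IPS = {"89.125.48.159"}
OBLIVION_SHA256 = {
    "69a81fe8b53c1f5fa37363e32a2ed867a0c808776bdae155fc118c2de94a321a",
    "d60d067c1239ec7db222ec18f7b8e20d85dd29ca5e8d4ddd86c55047374c3c48",
    "fecf484b0fb268b1a6867057769a3e805abfc0b506cd022d37e0e50a9401714e",
}

# Constructed key=value records using the same field names as the TDIR queries
# (srcipaddress, dstipaddress, sha256hash). 203.0.113.0/24 is a documentation range.
SAMPLE_LOGS = [
    'ts=2026-04-06T10:01:00Z srcipaddress=10.20.0.5 dstipaddress=89.125.48.159 dstport=443',
    'ts=2026-04-06T10:01:05Z srcipaddress=10.20.0.5 dstipaddress=203.0.113.7 dstport=443',
    'ts=2026-04-06T10:02:00Z event=file_seen sha256hash=D60D067C1239EC7DB222EC18F7B8E20D85DD29CA5E8D4DDD86C55047374C3C48 filename="update.apk"',
    'ts=2026-04-06T10:03:00Z event=file_seen sha256hash=0000000000000000000000000000000000000000000000000000000000000000 filename="notes.txt"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse a key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def match_iocs(line):
    """Return (query, matched_value) hits for one record.

    query1 mirrors 'dstipaddress IN (...) or srcipaddress IN (...)';
    query2 mirrors 'sha256hash IN (...)'. Hashes are lower-cased first because
    many sources emit upper-case hex and a case-sensitive IN would miss them.
    """
    rec = parse_kv(line)
    hits = []
    for field in ("srcipaddress", "dstipaddress"):
        if rec.get(field) in OBLIVION_C2_IPS:
            hits.append(("query1", rec[field]))
    digest = rec.get("sha256hash", "").lower()
    if digest in OBLIVION_SHA256:
        hits.append(("query2", digest))
    return hits


def scan(lines):
    """Return [(line_index, hits)] for every record that matches at least one IOC."""
    results = []
    for i, line in enumerate(lines):
        hits = match_iocs(line)
        if hits:
            results.append((i, hits))
    return results


# Behavioural check. The value comes from
#   adb shell settings get secure enabled_accessibility_services
# which returns colon-separated "package/ServiceClass" entries (or "null" when
# none is enabled). The allowlist is constructed; a real one would hold the
# accessibility apps the organisation actually sanctions.
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback"}


def suspicious_accessibility_services(settings_value, allowlist=ACCESSIBILITY_ALLOWLIST):
    """Return package names with an enabled accessibility service that are not allowlisted.

    A RAT that has tricked the user into enabling its service shows up here even
    if its APK hash and C2 address are not yet on any IOC list.
    """
    value = (settings_value or "").strip()
    if value in ("", "null"):
        return []
    flagged = []
    for entry in value.split(":"):
        if not entry:
            continue
        pkg = entry.split("/", 1)[0]
        if pkg not in allowlist and pkg not in flagged:
            flagged.append(pkg)
    return flagged


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(f"line {idx}: {hits}")
    # Constructed settings value: TalkBack plus an unknown "system update" package.
    print(suspicious_accessibility_services(
        "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
        ":com.example.sysupdate/.ControlService"))
```

    The hash normalisation is the one practical difference from the literal TDIR query: if the log source upper-cases SHA-256 values, a case-sensitive `IN` list silently misses the file event, so normalise before matching or confirm the platform does it for you. The accessibility check is independent of the IOCs and is the control to run first on a device suspected of infection, since a fresh build of the RAT changes both hash and C2 but still has to appear in enabled_accessibility_services to work.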

    Reference:    

    https://gurucul.com/blog/detecting-oblivion-android-rat-accessibility-abuse-otp-interception-and-mobile-threat-behavior/


    Tags

    RAT, Malware, Social Engineering, Financial Services, Android Malware
