A new Android malware threat known as RadzaRat is circulating with a startling twist: despite its extensive surveillance and remote-control capabilities, it currently registers zero detections across 66 security vendors on VirusTotal.
The malware, discovered by researchers at Certo, masquerades as a legitimate file manager while enabling attackers to exfiltrate data, harvest keystrokes, and remotely control infected devices.
“Its disguise as a functional file manager, combined with extensive surveillance and data exfiltration capabilities, makes it a significant threat to individual users and organizations alike,” said researchers.
How RadzaRat Works
RadzaRat operates as a fully featured remote access trojan (RAT), giving attackers broad and persistent control over compromised Android devices.
Once installed, the malware enables complete access to the file system, allowing operators to browse directories, search for specific files, and exfiltrate data — supporting transfers as large as 10GB.
This makes RadzaRat suitable for stealing entire photo libraries, document archives, database files, or corporate repositories stored locally on the device.
Keylogging and Input Capture
In addition to file theft, the trojan includes a built-in keylogger powered by Android’s Accessibility Services framework.
By abusing Accessibility privileges — which were designed to assist users with disabilities — RadzaRat can capture every keystroke entered on the device, including passwords, banking credentials, personal messages, and authentication details for cloud or enterprise systems.
Command and Control (C2) via Telegram
The malware’s command-and-control (C2) infrastructure is built around Telegram bots, a tactic increasingly used by Android malware authors.
By piggybacking on Telegram’s standard encrypted traffic, RadzaRat hides malicious communications inside a widely used, legitimate messaging platform — making C2 traffic blend in with normal user behavior.
Network analysis also revealed two Render[.]com-hosted domains that serve as intermediate upload points for stolen data.
Render’s free hosting tier allows RadzaRat operators to deploy infrastructure without cost or risk of attribution, providing an operational advantage to attackers with limited resources.
Distribution and Accessibility on Public Platforms
What makes RadzaRat especially accessible to low-level threat actors is its distribution model.
The malware is openly advertised on underground cybercrime forums by a developer using the alias Heron44, who positions the tool as easy to operate — even for individuals with little to no malware development experience.
The compiled APK is hosted in a public GitHub repository, meaning anyone can download and install the malicious app with no barriers.
To deploy RadzaRat, operators need only a free Render[.]com server, a Telegram bot token, and the APK installed on a target device with the necessary permissions granted.
This “plug-and-play” approach represents a troubling democratization of mobile malware development and distribution.
Persistence Techniques
RadzaRat also demonstrates substantial persistence capabilities, making removal difficult for both users and automated mobile defenses.
Certo’s analysis found evidence of a BootReceiver component and permissions such as RECEIVE_BOOT_COMPLETED, ensuring the malware restarts automatically every time the device boots.
The app requests exemptions from Android’s battery optimization features, preventing the operating system from restricting its background activity.
RadzaRat also declares multiple foreground services — which receive preferential treatment under Android’s resource management rules — and may request device administrator privileges, enabling it to block uninstallation attempts.
Together, these mechanisms ensure the malware remains active, resilient, and responsive to attacker commands.
The trojan also increases its stealth by using permissions like SYSTEM_ALERT_WINDOW to display phishing overlays and WAKE_LOCK to keep the device active for continuous data capture and communication.
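The manifest traits described in this section (a boot receiver, a battery-optimization exemption, foreground services, device-admin binding, an Accessibility Service, overlay and wake-lock permissions) can be checked statically before any signature exists. The Python script below is an added example, not code from Certo or from the article: it parses a decoded AndroidManifest.xml and scores those indicators. The manifest embedded in it is constructed to illustrate the pattern and is not RadzaRat's real manifest; the permission weights and verdict thresholds are this example's own assumptions, not a published scoring scheme.

```python
"""Static triage of a decoded AndroidManifest.xml for the persistence and
surveillance indicators described above. Example code; the manifests below
are constructed, and the weights and thresholds are assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS
A_FGS_TYPE = "{%s}foregroundServiceType" % ANDROID_NS

# Assumed weights: how much each permission contributes when combined.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": 2,
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 3,   # phishing overlays
    "android.permission.WAKE_LOCK": 1,
    "android.permission.FOREGROUND_SERVICE": 1,
    "android.permission.INTERNET": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 2,
    "android.permission.MANAGE_EXTERNAL_STORAGE": 3,  # full file-system reach
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def analyse_manifest(xml_text):
    """Return findings, an additive score and a verdict for one manifest."""
    root = ET.fromstring(xml_text)
    findings, score = [], 0

    for node in root.iter("uses-permission"):
        name = node.get(A_NAME, "")
        if name in RISKY_PERMISSIONS:
            findings.append("permission:" + name)
            score += RISKY_PERMISSIONS[name]

    boot_receiver = device_admin = accessibility = False
    foreground_services = 0
    for receiver in root.iter("receiver"):
        actions = {a.get(A_NAME) for a in receiver.iter("action")}
        boot_receiver |= BOOT_ACTION in actions          # restarts on boot
        device_admin |= receiver.get(A_PERMISSION) == BIND_DEVICE_ADMIN
    for service in root.iter("service"):
        accessibility |= service.get(A_PERMISSION) == BIND_ACCESSIBILITY
        if service.get(A_FGS_TYPE):                      # declared foreground service
            foreground_services += 1

    if boot_receiver:
        findings.append("component:boot_receiver"); score += 3
    if device_admin:
        findings.append("component:device_admin_receiver"); score += 3
    if accessibility:
        findings.append("component:accessibility_service"); score += 4
    score += foreground_services

    # Accessibility keylogging plus boot persistence is flagged regardless of score.
    if score >= 15 or (accessibility and boot_receiver):
        verdict = "high"
    elif score >= 6:
        verdict = "medium"
    else:
        verdict = "low"
    return {"findings": findings, "foreground_services": foreground_services,
            "score": score, "verdict": verdict}


# Constructed sample mimicking the traits the article lists; not a real app.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="%s" package="com.example.fakefm">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <application android:label="File Manager">
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".KeyService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".SyncService" android:foregroundServiceType="dataSync"/>
    <service android:name=".UploadService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>""" % ANDROID_NS

# Constructed benign comparison: a simple viewer that only reads storage.
BENIGN_MANIFEST = """<manifest xmlns:android="%s" package="com.example.viewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Viewer"><activity android:name=".MainActivity"/></application>
</manifest>""" % ANDROID_NS

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, analyse_manifest(manifest))
```

A real APK carries a binary manifest, so decode it first (for example with apktool or `aapt dump xmltree`) and feed the resulting XML to analyse_manifest. The scoring is intentionally additive and conservative: any single permission here is legitimate in some app, and it is the combination of boot persistence, a battery-optimization exemption, device-admin binding and an Accessibility Service in a "file manager" that merits a closer look.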
Despite these behaviors, the APK currently maintains a 0/66 detection score on VirusTotal, meaning no major mobile security product recognizes it as malicious.
Although this is likely due to its recent emergence rather than advanced evasion, the effect is the same: attackers have a dangerous window of opportunity where RadzaRat can compromise devices entirely undetected.
While RadzaRat is not associated with a specific exploit chain — so no CVE applies — the sophistication of its capabilities, combined with its ease of deployment and lack of antivirus detections, positions it as a concerning new Android threat.
How Organizations Can Harden Their Mobile Ecosystems
As threats like RadzaRat demonstrate, mobile devices have become a prime target for attackers looking to harvest credentials, exfiltrate data, and gain persistent access to corporate environments.
Organizations that rely on Android devices — whether through BYOD programs or fully managed fleets — must adopt layered defenses to counter increasingly stealthy and accessible mobile malware.
- Restrict high-risk permissions — especially Accessibility Services, device admin access, and overlay capabilities — and monitor devices for apps requesting them.
- Block sideloading and enforce app allowlisting on managed devices to prevent installation of unvetted APKs from GitHub, forums, or direct links.
- Use MDM/EMM controls to detect and block suspicious apps, enforce minimum OS versions, and require secure configurations such as screen locks and encryption.
- Deploy mobile threat defense solutions that identify behavioral indicators like keylogging, abnormal network traffic, or Telegram-based command-and-control activity.
- Separate work and personal data using Android Enterprise work profiles or containerization to limit corporate exposure if a device is compromised.
- Monitor mobile access to corporate systems for unusual behavior, rotate credentials quickly after suspected compromise, and apply conditional access rules to block unhealthy devices.
- Update incident response plans to include mobile-specific threats, conduct periodic mobile threat hunting, and strengthen BYOD security requirements across the organization.
These steps help build cyber resilience for mobile devices in your ecosystem.
RadzaRat highlights a growing shift in the mobile threat landscape, where attackers increasingly rely on free cloud hosting, encrypted messaging platforms, and public code repositories to build and distribute powerful Android RATs with minimal effort.
This democratization of mobile malware allows even low-skilled threat actors to deploy sophisticated surveillance tools capable of compromising both personal and corporate data.
As adversaries continue to exploit these unregulated ecosystems — and as mobile devices play a larger role in business operations — organizations must prioritize mobile-first security strategies, strengthen behavioral detection capabilities, and enforce tighter controls around permissions, app installations, and device management.
These evolving mobile threats make it clear that organizations need to adopt zero-trust principles to better secure devices, data, and access across their environments.
