This new Android malware can actively spy on you


A new remote access trojan can offer attackers remote access to your Android device and give them comprehensive surveillance capabilities.

RadzaRat is an Android remote access trojan (RAT), which was discovered by Certo’s researchers. It poses as a legitimate file manager application but actually allows cybercriminals comprehensive device access, including remote file management, keylogging capabilities, and persistent surveillance features, researchers say.

Most worrying of all? The malware currently has a detection rate of 0 out of 66 security vendors on VirusTotal, meaning that no major antivirus or security solution identifies it. Researchers attribute this to its recent emergence (it only appeared on November 8th, 2025) rather than to any particularly advanced evasion features.


“Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson told Cybernews.

It takes time for security vendors to catch up with new vulnerabilities and threats – but that window presents a prime opportunity for cybercriminals to strike.


RadzaRat has gained some popularity on underground cybercrime forums because it relies on free infrastructure services and requires minimal technical expertise to run. Its developer, operating under the alias “Heron44”, advertises it exactly that way – as an easy remote access solution.

The advertisement claims that deploying RadzaRat requires three free resources: a server hosted on Render.com (a legitimate cloud platform), a Telegram bot for command and control operations, and installation of the malicious application on the target device with appropriate permissions granted, researchers say.

Based on the language and screenshots shown on GitHub, the developer likely originates from Poland.


Anyone can download this malware, which is available through a public repository on GitHub.com. On top of that, the current version is not the final version of the product – there are references to an upcoming version 1.1, an upgrade from the current 1.0, meaning that RadzaRat is actively in development.

"What makes RadzaRat particularly dangerous is the combination of complete security vendor evasion and its public availability," said Simon Lewis, Co-founder of Certo Software. "The APK installer file is openly accessible, meaning anyone can download and deploy their own version. We're essentially watching a malware threat being distributed through the same platforms used for legitimate software development."

Researchers add that the system allegedly supports downloading files up to 10 gigabytes in size, which makes it suitable for stealing large media collections, document archives, or database files.

RadzaRat also has keylogging capabilities, meaning it is able to see exactly what the victim types on the device – exposing passwords, credit card numbers, personal messages, search queries, and any other data entered through the device’s keyboard. Researchers attribute its keylogging to Android’s Accessibility Service framework, which was designed to assist users with disabilities but is now actively abused by Android malware to monitor and control device interactions without requiring root access.

Researchers also noticed the presence of a MyDeviceAdminReceiver component, which can be used to request device administrator privileges for the malware. Once granted, these privileges would protect the malware from uninstallation and provide additional system-level capabilities.

With this malware and similar ones, users should be very cautious when granting accessibility service permissions, as well as when handling requests to exempt an app from battery optimization or to grant it device administrator privileges.
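One defender-side check that follows from the two abuse paths above, as an added example rather than anything from the article or from Certo: a small Python helper that parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy` and flags any accessibility service or device admin component not on an allowlist. The allowlists, package names and sample command output are constructed, and the `ComponentInfo{pkg/cls}` line format assumed for the dumpsys output is an assumption.

```python
"""Triage helper: flag accessibility services and device admins that are not
on an allowlist, parsed from the text output of two adb commands.
Added example, not Certo's tooling; all package names and sample output
below are constructed."""
import re

# Accessibility services a fleet expects to see enabled (assumption).
KNOWN_A11Y = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
# Device admin components a fleet expects, e.g. only its MDM agent (assumption).
KNOWN_ADMINS = {"com.example.mdm/com.example.mdm.AdminReceiver"}

def parse_enabled_a11y(settings_value: str) -> list:
    """Parse `settings get secure enabled_accessibility_services`: a
    colon-separated list of flattened ComponentNames; 'null' or an empty
    value means no accessibility service is enabled."""
    value = settings_value.strip()
    if not value or value == "null":
        return []
    return [c for c in value.split(":") if c]

COMPONENT_RE = re.compile(r"ComponentInfo\{([^}]+)\}")

def parse_device_admins(dumpsys_text: str) -> list:
    """Extract admin components from `dumpsys device_policy` output
    (assumes admins are listed as ComponentInfo{pkg/cls} lines)."""
    return COMPONENT_RE.findall(dumpsys_text)

def flag_unknown(found, known) -> list:
    """Everything present on the device that the allowlist does not cover."""
    return sorted(set(found) - known)

# Constructed sample outputs so the script runs offline.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
               "com.example.filemgr/com.example.filemgr.KeyService")
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}
    ComponentInfo{com.example.filemgr/com.example.filemgr.MyDeviceAdminReceiver}
"""

def audit(a11y_value=SAMPLE_A11Y, dumpsys_text=SAMPLE_DUMPSYS) -> dict:
    """Return the services and admins that need a human look."""
    return {
        "accessibility": flag_unknown(parse_enabled_a11y(a11y_value), KNOWN_A11Y),
        "device_admins": flag_unknown(parse_device_admins(dumpsys_text), KNOWN_ADMINS),
    }

if __name__ == "__main__":
    for kind, items in audit().items():
        print(kind, "needs review:", items or "none")
```

On a real device, replace the two constructed samples with the captured output of the two adb commands; a file-manager-style app showing up in either list is exactly the pattern the article describes.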

Even installing applications solely from official marketplaces like the Google Play Store will not necessarily protect you, so researchers recommend being cautious when it comes to granting any suspicious or extensive permissions to third-party applications.

Updated on November 26th [11:15 a.m. GMT] with a statement from Google.
