- Malware Type: RAT / Backdoor / Spyware
- Platform: Android (Primarily)
- Origin: Evolved from leaked Spymax RAT (SpyNote) source code
- Threat Actor: EVLF (Believed Syria-based)
Executive Summary: The Rise of Next-Gen Android Surveillance
The mobile landscape is no longer just a communication tool; it is a high-value target for sophisticated cyber adversaries. As users rely increasingly on smartphones for banking, identity, and daily operations, the threat of Remote Access Trojans (RATs) has escalated dramatically.
CraxsRAT, also known by analysts as G700 RAT, represents a potent evolution in this threat category. This sophisticated malware is designed not merely to infect a device, but to commandeer it completely, turning the victim's smartphone into a persistent, controllable surveillance platform for the attacker.
CraxsRAT originated from the publicly leaked source code of the Spymax RAT (SpyNote) back in 2020, allowing the threat actors to refine and enhance its capabilities significantly. The primary developer behind the modern iterations of this threat is identified as "EVLF," a group believed to operate out of Syria. The latest highly refined version identified by our research team is v7.5, released in April 2024, showcasing continuous and aggressive development.
Geographic Targeting and Infection Vectors
While CraxsRAT has a global footprint, our latest deep dive highlights a particularly aggressive campaign centered in Southeast Asia, specifically Singapore, beginning around April 2023. This campaign demonstrates a targeted, localized approach to maximize infection rates.
Impersonated Brands and Social Engineering
The attackers leverage local trust and familiarity by impersonating highly popular and essential local services. Victims are often tricked into installing the malware by believing they are downloading an update or a utility from a legitimate source.
- E-Commerce Platforms: Fake shopping applications.
- Local Services: Anti-scam centers and specialized utility apps.
- Food Delivery: Apps mimicking Grab & Go.
- Retail/Lifestyle: 1st Mall, SG-Furniture, and other regional brands.
Distribution Methodology
CraxsRAT is disseminated through multiple, highly effective channels:
- Phishing Links: Embedded in SMS messages or emails, leading to malicious download pages.
- Malicious APKs: Direct sideloading of the Trojan package, often disguised with legitimate-looking icons.
- Social Media Ads: Fake advertisements, particularly on platforms like Telegram, promising free content or discounts.
Technical Deep Dive: CraxsRAT Capabilities
CraxsRAT is not a simple data logger; it is a full-spectrum device controller. Its architecture gives whoever operates a given build (EVLF sells the tooling; the campaigns are run by its customers) comprehensive control over the infected Android device.
Device Control and Permissions Exploited
Upon installation, CraxsRAT requests the broadest permission set it can and abuses whatever the victim grants, in particular Accessibility Services, to achieve deep system access. It does not need a privilege-escalation exploit; the permissions are handed over through social engineering:
- Complete Remote Access (Backdoor): Allows real-time control and command execution.
- Communication Monitoring: Full access to SMS and Call logs (including recording capabilities).
- Media & Sensory Capture: Activation of Camera and Microphone at will.
- Location Tracking: Continuous GPS logging and monitoring.
- System Access: Full read/write access to the File System.
- Screen Recording: Capturing every action the user takes on the device.
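The capability list above maps almost one-to-one onto manifest permissions and service hooks, which is what an analyst or a permission-audit tool actually checks. The script below is an added example written for this article, not code from the CraxsRAT project or from any sample: it parses a decoded AndroidManifest.xml (as produced by apktool) and reports which of the surveillance capabilities described above the app has asked for. The manifest, package name and component names are constructed for illustration. Screen recording is requested at runtime through MediaProjection and has no manifest permission, so the example treats an Accessibility Service hook as the usual enabler for screen scraping and self-protection instead.

```python
"""Triage a decoded AndroidManifest.xml for the permission set a RAT needs.

Added example, not from the original article or from any CraxsRAT sample.
Input is the manifest text as decoded by apktool; the sample below is
constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Capabilities from the article mapped to the manifest permissions that
# make them possible.
CAPABILITIES = {
    "communication monitoring": {
        "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
        "android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO",
    },
    "media capture": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
    "location tracking": {"android.permission.ACCESS_FINE_LOCATION",
                          "android.permission.ACCESS_BACKGROUND_LOCATION"},
    "file system access": {"android.permission.READ_EXTERNAL_STORAGE",
                           "android.permission.WRITE_EXTERNAL_STORAGE",
                           "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "overlay / clickjacking": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED",
                    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}

# Privileged hooks are declared on a <service> or <receiver>, not as
# uses-permission entries, so they need a separate pass over components.
PRIVILEGED_HOOKS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_DEVICE_ADMIN": "device admin",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the capabilities it can reach, and its privileged hooks."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    components = list(root.iter("service")) + list(root.iter("receiver"))
    hooks = sorted({PRIVILEGED_HOOKS[c.get(PERM_ATTR)]
                    for c in components if c.get(PERM_ATTR) in PRIVILEGED_HOOKS})
    capabilities = {cap: sorted(requested & perms)
                    for cap, perms in CAPABILITIES.items() if requested & perms}
    return {
        "package": root.get("package"),
        "capabilities": capabilities,
        "privileged_hooks": hooks,
        # Heuristic, not a verdict: an accessibility hook plus three or more
        # surveillance capabilities is the profile this article describes.
        "spyware_profile": "accessibility service" in hooks and len(capabilities) >= 3,
    }


# Constructed manifest for a fake "flashlight" utility; names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".svc.A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".svc.AdminRx"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# A genuinely simple flashlight only needs the camera (for the flash LED).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print(report["package"], "spyware profile:", report["spyware_profile"])
        for cap, perms in report["capabilities"].items():
            print(f"  {cap}: {', '.join(p.rsplit('.', 1)[1] for p in perms)}")
        print("  privileged hooks:", ", ".join(report["privileged_hooks"]) or "none")
```

Run it against `apktool d sample.apk` output to get the same report for a real package; the `spyware_profile` flag is a triage hint for the analyst, not a detection verdict, because legitimate accessibility tools and parental-control apps request similar sets.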
Obfuscation and Infrastructure
The malware employs advanced techniques to evade detection and maintain persistent communication:
- Base64 Encoding: Used extensively to camouflage Command & Control (C2) server addresses and payload strings. Base64 is an encoding, not encryption: it defeats naive plaintext string matching, but it is trivially reversible, so analysts can decode the configuration and write signatures on either the decoded host or its encoded form.
- Multi-Language Support: Supports English, Arabic, Turkish, and Simplified Chinese, consistent with a diverse, international operator and target base.
- C2 Infrastructure: The command servers are typically hosted on Windows Server 2019, with analysts noting the use of Chinese language settings, suggesting a potential operational hub or development origin.
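Because Base64 is reversible, recovering the C2 address from a dump of a sample's strings is mechanical. The script below is an added example written for this article, not CraxsRAT code or any vendor's tooling: it scans a list of strings (as you would get from `strings classes.dex` or from a decompiler) for Base64 tokens, decodes them, and keeps only those that decode to a host:port or URL. It also generates the three Base64 spellings of a known indicator, one per 3-byte alignment (the same trick YARA's `base64` string modifier uses), so a signature still matches when the host is embedded inside a larger encoded configuration blob. The strings, the RFC 5737 test address and the `.invalid` hostname are constructed for illustration.

```python
"""Recover Base64-camouflaged C2 indicators from extracted strings.

Added example, not from the original article and not derived from a
CraxsRAT sample. All sample strings below are constructed; the IP is an
RFC 5737 documentation address and the hostname uses the reserved
.invalid TLD.
"""
import base64
import binascii
import re
from typing import Optional

# A Base64 token: at least 8 alphabet characters plus optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
# What a decoded C2 indicator tends to look like: host:port or a URL.
HOST_PORT = re.compile(
    r"^(?:[a-z0-9-]+\.)+[a-z]{2,}:\d{2,5}$|^\d{1,3}(?:\.\d{1,3}){3}:\d{2,5}$", re.I)
URL = re.compile(r"^https?://\S+$", re.I)


def try_decode(token: str) -> Optional[str]:
    """Decode one token and return it as printable ASCII, or None if it is not."""
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or not all(32 <= b < 127 for b in raw):
        return None
    return raw.decode("ascii")


def extract_c2(strings: list) -> list:
    """Return {'encoded', 'decoded'} for every token that decodes to a network indicator."""
    findings = []
    for s in strings:
        for token in B64_TOKEN.findall(s):
            decoded = try_decode(token)
            if decoded and (HOST_PORT.match(decoded) or URL.match(decoded)):
                findings.append({"encoded": token, "decoded": decoded})
    return findings


def base64_signatures(indicator: str) -> list:
    """Base64 spellings of `indicator` at each of the three byte alignments.

    Each spelling is trimmed to the characters fully determined by the
    indicator itself (leading chars shared with the unknown preceding byte
    and the trailing partially-determined char are dropped), so any of the
    three will match when the indicator sits inside a larger encoded blob.
    """
    data = indicator.encode()
    out = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + data).decode().rstrip("=")
        lead = (0, 2, 3)[offset]
        tail = 0 if (offset + len(data)) % 3 == 0 else 1
        out.append(enc[lead:len(enc) - tail])
    return out


def contains_signature(encoded_blob: str, indicator: str) -> bool:
    """True if any alignment of `indicator` appears inside `encoded_blob`."""
    return any(sig in encoded_blob for sig in base64_signatures(indicator))


# Constructed "strings" output: two encoded indicators among ordinary dex strings.
SAMPLE_STRINGS = [
    "Lcom/example/flashlight/MainActivity;",
    base64.b64encode(b"198.51.100.23:7771").decode(),
    "SGVsbG8gd29ybGQ=",  # "Hello world": valid Base64 but not an indicator
    "Ljava/lang/String;",
    base64.b64encode(b"http://c2.example.invalid/gate.php").decode(),
]
# Constructed config blob in which the host is not at a 3-byte boundary.
SAMPLE_BLOB = base64.b64encode(b"cfg|198.51.100.23:7771|v7").decode()

if __name__ == "__main__":
    for hit in extract_c2(SAMPLE_STRINGS):
        print(f"{hit['encoded']}  ->  {hit['decoded']}")
    print("signatures:", base64_signatures("198.51.100.23:7771"))
    print("host inside blob:", contains_signature(SAMPLE_BLOB, "198.51.100.23:7771"))
```

The printable-ASCII filter is deliberately strict; it discards binary blobs (keys, packed resources) that also happen to be valid Base64, so the output is short enough to read. Loosen it if you are hunting for encoded payloads rather than addresses.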
Symptoms of Infection: Is Your Phone Infected?
None of the following signs is specific to CraxsRAT, and a device can be infected while showing none of them. If you or your organization's users notice several of them together, treat the device as suspect and investigate it rather than assuming it is clean.
- System Degradation: Noticeable slowdowns in app loading, general sluggishness, and rapid battery drain.
- Unscheduled Activity: Unexpected pop-ups, banners, or the appearance of new, unknown applications.
- Resource Spikes: Mobile data or Wi-Fi usage is high even when the user is not browsing or streaming, because captured media and logs are being uploaded in the background.
- Sensory Activation: The camera or microphone privacy indicator (the green dot on Android 12 and later) appears when no app should be using them, including while the device is locked.
Protection and Removal Strategies
Effective defense requires a multi-layered approach, tailored to whether you are an individual user or an enterprise organization.
For Individuals: Stay Vigilant
- Source Verification: Only download applications from the official Google Play Store. Avoid sideloading APKs from untrusted websites.
- Permission Audit: Before installing, review all requested permissions. Be highly suspicious of apps requesting "Accessibility Services" if they are simple utilities (e.g., a flashlight app).
- Security Hygiene: Enable Two-Factor Authentication (2FA) on all critical accounts and ensure transaction alerts are active.
- Isolation: If possible, use a separate, dedicated device for high-value activities like banking.
For Organizations: Implement Defense-in-Depth
- Deployment: Mandate the use of Mobile Threat Defense (MTD) solutions across all corporate devices.
- Management: Utilize Mobile Device Management (MDM) to enforce security policies and monitor app behavior centrally.
- Training: Conduct regular, specific training sessions focused on phishing and recognizing local brand impersonations (e.g., fake Grab & Go).
Malware Removal Instructions
If infection is confirmed, follow these steps:
- Safe Mode Boot: Boot the device into Safe Mode to prevent the malicious app from running and interfering with the cleanup process.
- Identification: Use the battery usage monitor or recent app list to pinpoint the malicious application.
- Removal: Uninstall the identified app. If the Uninstall button is greyed out or the Settings screen closes by itself, the app is protecting itself: first revoke its entry under Accessibility, then revoke its rights under "Device admin apps" in the Security settings, and retry the uninstall.
- Cache Clearing: Clear the browser cache and system partition cache.
- Last Resort: Perform a full Factory Reset. This is the most reliable method but requires a complete backup beforehand.
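When a device can be attached over USB with debugging enabled, the identification and revocation steps above can be scripted. The following is an added example written for this article, not a tool from the article's authors: it parses the text output of three adb commands, `settings get secure enabled_accessibility_services`, `dumpsys device_policy` and `pm list packages -3`, flags third-party packages that hold an accessibility or device-admin hook, and prints a removal plan. The command outputs and package names below are constructed samples. Note that `dpm remove-active-admin` only works for admins built with `android:testOnly`, so the device-admin step is left to the Settings UI, as in the list above.

```python
"""Triage adb output for apps holding the hooks a RAT relies on.

Added example, not from the original article. It parses output captured
from three adb commands; the samples below are constructed and the
package names are made up.
"""
import re

CMD_A11Y = "adb shell settings get secure enabled_accessibility_services"
CMD_ADMIN = "adb shell dumpsys device_policy"
CMD_PKGS = "adb shell pm list packages -3"

# "pkg/cls" or "pkg/.RelativeCls", with an optional trailing colon in dumpsys.
COMPONENT = re.compile(r"^([\w.]+)/([\w.$]+):?$")


def parse_accessibility(out: str) -> dict:
    """Map package -> component for each enabled accessibility service."""
    result = {}
    for comp in out.strip().split(":"):  # the setting is colon-separated
        m = COMPONENT.match(comp.strip())
        if m:
            result[m.group(1)] = comp.strip()
    return result


def parse_device_admins(out: str) -> dict:
    """Map package -> admin receiver component from the 'Enabled Device Admins' section."""
    result, header_indent = {}, None
    for line in out.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if line.strip().startswith("Enabled Device Admins"):
            header_indent = indent
            continue
        if header_indent is None:
            continue
        if indent <= header_indent:  # left the section
            header_indent = None
            continue
        m = COMPONENT.match(line.strip())
        if m:
            result[m.group(1)] = line.strip().rstrip(":")
    return result


def parse_third_party(out: str) -> set:
    return {l.split(":", 1)[1].strip() for l in out.splitlines() if l.startswith("package:")}


def triage(a11y_out: str, admin_out: str, pkgs_out: str) -> dict:
    """Flag third-party packages holding accessibility or device-admin hooks."""
    a11y, admins, third = parse_accessibility(a11y_out), parse_device_admins(admin_out), parse_third_party(pkgs_out)
    flagged = sorted(third & (set(a11y) | set(admins)))
    return {
        "suspicious": [{"package": p, "accessibility": a11y.get(p), "device_admin": admins.get(p)}
                       for p in flagged],
        # Services we must keep when rewriting the accessibility setting.
        "keep_accessibility": [c for p, c in a11y.items() if p not in flagged],
    }


def removal_plan(report: dict) -> list:
    """adb commands (and one manual step) to strip the hooks and uninstall."""
    steps = []
    if any(f["accessibility"] for f in report["suspicious"]):
        kept = ":".join(report["keep_accessibility"])
        steps.append(f"adb shell settings put secure enabled_accessibility_services '{kept}'")
    for f in report["suspicious"]:
        pkg = f["package"]
        if f["device_admin"]:
            steps.append(f"# manual: revoke {f['device_admin']} under Settings > Security > Device admin apps")
        steps.append(f"adb shell pm disable-user --user 0 {pkg}")
        steps.append(f"adb shell pm uninstall --user 0 {pkg}")
    return steps


# Constructed command outputs for the example.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
               "com.example.flashlight/.svc.A11y")
SAMPLE_ADMIN = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.flashlight/.svc.AdminRx:
      uid=10234
      testOnlyAdmin=false
      policies:
        force-lock
        wipe-data
  Password mode: 0
"""
SAMPLE_PKGS = "package:com.example.flashlight\npackage:com.example.bank\n"

if __name__ == "__main__":
    report = triage(SAMPLE_A11Y, SAMPLE_ADMIN, SAMPLE_PKGS)
    for f in report["suspicious"]:
        print("suspicious:", f)
    print("\n".join(removal_plan(report)))
```

Capture the three outputs first (`adb shell settings get ... > a11y.txt`, and so on) and feed them in, or wire `subprocess.run` around the three command strings; the parsing is the same either way. Uninstalling fails while the app is still an active device admin, which is why the manual revocation step is ordered before `pm uninstall`.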
Conclusion: Never Assume Your Phone is Safe
CraxsRAT, in its current v7.5 iteration, is a testament to the relentless evolution of mobile threats. It represents a sophisticated pivot from simple spyware to a fully controllable, localized surveillance tool, with a clear focus on high-value targets in regions like Southeast Asia.
The consequences of infection—from targeted financial fraud to corporate espionage and complete personal surveillance—are severe. By staying vigilant, rigorously auditing app permissions, and deploying robust security tools, you can significantly mitigate the risk. Remember: the threat actors are always refining their code; always keep your operating system and apps updated.
Frequently Asked Questions (FAQ)
Can CraxsRAT steal banking credentials?
Yes. CraxsRAT uses more than one method for credential theft. It can capture data via keylogging (recording every keystroke, typically through the Accessibility Service), and, more dangerously, it can execute overlay attacks: when the victim opens a targeted banking app, the malware draws a fake login screen over the legitimate one, so the credentials the user types go to the attacker while the real app sits untouched underneath.
Does factory reset remove CraxsRAT?
Yes, a factory reset removes the CraxsRAT app together with its files and configuration, returning the device to a clean state. Back up your data carefully first, and be selective when restoring: if the backup contains the malicious APK, or app restore reinstalls the trojanized application, the device will be reinfected immediately. Restore documents and photos, not apps, and reinstall applications from the official store.