SURXRAT Android RAT Enables Full Device Takeover and Data Exfiltration for Attackers

Home » News

Yash

News

2 min. read

Published on February 26, 2026

SURXRAT, a advanced Android Remote Access Trojan, grants attackers complete control over infected devices. It steals data like SMS, contacts, and files while adding ransomware locking. Sold as Malware-as-a-Service on Telegram with reseller tiers, it evolves from ArsinkRAT. Cyble reports: “SURXRAT uses Firebase for stealthy C2 and Accessibility abuse for persistence.”

Attackers lure users with fake apps via social engineering on SMS or social media. Once installed, SURXRAT seeks permissions for SMS, calls, location, storage, and camera. The key is Accessibility Services. Users enable it thinking it’s for app features. This lets malware read screens, log keystrokes, and fake taps.

Cyble tracked Telegram channels advertising V5. Pricing suits small operators. Firebase Realtime Database hides C2 traffic among legit app calls. Traditional AV struggles. As of February 26, 2026, samples appear on VirusTotal; scan devices

Exfiltration covers logs, history, and media. Active features snap photos, record audio, download files. Ransomware overlays full screens with custom PIN demands. Failed unlocks ping attackers live for pressure.

SURXRAT V5 advertisement on Telegram Channel (Source – Cyble)

This hybrid threat shifts from spy to extortion fast. Targets span personal banking fraud to enterprise spying. Rapid spread via MaaS boosts global risk.

Core Features Table

Category	Capabilities
Data Theft	SMS/contacts exfil, call logs, browser history, files
Surveillance	Remote camera/mic, screen capture, keylogging
Control	Fake inputs, overlays, command execution
Ransomware	Persistent PIN locker with live monitoring
Stealth	Firebase C2, Accessibility persistence

Pricing Plan for SURXRAT posted on Telegram channel (Source – Cyble)

Telegram Pricing Tiers

Tier	Price Range	Perks
Basic Reseller	Low entry	Custom APK builder
Partner	Mid-tier	Distribution tools, support
Enterprise	High	Full customization, priority C2

Ads show registered accounts for builders.

Attack Chain

Step-by-step infection.

Lure via phishing SMS/social.
Sideloading fake APK.
Permission prompts granted.
Accessibility enabled.
Beacon to Firebase C2.
Data flows; locker optional.

Telegram post indicating the registered accounts (Source – Cyble)

Defense Strategies

Layer protections.

Stick to Google Play; enable Play Protect.
Review Accessibility apps monthly.
Use MFA everywhere.
Update Android/OS promptly.
Deploy enterprise MDM with app vetting.
Scan with tools like Malwarebytes.

FAQ

What makes SURXRAT dangerous?

Full control via Accessibility, plus ransomware; MaaS spreads it wide.

How does Firebase help hide it?

Blends malicious traffic with normal app data.

Signs of infection?

Battery drain, odd permissions, Firebase network spikes.

Patch or fix available?

No; uninstall app, factory reset if locked. Vendor: Soliton? Wait, Android/Google Play advisories.

Targets who?

Android users globally via Telegram affiliates.

Yash

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links.

Improve this guide

User forum

0 messages

Sort by:

Core Features Table

Telegram Pricing Tiers

Attack Chain

Defense Strategies

FAQ

Leave a Reply Cancel reply