New HyperRat Android Malware Sold as Ready-Made Spy Tool

Researchers have uncovered HyperRat, a new Android malware sold as a service, giving attackers remote control, data theft tools, and mass phishing features.

HackRead

Cybersecurity researchers at iVerify have identified a new Android remote access trojan (RAT) called HyperRat, being promoted on cybercrime forums under the malware-as-a-service (MaaS) model. The tool allows attackers to remotely control infected devices, collect sensitive data, and send mass phishing messages without writing a single line of code.

HyperRat operates as a paid subscription. Once a buyer joins, they receive a customised malicious APK and access to a web-based control panel managed by the seller. That panel lets operators monitor infected devices, send commands, and view logs, while the developer maintains the backend infrastructure. Researchers say this model shows a change in the underground Android malware market, where automation is now a key selling point.

Web Control Panel and Device Management

According to iVerify’s blog post, its researchers analysed screenshots from the control interface that show a dashboard listing infected phones by number, IP address, and recent activity.

From this panel, operators can open a VNC session, send SMS messages from the victim’s SIM, retrieve call logs, modify permissions, and download archived messages. One button labelled for mass messaging indicates the malware can also be used for spam or phishing campaigns, not just surveillance.

Another screenshot shows detailed permission management. HyperRat tells the operator which Android privileges are active, including internet access, call and SMS control, and auto-restart after reboot. It can also request accessibility permissions and bypass battery optimisation, techniques commonly used to maintain persistence on a device even after reboots or user interference.

HyperRat’s dashboard (Screenshot via iVerify)

Application Scanning and Bulk SMS

The malware can enumerate installed applications, giving the operator a full list of package names and app titles. This allows them to decide which apps to impersonate using phishing overlays. For example, if a banking or payment app is detected, HyperRat can trigger a fake login screen mimicking that service, harvest credentials, and then hand control back to the real app to avoid suspicion.

The control panel also includes a “Send to contacts” form that lets the attacker send phishing messages directly from the victim’s phone. Operators can select SIM slots, set message delays, and choose which contacts to target. Because these messages originate from legitimate devices, they often bypass carrier-level spam filters and reach more potential victims.

Telegram-Based Control

HyperRat integrates with Telegram bots for remote control and notifications. The operator can configure chat IDs and API tokens so that alerts and logs are delivered directly through Telegram chats. Using the encrypted messaging platform allows attackers to manage devices discreetly and avoid detection by security monitoring systems that rely on traditional command-and-control traffic patterns.

Custom APK Builder

A built-in APK builder lets the attacker generate a fake Android app with a spoofed name and icon. Options in the builder include hiding the app icon, intercepting notifications, enabling a SOCKS5 proxy, disabling battery optimisation, and launching a VNC module for remote screen access. The builder also supports WebView mode, enabling the app to disguise itself as a basic browser while quietly connecting to the attacker’s server.

What HyperRat malware can do (Screenshot via iVerify)

Advertising and Market Context

HyperRat is being marketed in Russian-language channels as a “next generation Android app for tracking and controlling your device.” Its feature list includes full access to SMS and MMS messages, automatic SIM number retrieval, one-click message archiving, and a web control panel with analytics.

The appearance of HyperRat follows other MaaS kits such as PhantomOS and Nebula, which provide similar capabilities for a monthly fee. These platforms lower the barrier for entry, allowing even inexperienced actors to run mobile spying or credential theft campaigns using prebuilt infrastructure.

Users should avoid sideloading APKs from untrusted sources, check which app is set as the default for SMS, and regularly review permissions for anything requesting access to accessibility services or system settings.
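
The permission review suggested above can be scripted. The following Python sketch is an added example, not code from iVerify or HackRead: it scores an app inventory against the permission mix the panel reports (SMS and call control, restart after reboot, battery-optimisation exemption, an enabled accessibility service) and flags an unexpected default SMS app. The package names, the inventory format, the signal grouping and the threshold of four signals are assumptions; the accessibility string follows the `pkg/class:pkg/class` format of Android's `enabled_accessibility_services` secure setting.

```python
# Added example: triage an app inventory for the permission mix the article describes.
P = "android.permission."
# Capability groups mapped from the panel's permission view (mapping is an assumption).
SIGNALS = {
    "sms": {P + "SEND_SMS", P + "READ_SMS", P + "RECEIVE_SMS"},
    "calls": {P + "READ_CALL_LOG", P + "CALL_PHONE"},
    "contacts": {P + "READ_CONTACTS"},
    "boot_restart": {P + "RECEIVE_BOOT_COMPLETED"},
    "battery_exempt": {P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}

def accessibility_packages(setting):
    """Parse the enabled_accessibility_services value: 'pkg/cls:pkg/cls'."""
    if not setting or setting.strip() == "null":
        return set()
    return {c.split("/", 1)[0] for c in setting.strip().split(":") if c}

def triage(inventory, a11y_setting, default_sms, expected_sms, threshold=4):
    """Return [(package, sorted signal names)] for packages with >= threshold signals."""
    a11y = accessibility_packages(a11y_setting)
    findings = []
    for pkg, perms in inventory.items():
        hits = {name for name, group in SIGNALS.items() if group & perms}
        if pkg in a11y:
            hits.add("accessibility_enabled")
        if pkg == default_sms and pkg != expected_sms:
            hits.add("unexpected_default_sms")
        if len(hits) >= threshold:
            findings.append((pkg, sorted(hits)))
    return sorted(findings, key=lambda f: -len(f[1]))

# Constructed sample data: package names and permission sets are invented.
SAMPLE_INVENTORY = {
    "com.example.messages": {P + "SEND_SMS", P + "READ_SMS", P + "RECEIVE_SMS",
                             P + "READ_CONTACTS", P + "RECEIVE_BOOT_COMPLETED"},
    "com.example.browserlite": {P + "INTERNET", P + "SEND_SMS", P + "READ_SMS",
                                P + "READ_CALL_LOG", P + "READ_CONTACTS",
                                P + "RECEIVE_BOOT_COMPLETED",
                                P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
    "com.example.screenreader": {P + "INTERNET"},
}
SAMPLE_A11Y = "com.example.screenreader/.Reader:com.example.browserlite/.Helper"

if __name__ == "__main__":
    for pkg, hits in triage(SAMPLE_INVENTORY, SAMPLE_A11Y,
                            "com.example.messages", "com.example.messages"):
        print(pkg, "->", ", ".join(hits))
```

Legitimate dialer or messaging apps can also reach the threshold, so the output is a list for manual review rather than a verdict.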
