CraxsRAT

Also known as: G700 RAT

Variants: CraxsRAT with SUNSPINNER decoy

Category: Malware

Type: Remote access trojan, backdoor, fileless malware, spyware

Platform: Android

Damage potential: Data theft, deployment of additional payloads (such as ransomware), remote control, and surveillance

Overview

CraxsRAT is a remote access trojan (RAT) that evolved from Spymax RAT (also known as SpyNote). When the Spymax RAT source code leaked in 2020, a developer known as “EVLF” (believed to be based in Syria) modified it to create a new cyber threat — CraxsRAT. Since then, the RAT has spread through social media sites such as Telegram, infecting users through phishing links and malicious APK files.

CraxsRAT allows malicious actors to take full control of infected machines and steal sensitive information through features like camera and microphone hijacking. CraxsRAT is especially dangerous because it can access SMS, contact lists, and files on mobile phones. In addition, victims can experience credentials leakage and see their funds withdrawn illegitimately. CraxsRAT also records and takes calls without the victim's consent, tracks the phone’s GPS location, and is capable of screen recording.

Possible symptoms

CraxsRAT tries to avoid detection, but you may notice some unusual symptoms, such as slower system performance. If your device becomes slower than usual or crashes frequently, running a system scan is a good idea.

Other signs to watch out for:

  • Unauthorized access (like random apps running in the background or the webcam activating on its own).
  • Unexpected pop-ups or system errors.
  • New, unknown apps on your phone.
  • Added or modified files or lower storage space.
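A way to check for the "new, unknown apps" sign from a computer, as an added example that is not part of the original page: it flags apps that were not installed from an official store and that hold permissions matching several of the capabilities described in the overview. It assumes you have saved the output of `adb shell pm list packages -3 -i` and of `adb shell dumpsys package <name>` for each app; the capability grouping, the threshold of three, and the sample data are this example's own assumptions.

```python
import re

# Capabilities the page lists, grouped by Android permission (grouping is an assumption).
CAPABILITIES = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "contacts": {"READ_CONTACTS"},
    "camera": {"CAMERA"},
    "microphone": {"RECORD_AUDIO"},
    "calls": {"READ_CALL_LOG", "CALL_PHONE", "ANSWER_PHONE_CALLS"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add other official stores
PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)", re.M)
GRANT_RE = re.compile(r"android\.permission\.([A-Z_]+): granted=true")

def parse_installers(pm_output):
    """Map package -> installer from `pm list packages -3 -i` output."""
    return dict(PKG_RE.findall(pm_output))

def granted_capabilities(dumpsys_output):
    """Capability groups covered by permissions marked granted=true."""
    granted = set(GRANT_RE.findall(dumpsys_output))
    return sorted(cap for cap, perms in CAPABILITIES.items() if perms & granted)

def triage(pm_output, dumpsys_by_pkg, threshold=3):
    """Packages not from a trusted installer that hold >= threshold groups."""
    findings = []
    for pkg, installer in sorted(parse_installers(pm_output).items()):
        caps = granted_capabilities(dumpsys_by_pkg.get(pkg, ""))
        if installer not in TRUSTED_INSTALLERS and len(caps) >= threshold:
            findings.append((pkg, installer, caps))
    return findings

# Constructed sample data, not taken from a real device.
SAMPLE_PM = """package:com.example.notes  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.updater  installer=com.google.android.packageinstaller
"""
SAMPLE_DUMPSYS = {
    "com.example.notes": "android.permission.CAMERA: granted=true\n",
    "com.example.flashlight": "android.permission.CAMERA: granted=true\n",
    "com.example.updater": "android.permission.READ_SMS: granted=true\n"
        "android.permission.RECORD_AUDIO: granted=true\n"
        "android.permission.READ_CONTACTS: granted=true\n"
        "android.permission.ACCESS_FINE_LOCATION: granted=false\n",
}

if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_DUMPSYS))
```

A flagged package is a candidate for closer inspection, not proof of infection: legitimate sideloaded apps can hold the same permissions.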

Sources of the infection

CraxsRAT may infiltrate the device through:

  • Malicious email attachments or links leading to infected APKs.
  • Malicious websites or ads.
  • Fake apps.
  • Exploitation of vulnerabilities in software or systems.

Protection

The best way to protect yourself from CraxsRAT, or any malware for that matter, is to use common sense and stay alert for anything suspicious online. Follow general cybersecurity practices to stay one step ahead of the cyber threats:

  • Do not click on suspicious links or attachments in emails, especially if they come from unknown senders.
  • Keep your software updated to ensure you have the latest security patches.
  • Download software only from official sources, like the app store or the developer’s website.
  • Use security software like NordVPN’s Threat Protection Pro™ to block malicious websites and harmful ads.

CraxsRAT removal

CraxsRAT is designed to avoid detection, so removing this trojan may be challenging. While your best bet would be to perform a complete system wipe, you can also use mobile antivirus software to remove CraxsRAT from your Android device:

  • Clear your phone’s browser cache.
  • Boot your Android device into safe mode.
  • Check the battery and internet usage for various applications. Delete those that use the most battery and internet, especially if you don’t use them often.
  • Restart your device.

You can also perform a factory reset on your Android. That should remove CraxsRAT (along with all the other data on your mobile device). After performing a factory reset, make sure to install all the latest software updates.