
Craxs RAT

A key reason Craxs RAT is so potent is its abuse of Android Accessibility Services. When the victim first runs the app, it displays a fake error message claiming the app needs "Accessibility permission" to function correctly (e.g., "Enable this to save battery").

Once granted, accessibility services allow the malware to:

Because Craxs RAT can hide its icon, detection is not always straightforward. Here are signs of infection:

Technical Indicators:
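One check a defender can run for the accessibility abuse and hidden icon described above, as an added example that is not part of the original page: it cross-references the enabled accessibility services with the third-party package list and the set of packages that expose a launcher icon. The package names and command outputs are constructed samples, and the "high"/"review" labels are this example's own convention.

```python
# Added triage example. The inputs are constructed samples, not real device data.
# They mimic the text returned by these adb commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3
#   adb shell cmd package query-activities --brief \
#       -a android.intent.action.MAIN -c android.intent.category.LAUNCHER

SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.batterysaver/.core.HelperService")
SAMPLE_THIRD_PARTY = "package:com.example.batterysaver\npackage:com.example.notes\n"
SAMPLE_LAUNCHER = (
    "priority=0 preferredOrder=0 match=0x108000 specificIndex=-1 isDefault=false\n"
    "  com.example.notes/.MainActivity\n")

def a11y_packages(setting: str) -> set:
    """Packages owning an enabled accessibility service (colon-separated pkg/class)."""
    setting = setting.strip()
    if not setting or setting == "null":  # the setting is unset on a clean device
        return set()
    return {c.split("/", 1)[0] for c in setting.split(":") if "/" in c}

def third_party_packages(pm_output: str) -> set:
    """User-installed packages from 'pm list packages -3' ('package:<name>' lines)."""
    lines = (l.strip() for l in pm_output.splitlines())
    return {l[len("package:"):] for l in lines if l.startswith("package:")}

def launcher_packages(query_output: str) -> set:
    """Packages with a MAIN/LAUNCHER activity, i.e. a visible app icon."""
    pkgs = set()
    for line in query_output.splitlines():
        line = line.strip()
        if "/" in line and "=" not in line:  # component lines, not the priority= header
            pkgs.add(line.split("/", 1)[0])
    return pkgs

def triage(a11y: str, third_party: str, launcher: str) -> list:
    """Flag user-installed apps holding accessibility; no launcher icon raises severity."""
    visible = launcher_packages(launcher)
    hits = sorted(a11y_packages(a11y) & third_party_packages(third_party))
    return [{"package": p, "hidden_icon": p not in visible,
             "severity": "high" if p not in visible else "review"} for p in hits]

if __name__ == "__main__":
    for finding in triage(SAMPLE_A11Y, SAMPLE_THIRD_PARTY, SAMPLE_LAUNCHER):
        print(finding)
```

A "review" result still deserves a look: a legitimate app rarely needs accessibility access, so confirm each flagged package against what the user knowingly installed.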

Standard features include GPS tracking, ambient audio recording via the mic, and taking pictures using the front/back camera without the shutter sound.

Craxs RAT (Remote Access Trojan) is a powerful Android-based malware written in programming languages like Java and C++. It was created by a threat actor known as "EVLF" (or "Craxs," hence the name). First appearing in late 2021, the malware has undergone several iterations, with Craxs RAT v4 and v5 being the most notorious versions as of 2025.

Unlike most trojans that have a fixed set of capabilities, Craxs RAT is a modular builder. This means that attackers (often called "customers" in the underground market) can purchase a license and then build their own customized version of the malware. They can choose which features to enable, craft the icon and name of the malicious app, and even select the payload delivery method.

Craxs RAT cannot spread by itself (it is not a worm). Attackers use social engineering to trick victims into installing the malicious APK manually. Common methods include:
