{
	"id": "ede9af1f-d60a-4455-8eae-00acb9f797d7",
	"created_at": "2026-04-06T00:15:18.078057Z",
	"updated_at": "2026-04-10T03:30:33.181175Z",
	"deleted_at": null,
	"sha1_hash": "bb17dbae547da2c9638ea4dba2301453199ea9d3",
	"title": "DroidJack isn’t the only spying software out there: Avast discovers OmniRat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 168714,
	"plain_text": "DroidJack isn’t the only spying software out there: Avast discovers\r\nOmniRat\r\nBy Nikolaos Chrysaidos 5 Nov 2015\r\nArchived: 2026-04-05 22:32:15 UTC\r\nOmniRat is currently being used and spread by criminals to gain full remote control of devices.\r\nThere’s more than one RAT\r\nOn Friday, I discovered OmniRat, a program similar to DroidJack. DroidJack is a program that facilitates remote\r\nspying and recently made news when European law enforcement agencies made arrests and raided the homes of\r\nsuspects as part of an international malware investigation.\r\nOmniRat and DroidJack are RATs (remote administration tools) that allow you to gain remote administrative\r\ncontrol of any Android device. OmniRat can also give you remote control of any Windows, Linux or Mac device.\r\nRemote administrative control means that once the software is installed on the target device, you have full remote\r\ncontrol of the device.\r\nOn their website, OmniRat lists all of the things you can do once you have control of an Android, which include:\r\nretrieving detailed information about services and processes running on the device, viewing and deleting browsing\r\nhistory, making calls or sending SMS to any number, recording audio, executing commands on the device and\r\nmore.\r\nOmniRat\r\nLike DroidJack, OmniRat can be purchased online, but compared to DroidJack, it’s a bargain. Whereas DroidJack\r\ncosts $210, OmniRat costs only $25 to $50 depending on which device you want to control.\r\nYou may be asking yourself, “Why is software like this being sold on the Internet?”. According to DroidJack’s\r\ncreator, Sanjeevi, “Droidjack is a parental tool for Android remote administration,” but Europol has made it very\r\nclear that using software like DroidJack for malicious purposes can have major consequences. In an investigation\r\nsupported by Europol and Eurojust, law enforcement agencies in Europe and the U.S. 
arrested users of DroidJack.\r\nOmniRat variant in the wild\r\nA custom version of OmniRat is currently being spread via social engineering. A user on a German tech forum,\r\nTechboard-online, describes how a RAT was spread to his Android device via SMS. After researching the incident,\r\nI have come to the conclusion that a variant of OmniRat is being used.\r\nThe author of the post received an SMS stating that an MMS from someone had been sent to him (in the example, a\r\nGerman phone number is listed and the SMS was written in German). The SMS goes on to say “This MMS cannot\r\nbe directly sent to you, due to the Android vulnerability StageFright. Access the MMS within 3 days [Bitly link]\r\nhttps://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co\r\nPage 1 of 4\n\nwith your telephone number and enter the PIN code [code]”. Once the link is opened, a site loads where you are\r\nasked to enter the code from the SMS along with your phone number.\r\nOnce you enter your number and code, an APK, mms-einst8923, is downloaded onto the Android device. The\r\nmms-einst8923.apk, once installed, loads a message onto the phone saying that the MMS settings have been\r\nsuccessfully modified and loads an icon, labeled “MMS Retrieve”, onto the phone.\r\n[Image: MMS Empfang app widget]\r\nOnce the icon is opened by the victim, mms-einst8923.apk extracts OmniRat, which is encoded within the mms-einst8923.apk. In the example described on Techboard-online, a customized version of OmniRat is extracted.\r\nThe OmniRat APK requires users to accept and grant OmniRat many permissions, including editing text\r\nmessages, reading call logs and contacts, and modifying or deleting the contents of the SD card. 
All of these permissions may\r\nseem invasive and you may be thinking, “Why would anyone give an app so much access?”, but many of the\r\ntrusted and most downloaded apps on the Google Play Store request many of the same permissions. The key\r\ndifference is the source of the apps. I always recommend that users read app permissions carefully. However,\r\nwhen an app you are downloading directly from the Google Play Store requests permissions, it is rather unlikely\r\nthe app is malicious. I therefore advise you to only download apps directly from the Google Play Store. If, as in this\r\ncase, the app is downloaded from an untrusted source, users should be highly suspicious of the permissions\r\nbeing requested.\r\n[Image: com.android.engine]\r\nOnce installed, OmniRat gives full remote administrative control of the device to the attacker. Even if the victim\r\ndeletes the original “MMS Retrieve” icon installed with the mms-einst8923 APK, OmniRat remains on the infected\r\ndevice. The victim then has no idea their device is being controlled by someone else and that every move\r\nthey make on the device is being recorded and sent back to a foreign server.\r\nFurthermore, once cybercriminals have control over a device’s contact list, they can easily spread the\r\nmalware to more people. 
Inside this variant of OmniRat, there is a function to send multiple SMS messages.\r\nWhat makes this especially dangerous is that the SMS spread via OmniRat from the infected device will\r\nappear to be from a known and trusted contact of the recipients, making them more likely to follow the link\r\nand infect their own device.\r\nWe know that the data collected by the customized version of OmniRat targeting the German person from the\r\nTechboard-online forum post is being sent back to a Russian domain, based on the command and control (C\u0026C)\r\nserver address the data is being sent to.\r\n[Image: Russian domain] The “.ru” server address tells us the data is being sent back to a Russian domain.\r\nThe left image above was taken from OmniRat’s website and shows the audio data that is being extracted from the\r\nvictim’s device. The right image is of the custom version of OmniRat and shows that the same data is gathered, in the\r\nsame order, and sent back to a Russian domain.\r\nIn the image above, we\r\ncan see all the dex classes of the second APK file that gather various information about the device and send it\r\nback to the server.\r\nHow to protect yourself\r\nMake sure you have an antivirus solution installed on your smartphone to detect malware like OmniRat.\r\nAvast detects OmniRat as Android:OmniRat-A [Trj].\r\nDo not open any links from untrusted sources. If an unknown number or email address sends you a link, do\r\nnot open the link.\r\nDo not download apps from unknown sources to your mobile device. 
Only download apps from trusted\r\nsources such as the Google Play Store or the Apple App Store.\r\nSource: https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co"
	],
	"report_names": [
		"droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434518,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb17dbae547da2c9638ea4dba2301453199ea9d3.pdf",
		"text": "https://archive.orkl.eu/bb17dbae547da2c9638ea4dba2301453199ea9d3.txt",
		"img": "https://archive.orkl.eu/bb17dbae547da2c9638ea4dba2301453199ea9d3.jpg"
	}
}