The Cypher RAT is a potent mobile threat targeting Android devices. More precisely, the threat is classified as a Remote Access Trojan (RAT). If successfully deployed on the victim's Android device, the Cypher RAT can perform a wide range of intrusive actions. The exact consequences for each victim likely depend on the specific goals of the threat actors, because the Cypher RAT is offered for sale by its developers to any interested cybercriminals. The price for access to the Cypher RAT is $100 per month, $200 for three months and $400 for a lifetime license.
Once activated on the Android device, the Cypher RAT can manipulate the file system by renaming, deleting, editing, copying and moving existing files. The threat can also be used to upload and collect chosen files or to fetch and deploy additional, corrupted payloads. The attackers can change the current wallpaper, access the call log and delete calls, access the SMS list and delete messages, establish keylogging routines that capture each tapped button, access and modify the victim's contact list, activate chosen applications and more.
However, the threatening capabilities of the Cypher RAT do not stop there. The threat can monitor the device's clipboard and substitute the information saved there. This functionality is typically used to switch saved crypto-wallet addresses to ones belonging to the attackers. Victims may not realize that they have pasted an address different from the intended one, and the transferred funds will be sent to the account of the cybercriminals.
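The clipboard substitution described above leaves a recognizable trace: one wallet address replaced by a different address of the same format faster than a person could copy a new one. The following detection heuristic is an added example, not code from the Cypher RAT or from this page; the address formats, the two-second window and the sample clipboard events are assumptions constructed for illustration.

```python
import re

# Address shapes checked here are an assumption of this example;
# the page does not name a specific cryptocurrency.
ADDRESS_PATTERNS = {
    "btc_base58": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return the name of the address format the text matches, or None."""
    value = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(value):
            return kind
    return None


def find_swaps(events, window_seconds=2.0):
    """Flag clipboard changes where a wallet address is replaced by a
    different address of the same format within window_seconds."""
    alerts = []
    previous = None  # last address seen: (timestamp, kind, value)
    for timestamp, text in events:
        kind = address_kind(text)
        if kind is None:
            previous = None  # non-address content breaks the sequence
            continue
        value = text.strip()
        if (previous is not None and previous[1] == kind
                and previous[2] != value
                and timestamp - previous[0] <= window_seconds):
            alerts.append({"time": timestamp, "kind": kind,
                           "copied": previous[2], "replaced_by": value})
        previous = (timestamp, kind, value)
    return alerts


# Constructed clipboard history: (seconds, clipboard text). Not real addresses.
SAMPLE_EVENTS = [
    (100.0, "meeting at 10"),
    (160.0, "0x" + "a1" * 20),  # user copies a payment address
    (160.4, "0x" + "b2" * 20),  # different address appears 0.4 s later
    (300.0, "1" + "A" * 26),    # user copies another address
    (420.0, "1" + "B" * 26),    # two minutes later: plausible manual copy
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The time window is a tunable trade-off: a longer window catches delayed substitution but also flags users who legitimately copy two addresses in quick succession.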
In addition, the Cypher RAT can establish control over the device's camera and microphone, make recordings, take photos, track the device's geolocation, show messages, open chosen links, take screenshots, etc. The threat can intercept 2FA (Two-Factor Authentication) codes, compromise Gmail and Facebook accounts and harvest device details (device name, MAC address, Android version, serial number and more).