At CYFIRMA, we are dedicated to providing timely and relevant insights into emerging threats and tactics used by malicious actors to compromise both organizations and individuals. This report examines G700 RAT, an advanced variant of the Craxs RAT, which primarily targets Android devices and cryptocurrency applications. G700 RAT uses sophisticated techniques such as privilege escalation, phishing, and malicious APK distribution to infiltrate devices, posing significant security risks. By bypassing authentication, capturing sensitive data, and manipulating legitimate app functions, it allows attackers to perform illicit actions undetected. The malware’s persistence and evasive tactics highlight an urgent need for enhanced protection and awareness to safeguard against this evolving threat.
The G700 RAT is an evolved form of Craxs RAT, designed with advanced functionalities to exploit Android devices, especially within the cryptocurrency and financial environments. Developed in C# and Java, this malware targets mobile app security gaps to achieve unauthorized access and execute harmful actions while remaining undetected. It uses privilege escalation, screen capture, and phishing to intercept sensitive information, bypass security authentications, and deploy ransomware. Currently distributed through underground networks, it poses a growing threat to device security, demanding awareness and comprehensive protection strategies.
The G700 RAT is coded in C# and packed using DNGuard, while its APK version is written in Java. Based on the provided screenshot, it is evident that the G700 RAT is a variant of Craxs RAT. This indicates a close relationship between the malware families, placing G700 RAT within a lineage of similarly designed malicious tools.
The snippet below highlights the full range of features that G700 RAT can perform.
The developer claims that G700-RAT can bypass critical security measures, such as passcodes and fingerprint authentication, of the Trust Wallet crypto application, posing significant risks to users.
The developer’s code snippet below is designed to remotely manipulate or exploit the security of the Trust Wallet app. When a label is clicked in a Windows Forms application, this method sends a message to a connected client (classClient) to interact with the Trust Wallet app, potentially bypassing its security protections.
In the latest version of G-700 RAT, the developer has added a Hide SMS functionality. This feature allows the payload to integrate with the default SMS app on the victim’s phone, preventing SMS notifications from appearing. This enables the hacker to silently capture SMS one-time passwords (OTPs) without notifying the victim, posing a severe risk to Android users’ security.
Additionally, in a demonstration video, every new SMS is shown to be redirected to the hacker’s Telegram bot, allowing the hacker to monitor and exploit sensitive information in real time without the victim’s knowledge.
Based on the screenshot, after sending a command, the victim’s phone is completely covered by an image resembling a software update notification, designed to trick the victim into believing their phone is undergoing a legitimate update. This overlay blocks the touch screen, rendering the phone unusable by the victim. During this period, the hacker can perform illegal activities in the background without the victim’s awareness or interference. This tactic is highly dangerous, as it distracts the victim while the hacker executes malicious actions remotely.
The developer claims that G700 RAT can create a fake Google Play Store page. When the hacker pastes the URL “hxxps[:]//is[.]gd/tHUtjx” into the victim’s phone browser, they are redirected to a counterfeit Google Play store page created by the hacker. On this fraudulent page, the hacker can deceive the victim into installing a clone APK application on their phone. This malicious APK appears legitimate but covertly grants the hacker complete control over the victim’s device, enabling them to perform illicit activities without the victim’s awareness.
In the latest version of the G700 RAT malware, the hacker has introduced an updated variant of the Ransomware Locker that now includes customizable features.
The phishing pages stored in the res//inject folder are designed to be injected into banking, cryptocurrency, credit card, email, and shopping applications. These phishing pages mimic legitimate sites and are used by banking botnets to manipulate victims into entering their sensitive information, such as login credentials or financial details.
This method, often seen in sophisticated banking malware, replaces the actual web pages of banks, crypto platforms, and other services with near-perfect replicas. When victims attempt to log in or complete transactions, their credentials are captured by the hackers instead of being sent to the real service.
Key points of this tactic:
Banking botnet usage: this feature is commonly found in banking botnets, designed to intercept and steal data from users in real time, often bypassing traditional security measures.
The listed Android permissions provide extensive access to SMS, contacts, location, camera, audio, and storage, commonly seen in malicious apps like banking malware or spyware. These permissions allow the app to send/read SMS, access contacts and call logs, track location, take photos, record audio, and manipulate files. They can also enable the app to make unauthorized calls, disable device security, and start on boot. Such access could be exploited to steal sensitive information or control the device.
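As an added defensive example (not CYFIRMA’s code and not taken from the malware), the following Python reads the `uses-permission` entries from an AndroidManifest.xml, maps them onto the capability groups described above (SMS, contacts, location, camera, audio, storage, calls, weakening device security, starting on boot), and flags the combination that characterises spyware of this kind. The sample manifest, the group definitions and the flagging threshold are constructed assumptions for this illustration, not a vendor rule.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability groups matching the permission profile described above.
CAPABILITY_GROUPS = {
    "sms": {"SEND_SMS", "READ_SMS", "RECEIVE_SMS"},
    "contacts": {"READ_CONTACTS", "READ_CALL_LOG"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "camera": {"CAMERA"},
    "audio": {"RECORD_AUDIO"},
    "storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "telephony": {"CALL_PHONE"},
    "security": {"DISABLE_KEYGUARD"},
    "boot": {"RECEIVE_BOOT_COMPLETED"},
}

def manifest_permissions(manifest_xml: str) -> set[str]:
    """Return the short names of all <uses-permission> entries in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {node.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
            for node in root.iter("uses-permission")}

def triage_permissions(perms: set[str]) -> dict:
    """Map permissions to capability groups and flag the spyware-like profile."""
    groups = {g for g, members in CAPABILITY_GROUPS.items() if perms & members}
    # Heuristic (assumption, not a vendor rule): SMS access plus boot
    # persistence plus broad sensor/data access is the RAT profile above.
    flagged = "sms" in groups and "boot" in groups and len(groups) >= 5
    return {"groups": sorted(groups), "score": len(groups), "flagged": flagged}

# Constructed sample manifest for demonstration; not from any real APK.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_permissions(manifest_permissions(SAMPLE_MANIFEST)))
```

The score is a count of capability groups, so a legitimate messaging app that only needs SMS and contacts scores low, while the nine-group profile described above is flagged.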
The Binanceinj() function is used to display a fake Binance transaction page to the user while secretly replacing the original wallet address with the hacker’s wallet address in the background. The victim believes they are conducting a legitimate transaction, but the funds are redirected to the attacker’s wallet. The manipulated transaction is made to look genuine, deceiving the victim into transferring cryptocurrency to the hacker without realizing it.
The Base64-encoded string, when decoded, reveals an HTML script for a fake Binance transaction page. Hackers use this to obfuscate phishing content and evade detection by security tools. Once decoded, the script is injected into a legitimate page, tricking users into entering sensitive information or enabling crypto address hijacking.
This code is part of an Android service that sets up a foreground notification and initializes components for screen streaming to a Windows application. It creates a notification for the service, ensuring it’s always visible to the user, and initializes a MediaProjectionManager to capture the screen. Additionally, it sets up a HandlerThread to manage background tasks related to the screen streaming process. The use of a foreground service is essential for keeping the streaming active and notifying users about the ongoing operation.
The code snippet is part of a dropper APK that requests WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE permissions to facilitate the installation of a hidden APK. Upon clicking the button (upbtn), it invokes permission checks to determine if the necessary permissions are granted.
The checkPermissions method evaluates the availability of the required permissions, while requestPermissions prompts the user for these permissions. In the onRequestPermissionsResult method, if permissions are granted, it invokes SessionManager.install() to initiate the installation process.
This implementation illustrates a mechanism for acquiring storage permissions to enable APK installation, raising significant security concerns regarding the potential deployment of malicious software on the device.
The provided code functions as a dropper, designed to install “childapp.apk” from the assets folder, often linked to malware deployment. It uses a worker thread to manage background tasks without disrupting the main UI and registers a broadcast receiver to track installation events. By utilizing Android’s PackageInstaller, the code creates an installation session, opens the APK, writes its data, and commits the installation through a PendingIntent.
A significant concern is that this process can bypass accessibility restrictions, which are typically disabled for unknown APKs. Once the payload is dropped and installed, it can enable accessibility features, posing serious risks to Android users. This increases the potential for unauthorized device access and control. Overall, this method threatens user security, highlighting the need for enhanced monitoring and user awareness regarding unknown applications.
The software is a malicious tool designed to inject harmful Smali code into legitimate applications, such as gaming, modded, and financial apps. By creating seemingly authentic versions of these applications, hackers can deceive users into installing them, thereby gaining unauthorized access to their devices. Once executed, the malicious code often prompts users to grant accessibility services, which can lead to severe privacy violations and identity theft. The automation of this injection process enables even those with limited technical knowledge to deploy such attacks, significantly increasing the threat to user security.
This screenshot, taken from the G700 unpacked code, shows strings encoded in base64. After decoding one of the strings, we found ‘APKEditor’, which revealed the file path [res\libs\APKEditor.jar], indicating the presence of the APKEditor.jar file.
After conducting further research on this file, we discovered the same file on GitHub. This file is designed for strong encryption of APK files, and the developer is utilizing this encryptor to encrypt the G-700 RAT payload. This approach aims to prevent reverse engineering of the APK and to enhance evasion tactics against antivirus detection.
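Both the Base64-encoded Binance injection page described earlier and the Base64 string that decoded to the APKEditor.jar path above are found the same way during analysis. As an added defensive example (not CYFIRMA’s code and not part of the malware), the following Python scans a strings dump or decompiled source for base64 literals, decodes the ones that yield printable text, and labels each hit as injected HTML, an embedded file path, or plain text. The sample dump is constructed here and encoded at runtime; the path mirrors the one the report recovered, and all function names are assumptions.

```python
import base64
import binascii
import re

# Candidate literals: at least 16 base64 characters plus optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decode_candidate(token: str):
    """Decode a token as base64 if the result is mostly printable text."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if text and printable / len(text) > 0.95 else None

def classify(text: str) -> str:
    """Label decoded content as injected HTML, an embedded file path, or text."""
    low = text.lower()
    if "<html" in low or "<form" in low or "<script" in low:
        return "html"
    if re.search(r"\.(jar|apk|dex|exe)\b", low) and ("\\" in text or "/" in text):
        return "path"
    return "text"

def triage_base64(blob: str) -> list[dict]:
    """Find base64 literals in a strings dump and report decoded hits."""
    hits = []
    for match in B64_RE.finditer(blob):
        decoded = decode_candidate(match.group(0))
        if decoded is not None:
            hits.append({"encoded": match.group(0), "decoded": decoded,
                         "kind": classify(decoded)})
    return hits

def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed strings dump (encoded here, not taken from the real sample);
# the path mirrors the one the report recovered.
SAMPLE_DUMP = "\n".join([
    'string path = "' + _b64(r"res\libs\APKEditor.jar") + '";',
    'string page = "' + _b64('<html><body><form action="#">Confirm transfer</form></body></html>') + '";',
    'string noise = "' + "A" * 20 + '";',  # valid base64, decodes to NUL bytes
    'string label = "Settings";',
])

if __name__ == "__main__":
    print(triage_base64(SAMPLE_DUMP))
```

The printable-ratio filter drops base64-looking tokens that decode to binary (the NUL run in the sample), which keeps the output to strings an analyst actually wants to read.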
A cracked version of G700 RAT v5 is freely available in a Telegram group called “The Hacker Error,” which is associated with blackhat hackers and has over 7,000 subscribers. The group, created on June 10, 2022, is known for distributing and selling malware. It is linked to another group, “Blackhat Hacker Tools,” which has around 5,000 subscribers; however, both groups are now inaccessible. The owner of “The Hacker Error” goes by a username that CYFIRMA research has attributed to a well-known Hindi slogan, which suggests an Indian origin. Additionally, discussions in another malware-related group confirm that this user is indeed Indian.
Upon clicking the support section of the G700 RAT, we discovered a Telegram user who appears to be the developer behind this malware.
The Telegram channel was created on May 26th, 2023, and currently has 3,469 subscribers. Its admin also operates another Telegram group specifically for G700 RAT, created on April 7th, 2024, which has 1,156 subscribers. The admin is involved in selling various malware, including Craxs RAT, Spylogger, G700 RAT, and Eagle Crypter. Recently, they announced the sale of the latest version, G700 RAT v6.4, with a lifetime license for $2,000 in another connected group. Updates about the RAT were also posted on an associated website, but the site is currently inaccessible, with the homepage temporarily closed.
In one of the demonstration videos posted by the hacker, certain details suggest that the hacker might either be Indian, using a device from India, or utilizing an Indian VPN. These indicators raise questions about the hacker’s true location and identity, potentially pointing to a connection with India or an attempt to obscure their actual location.
The developer is actively fixing bugs and building new features for G700 RAT, as shown by a recent post announcing new features.
The developer’s Twitter account, created in August 2024, shows no activity, with 0 posts, 0 followers, and no accounts being followed.
The developer also has a Giter account, where the code for most of their projects is kept private. However, they have made an Android builder and Craxs RAT available in a public repository.
The developer also has a TikTok account, where he describes himself as a “Malware Builder.”
In Dark Web forums, some users are selling the G700 RAT, while others are making it freely available. This mixed distribution highlights the significant demand for G700 RAT, as both commercial and free versions are circulating among cybercriminals.
G700 RAT represents a significant advancement in remote access tools, exploiting both technical vulnerabilities and social engineering tactics to compromise Android devices. Its ability to bypass security measures and intercept sensitive data such as SMS OTPs positions it as a serious threat, especially to cryptocurrency users. Distributed widely through Blackhat forums and Telegram channels, G700 RAT’s availability and continued updates indicate increasing demand among cybercriminals. To counteract these threats, individuals and organizations need to adopt robust security controls, utilize threat intelligence for early detection, and enhance user awareness about phishing and suspicious app downloads.
| Sr. No. | Indicator | Type | Remarks |
|---|---|---|---|
| 1 | 65ad213f9c6403308cbc805ebe122e08c52c8d21d1b4f8efd0f406e2d448bdef | SHA256 | G700 |
| 2 | dcdf640e0eef93ff9708e73c461d98f30433770edd2a92f603c8e66f23cf77c1 | SHA256 | APK file |
| 3 | 313804ea8fda918ff8a909f2367e903b030c3aa305e320d20a865fd6b19d062b | SHA256 | Dropper |
| Sr. No. | Tactic | Technique |
|---|---|---|
| 1 | Initial Access | T1566: Phishing |
| 2 | Persistence | T1108: Foreground Application |
| | | T1513: Screen Capture |
| | | T1496: Resource Hijacking |
| | | TA0011: Command and Control |
| | | T1548: Abuse Elevation Control Mechanism |
| | | T1406: Malicious Application |
| | | T1548.002: Request for Elevated Permissions |
| | | T1204: User Execution |
| | | T1171: Exploitation of Trusted Relationships |
| | | T1408: Install Malware |
| | | T1548.003: Bypass User Account Control |
| 3 | Privilege Escalation | T1430: Location Tracking |
| | | T1513: Screen Capture |
| | | T1068: Exploitation for Privilege Escalation |
| | | T1071: Application Layer Protocol |
| | | T1056: Access to Sensitive Information |
| | | TA0010: Data Exfiltration |
| | | T1219: Remote Access Tools |
| | | T1548: Abuse Elevation Control Mechanism |
| 4 | Credential Access | T1417: Input Capture |
| | | T1056.001: Input Capture – SMS |
| | | TA0010: Data Exfiltration |
| | | T1566: Phishing |
| | | T1003: Credential Dumping |
| | | T1071.001: Web Service Exploitation |
| | | T1204: User Execution |
| | | T1027: Obfuscated Files or Information |
| | | T1056.001: Input Capture – Web Form |
| | | T1171: Exploitation of Trusted Relationships |
| 5 | Discovery | T1418: Software Discovery |
| | | T1421: System Network Connections Discovery |
| | | T1422: System Network Configuration Discovery |
| 6 | Collection | T1426: System Information Discovery |
| | | T1430: Location Tracking |
| | | T1417: Input Capture |
| | | T1429: Audio Capture |
| 7 | Command and Control | T1071: Application Layer Protocol |
| | | T1095: Non-Application Layer Protocol |
| | | T1573: Encrypted Channel |
Strategic Recommendations:
Tactical Recommendations:
Operational Recommendations: