Researchers at F6 have documented a substantial evolution of the Android trojan DeliveryRAT, which disguises itself as delivery services, marketplaces, banking apps, parcel trackers, and even government services. The variant observed in the second half of 2025 extends far beyond data theft: it can execute DDoS attacks, deploy server-driven phishing screens on the victim device, and conduct mass SMS campaigns across the contact list. This significantly broadens the threat from classic credential theft to monetization via a rentable mobile botnet.
What’s new in DeliveryRAT’s 2025 build
DDoS module turns infected phones into a mobile botnet
The malware receives a target URL and load parameters from its command-and-control (C2) server, then launches a flood of requests from the infected device. After completion, it reports back counts of successful and failed requests. This capability effectively transforms DeliveryRAT into part of a distributed botnet, enabling abuse scenarios ranging from extortion via service disruption to competitive sabotage. Historically, Android-based DDoS has been rare but impactful—recall the 2017 WireX mobile botnet, which leveraged malicious apps to generate significant HTTP floods.
Server-driven phishing screens and data capture
Operators can remotely render one of five activity types over the device screen: Card (bank card form), Custom (arbitrary fields), Photo (image capture/upload), QR (display a QR code), and Text (message). These overlays mimic trusted app UI, making them appear legitimate. The QR activity includes configurable prompts (for example, “Enter tracking number”) and a confirmation button that triggers a faux loading animation—tactics that increase credibility in social engineering workflows.
Mass SMS propagation via contact lists
DeliveryRAT uploads the address book to the C2 and, on command, sends messages to unique contacts for rapid propagation. This approach echoes prior Android campaigns such as FluBot and TeaBot, where smishing chains and lookalike interfaces drove high infection conversion by exploiting trust in known senders.
Capabilities retained from prior versions
The trojan still intercepts SMS and push notifications and can hide them from the user, initiates arbitrary USSD requests, sends SMS on behalf of the user, and can hide or show its app icon. Together, these features maintain covert control channels and obscure security alerts, increasing dwell time and fraud success rates.
Distribution tactics and impersonated brands
Observed samples impersonate well-known brands including Delivery Club, Ozon, Sberbank Online, postal trackers, gig and rideshare platforms, classifieds, ticketing services, clones of government applications, and a modified “Oniongram” messenger. In multiple cases a loader (com.harry.loader) displayed a fake “update” prompt and installed DeliveryRAT from embedded resources—typical sideloading tradecraft used to bypass user scrutiny and basic mobile defenses.
Command-and-control, exfiltration, and persistence
Real-time management leverages a WebSocket C2 channel, streamlining bidirectional coordination and on-demand tasking. Data exfiltration occurs over HTTP. Persistence is achieved via a boot event receiver (BootReceiver) and periodic jobs that sustain connectivity. These TTPs align with modern Android banking malware families that use overlays, though the combination with an integrated DDoS module remains comparatively uncommon, complicating detection and response.
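The capability list in the sections above (SMS and notification interception, USSD, SMS sending, contact upload, overlays) and the BootReceiver persistence described here all leave traces in an app's manifest before a single line of code is read. The following triage script is an added example, not code from F6 or from any DeliveryRAT sample: it parses a decoded AndroidManifest.xml, maps the declared permissions, bound services and boot receiver to capabilities, and scores the combination. The sample manifests, package names, weights and verdict thresholds are constructed assumptions for this example; the permission and action names themselves are standard Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Declarations worth a closer look, mapped to the capability they enable and a
# weight. The weights are this example's own heuristic, not a published scheme.
PERMISSION_CAPABILITIES = {
    "android.permission.RECEIVE_SMS": ("sms_interception", 3),
    "android.permission.READ_SMS": ("sms_interception", 3),
    "android.permission.SEND_SMS": ("sms_sending", 3),
    "android.permission.READ_CONTACTS": ("contact_harvest", 2),
    "android.permission.CALL_PHONE": ("ussd_or_call", 2),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", 3),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("sideload_installer", 2),
}
# Services are identified by the system permission that guards them.
SERVICE_CAPABILITIES = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": ("notification_access", 3),
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("accessibility", 3),
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Constructed, decoded manifest for a hypothetical "parcel tracker" (not a real sample).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.parceltracker.placeholder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Parcel Tracker">
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".NotifyListener"
                 android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    </application>
</manifest>
"""

# Constructed manifest of a plain network-only app, for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather.placeholder">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <application android:label="Weather"/>
</manifest>
"""


def triage_manifest(xml_text):
    """Return package, detected capabilities, heuristic score and a verdict."""
    root = ET.fromstring(xml_text)
    caps = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in PERMISSION_CAPABILITIES:
            cap, weight = PERMISSION_CAPABILITIES[name]
            caps[cap] = max(caps.get(cap, 0), weight)
    for svc in root.iter("service"):
        guard = svc.get(ANDROID_NS + "permission", "")
        if guard in SERVICE_CAPABILITIES:
            cap, weight = SERVICE_CAPABILITIES[guard]
            caps[cap] = max(caps.get(cap, 0), weight)
    for recv in root.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in recv.iter("action")}
        if BOOT_ACTION in actions:
            caps["persistence"] = max(caps.get("persistence", 0), 2)
    score = sum(caps.values())
    # Overlay + SMS access + boot persistence together is the banking-trojan shape.
    combo = {"overlay", "sms_interception", "persistence"}.issubset(caps)
    verdict = "high" if combo or score >= 10 else "medium" if score >= 5 else "low"
    return {
        "package": root.get("package"),
        "capabilities": sorted(caps),
        "score": score,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for text in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(text))
```

The point of the combination rule is that no single permission is damning; a courier app may legitimately read SMS for a one-time code. It is the co-occurrence of overlay drawing, SMS access and a boot-time receiver in an app sideloaded from an "update" prompt that should push a sample to the top of the review queue.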
Threat context: from overlays to rentable mobile botnets
Mobile cybercrime continues to shift from isolated overlay fraud to blended monetization, mixing financial credential theft with botnet-for-hire operations. Prior takedowns of FluBot highlighted how SMS-based worm-like behaviors and convincing UI spoofs can scale quickly. The move to WebSocket C2 further reduces the need for app updates to change lures or forms, hindering static signatures and some behavioral models while extending campaign longevity and agility.
Detection and mitigation recommendations
Reduce risk by limiting sideloading and verifying publisher identity and install counts; scrutinize permissions such as SMS, Draw over other apps, and Accessibility. Prefer hardware security keys or app-based OTP over SMS codes where possible. Enable Google Play Protect or mobile EDR, enforce MDM policies on BYOD/COPE devices, and block untrusted APK sources. At the network layer, monitor and restrict unknown WebSocket destinations, implement DNS filtering, and alert on unusual outbound request bursts that may indicate DDoS activity. Provide user training on overlay phishing and fake update prompts.
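Two of the network-layer recommendations above, flagging WebSocket sessions to unknown destinations and alerting on outbound request bursts, can be checked directly against egress proxy logs. The script below is an added example written for this article, not tooling from F6; the log line format, the host names (all under the reserved .invalid domain), the WebSocket allowlist and the burst threshold are constructed assumptions. It treats a completed upgrade (HTTP 101 with an Upgrade: websocket header) to a host outside the allowlist as a candidate C2 channel, and counts requests from one device to one host inside a sliding time window to spot the flood behaviour the DDoS module would produce.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress-proxy lines in an assumed format:
#   "<ISO timestamp> <src_ip> <dst_host> <method> <status> <upgrade-header-or-dash>"
BASELINE_LINES = [
    "2025-09-01T10:00:00 10.0.0.21 intranet.example.invalid GET 200 -",
    "2025-09-01T10:00:01 10.0.0.21 ws.chat.example.invalid GET 101 websocket",
    "2025-09-01T10:00:05 10.0.0.42 update-check.c2-placeholder.invalid GET 101 websocket",
    "2025-09-01T10:00:09 10.0.0.42 update-check.c2-placeholder.invalid POST 200 -",
]
# A constructed burst: one device sending 30 GETs to one host within six seconds.
BURST_LINES = [
    f"2025-09-01T10:01:{i // 5:02d} 10.0.0.42 target.placeholder.invalid GET 503 -"
    for i in range(30)
]
SAMPLE_LOG = BASELINE_LINES + BURST_LINES

# Hosts the organisation knows legitimately use WebSockets (assumed for this example).
WEBSOCKET_ALLOWLIST = {"ws.chat.example.invalid"}


def parse_line(line):
    """Split one log line into a dict; return None for malformed input."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, method, status, upgrade = parts
    try:
        return {
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "method": method,
            "status": int(status),
            "upgrade": upgrade.lower(),
        }
    except ValueError:
        return None


def find_unknown_websockets(lines, allowlist=WEBSOCKET_ALLOWLIST):
    """Return unique (src, dst) pairs that completed a WebSocket upgrade to a host
    not on the allowlist: the shape of a WebSocket command-and-control channel."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["status"] == 101 and rec["upgrade"] == "websocket" and rec["dst"] not in allowlist:
            pair = (rec["src"], rec["dst"])
            if pair not in hits:
                hits.append(pair)
    return hits


def find_request_bursts(lines, threshold=20, window=timedelta(seconds=10)):
    """Return (src, dst, peak_count) for device/host pairs that exceed `threshold`
    requests inside any sliding window of length `window`: device-side flood activity."""
    per_pair = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        per_pair[(rec["src"], rec["dst"])].append(rec["ts"])
    bursts = []
    for (src, dst), stamps in per_pair.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # Advance the window start until it is within `window` of the current stamp.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts.append((src, dst, peak))
    return bursts


if __name__ == "__main__":
    print("Unknown WebSocket destinations:", find_unknown_websockets(SAMPLE_LOG))
    print("Request bursts:", find_request_bursts(SAMPLE_LOG))
```

On a real proxy the same two queries map onto whatever fields record the response status and the Upgrade header; the threshold and window should be tuned per device class, since a phone that opens 30 connections to one host in six seconds is far more anomalous than a build server doing the same.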
DeliveryRAT’s upgrade underscores a broader trend: Android trojans are fast becoming multi-function crimeware—combining data theft, social engineering, and DDoS from the same foothold. Organizations should tighten mobile app governance, expand visibility into mobile egress traffic, and update incident response plans to account for mobile botnet behavior. Consumers can lower risk by installing apps only from trusted stores, rejecting unexpected permission prompts, and promptly uninstalling suspicious apps. Raising baseline mobile security hygiene today reduces the odds of becoming a node in someone else’s botnet—or a victim of the next phishing lure.