TL;DR: SURXRAT is an Android MaaS RAT distributed through Telegram that confirms SMS theft, file exfiltration, and cloud-backed control through Firebase, according to Gurucul. The case shows how attacker-operated mobile malware can abuse legitimate cloud services and permission prompts to bypass traditional detection and trust assumptions.
NHIMG editorial — based on content published by Gurucul: SURXRAT: MaaS Android RAT Leveraging Telegram and Firebase Infrastructure
By the numbers:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: How should security teams detect Android malware that abuses cloud services for exfiltration?
A: Focus on behaviour, not just hashes or domains.
Q: Why do mobile permissions become a governance problem once a malicious app is installed?
A: Because the approval event is only the start of the risk.
Q: What do organisations get wrong about trusted cloud services in malware investigations?
A: They often assume that legitimate infrastructure means legitimate use.
Practitioner guidance
- Correlate Android permissions with cloud egress patterns Flag apps that request SMS and storage together, then watch for background Firebase synchronization, unusual database node names, and repeated read/write bursts tied to the same device.
- Treat mobile permissions as governed identity grants Track which apps receive sensitive permissions, who approved them, and whether access is still justified after installation, especially where the app can access SMS, files, or images.
- Inspect trusted cloud services for attacker misuse Do not rely on domain reputation alone.
What's in the full article
Gurucul's full blog covers the operational detail this post intentionally leaves for the source:
- Reverse-engineering notes for Sms3Activity and the Firebase listener flow behind SMS collection
- Code-level indicators for PhotoRAT and file enumeration paths used for image and document exfiltration
- SOC detection guidance with endpoint, behavioural, and network telemetry examples
- Advertised-versus-validated capability mapping that shows which malware claims were confirmed in code
👉 Read Gurucul's SURXRAT threat research and code validation analysis →
SURXRAT and Firebase abuse: what it means for identity teams?
Explore further
Mobile malware is now an identity abuse problem, not just an endpoint problem. SURXRAT turns granted permissions into a durable attack surface, which means the control failure begins at the point of access approval and continues inside cloud-backed persistence. The relevant governance question is not whether the app asked for permission, but whether the approval model assumed that permission use would remain bounded. Practitioners need to treat mobile app permissions as identity grants with lifecycle consequences.
A few things that frame the scale:
- Only 13% of organisations feel extremely prepared for the reality of agentic AI despite the majority racing toward autonomous adoption, according to The 2026 Infrastructure Identity Survey.
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, according to The 2026 Infrastructure Identity Survey.
A question worth separating out:
Q: How can mobile threat teams reduce the blast radius of Android RAT activity?
A: Limit which apps can combine messaging, storage, and background network access, and continuously review permissions after installation. The key is to make sensitive access time-bound, monitored, and revocable so a single permission grant does not become persistent data theft and remote control.
👉 Read our full editorial: SURXRAT shows how MaaS Android malware abuses cloud identity