Dark Web News Analysis
A threat actor on a known hacker forum is advertising and selling a new Android Remote Access Trojan (RAT) called “Tianxian” (likely derived from the Chinese “天仙”, meaning Celestial/Fairy). The malware is marketed as a cutting-edge tool capable of compromising devices running the latest Android releases, including Android 16.
Brinztech Analysis:
- The Core Capability: The RAT’s most alarming claim is the ability to record the screen without triggering the screen-capture permission prompt or the on-screen recording indicators. This strongly suggests it weaponizes recently disclosed high-severity flaws such as CVE-2025-32322 (MediaProjection bypass) or CVE-2025-32320 (System UI confused deputy), which allow a malicious app to record the screen without the standard “Casting” icon or consent dialog appearing, making the surveillance invisible. Note that this is an inference from the advertised capability; the listing has not been confirmed against a sample, so the exact exploit chain is unverified.
- The Class: Tianxian belongs to the current generation of Malware-as-a-Service (MaaS) Android RATs (comparable to Albiriox or Craxs). It integrates VNC (Virtual Network Computing) for live remote control, plus keylogging built on the Accessibility Services API, which lets it read on-screen text and keystrokes to capture passwords and 2FA codes in real time.
- Origin: The name and distribution pattern align with Chinese-speaking threat actor groups; it is possibly a successor to or rebrand of older tooling such as TianySpy, though no code overlap has been demonstrated.
Key Cybersecurity Insights
This malware represents a significant leap in mobile surveillance capabilities:
- Invisible Surveillance: By bypassing the screen-recording indicators introduced in Android 14/15 (the status bar cast/recording icon and the persistent screen-sharing notification), Tianxian neutralizes a key user-defense mechanism. Note that the “green dot” indicator covers camera and microphone use, not screen capture; a user should not assume its absence means the screen is not being recorded.
- Broad Functionality: Beyond screen recording, the RAT includes File Management, GPS Tracking, and Microphone/Camera Access. It effectively turns the device into a pocket spy.
- Targeted Android Versions: The explicit claim of Android 16 compatibility indicates the developers are actively reverse-engineering Android’s newest security architecture (tighter Accessibility and MediaProjection controls) to stay ahead of Google’s defenses.
- Banking Fraud Enabler: The combination of live screen viewing and remote touch control allows attackers to perform On-Device Fraud (ODF). They can log into a victim’s banking app from the victim’s own handset, so the session passes the IP reputation and device-fingerprinting checks banks rely on, because it genuinely originates from the enrolled device and network.
Mitigation Strategies
In response to this threat, individuals and organizations must adopt a “Zero Trust” approach to mobile apps:
- Audit Accessibility Services (Critical): Go to Settings > Accessibility (or Settings > Accessibility > Downloaded apps, depending on vendor skin). If any app you do not recognize (often disguised as “System Update”, “Google Service”, or a simple utility) has the service enabled, revoke it immediately and uninstall the app. Accessibility abuse is the primary vector for Android RATs, since it grants screen reading and synthetic input without root.
- Update Security Patches: Ensure all devices are updated to the September 2025 Security Patch level (2025-09-01 or later, as shown under Settings > About phone > Android version). That level covers the MediaProjection vulnerabilities (CVE-2025-32322) this analysis associates with Tianxian; devices that no longer receive patches should be retired from corporate use.
- Mobile Device Management (MDM): Organizations must enforce policies that block sideloading (installation from unknown sources) and use Mobile Threat Defense (MTD) solutions capable of detecting behavioral anomalies (e.g., an app silently recording the screen) rather than just signature-based detection.
- Employee Education: Warn staff about the dangers of downloading “modded” apps (e.g., WhatsApp Gold, Spotify Premium Free) from Telegram or third-party sites, as these are the most common delivery vehicles for Tianxian.
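For fleet or incident triage, the two checks above (enabled Accessibility services and security patch level) can be scripted over adb rather than clicked through per device. The following is an added example written for this post, not Brinztech tooling or anything from the Tianxian listing. It assumes `adb` is on the path and the device is authorized for debugging; the allowlist of legitimate Accessibility packages is a placeholder you must populate for your own fleet, and the sample `settings` string in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an Android device for Accessibility-service abuse
# and stale patch level, using only stock adb commands.
# Baseline taken from the post's recommendation (September 2025 bulletin).
MIN_PATCH="2025-09-01"

# Return 0 when a patch level string (YYYY-MM-DD, from
# ro.build.version.security_patch) is at or after MIN_PATCH.
# Non-date input (empty string, "unknown") is treated as NOT current.
patch_is_current() {
    have=$(printf '%s' "$1" | tr -d '-')
    want=$(printf '%s' "$MIN_PATCH" | tr -d '-')
    [ "$have" -ge "$want" ] 2>/dev/null
}

# enabled_accessibility_services is a colon-separated list of
# package/ServiceClass entries, e.g. (constructed sample):
#   com.android.talkback/.TalkBackService:com.evil.update/.Spy
# Print the distinct package names, one per line. "null" means none set.
a11y_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 \
        | sed '/^$/d;/^null$/d' | sort -u
}

# Print packages with an enabled Accessibility service that are not in
# the space-separated allowlist ($2). Anything printed needs a human look.
unknown_a11y() {
    allow=" $2 "
    a11y_packages "$1" | while IFS= read -r pkg; do
        case "$allow" in
            *" $pkg "*) ;;                 # known-good, skip
            *) printf '%s\n' "$pkg" ;;     # unexpected, report
        esac
    done
}

# Live run against a connected device (assumption: adb available).
# Populate ALLOWLIST with the Accessibility packages your MDM sanctions.
triage_device() {
    ALLOWLIST="com.android.talkback com.google.android.marvin.talkback"
    patch=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    svcs=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    if patch_is_current "$patch"; then
        echo "patch level $patch: OK"
    else
        echo "patch level $patch: BELOW $MIN_PATCH, update required"
    fi
    bad=$(unknown_a11y "$svcs" "$ALLOWLIST")
    if [ -n "$bad" ]; then
        echo "UNEXPECTED accessibility services enabled by:"
        echo "$bad"
        # Inspect the package's origin; a third-party installer is a red flag.
        echo "$bad" | while IFS= read -r p; do
            adb shell pm list packages -i "$p"
        done
    else
        echo "accessibility services: only allowlisted packages"
    fi
}

# Uncomment to run against the attached device:
# triage_device
```

The patch check compares dates numerically after stripping the dashes, so a vendor build that reports an empty or non-date value fails closed. `pm list packages -i` shows the installer of record; a RAT delivered as a “modded” APK from Telegram will typically show no installer or a file-manager package rather than the Play Store.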
Secure Your Business with Brinztech — Global Cybersecurity Solutions Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback? For expert advice, use our ‘Ask an Analyst’ feature. Brinztech does not warrant the validity of external claims. For general inquiries or to report this post, please email us: contact@brinztech.com