Analysis of cifrat: could this be an evolution of a mobile RAT?
ID: bd2d3dde-21f2-5d13-8010-e0052a973d92
STIX ID: report--bd2d3dde-21f2-5d13-8010-e0052a973d92
Feed Name: CERT Polska
**CERT Polska** analysed a multi-stage Android malware campaign that lures victims with a Booking.com-themed phishing site to sideload a malicious APK; the dropper uses a native JNI decoder and encrypted stages to install a final accessibility-controlled RAT that supports credential capture, HTML overlay/phishing, SMS exfiltration, screen and camera streaming, remote gestures, and SOCKS5 relaying, communicating over split WebSocket control/data channels to otptrade.world; the report includes detailed technical analysis, unpacking helpers, anti-analysis findings, and IOCs (URLs, package names, file hashes).
