The Trojan:AndroidOS/AndroRat malware family demonstrates how open-source administrative tools can be repurposed into significant mobile security threats. Originating as a publicly available proof-of-concept for Android device control, its code has been adapted and expanded by various threat actors and state-sponsored groups. The malware operates by subverting the Android operating system's security model, primarily through the aggressive solicitation of permissions and the abuse of accessibility services to gain extensive control over target devices. Its evolution reflects a shift from simple information theft to functioning as a complex, multi-stage surveillance platform. The framework's core capability involves breaking device sandboxing to provide operators with remote access to sensitive data and hardware functions, including cameras, microphones, and private communications.