Rafel RAT, an open-source Android malware, is making headlines for its attacks on older Android devices, leveraging them for ransomware operations. It has caught the attention of cybersecurity experts due to its widespread use by various cybercriminal groups to target devices no longer supported by regular security updates.
Such outdated devices are easy targets because they no longer receive patches for newly discovered vulnerabilities. With an alarming reach across devices globally, understanding this threat is crucial for all Android users. Find out more about Rafel RAT and how you can keep your device safe below!
The Extent and Impact of Rafel RAT
Check Point researchers Antonis Terefos and Bohdan Melnykov have identified more than 120 campaigns deploying Rafel RAT. They have traced some of these campaigns back to well-known threat actors such as APT-C-35 (also known as DoNot Team), with Iran and Pakistan identified as the main sources of these attacks.
Rafel RAT has managed to infiltrate high-profile organizations in sectors like government and the military, with victims primarily spanning the United States, China, and Indonesia. Over 87.5% of the compromised devices run Android 11 or earlier, versions that no longer receive security updates.
The remaining 12.5% are on newer operating systems, namely Android 12 and 13. In terms of device vulnerability, affected models include Samsung Galaxy, Google Pixel, Xiaomi Redmi, Motorola One, and others from OnePlus, Vivo, and Huawei. This essentially means that no brand is safe from Rafel RAT.
Top models targeted by Rafel RAT (Source: Check Point)
Rafel RAT’s Attack Vectors and Commands
The malware spreads by masquerading as legitimate applications from trusted brands like Instagram and WhatsApp, and as various e-commerce and antivirus apps. It tricks users into installing malicious APK files that request excessive permissions, including an exemption from battery optimization so the malware can keep running undetected in the background.
Once installed, Rafel RAT can execute several harmful actions:
| Command | Description |
| --- | --- |
| ransomware | Initiates encryption of files on the device. |
| wipe | Removes all files from the specified directory. |
| LockTheScreen | Locks the device screen, making it unusable. |
| sms_oku | Transmits all SMS messages (including 2FA codes) to the C2 server. |
| location_tracker | Sends the real-time location of the device to the C2 server. |
Threat actors use a central panel to see device and status information and decide what to do next. In approximately 10% of the cases observed, Rafel RAT issued a ransomware command, according to Check Point’s analysis.
Rafel RAT’s central panel (Source: Check Point)
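The permission profile an app needs in order to do what the commands above describe is visible in its manifest before it is ever run. The following Python script is an added example written for this article, not code from Check Point or from the Rafel RAT project: it triages a decoded AndroidManifest.xml for that profile (battery-optimization exemption, SMS and location access, bulk file access, a device-admin receiver for screen locking) and flags the masquerading pattern from the previous section, a brand name in the app label combined with a package name the genuine app does not use. The grouping of permissions into capabilities, the verdict thresholds, the brand-to-package table and both sample manifests are this example's own assumptions and constructed input; it assumes the manifest has already been decoded to plain XML (for instance with apktool), since inside an APK it is stored as binary AXML.

```python
"""Permission-profile triage of a decoded AndroidManifest.xml.

Added example for this article; not Check Point's detection logic and not
code from the Rafel RAT project. Assumes the manifest was decoded to plain
XML first (e.g. with apktool); xml.etree cannot read the binary AXML form.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
LABEL_ATTR = "{%s}label" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

# Real Android permission names grouped by the RAT capabilities the article
# describes. The grouping is this example's assumption, not a published IOC set.
CAPABILITY_PERMISSIONS = {
    "background persistence (battery optimization exemption)": {
        "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    },
    "sms_oku (SMS / 2FA code exfiltration)": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
    },
    "location_tracker": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "ransomware / wipe (bulk file access)": {
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
}
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Brands the article says are impersonated, with the package-name prefix the
# genuine app ships under (assumed for this heuristic). A brand in the label
# inside a foreign package is the masquerading pattern described above.
GENUINE_PACKAGES = {
    "whatsapp": "com.whatsapp",
    "instagram": "com.instagram.",
}


def triage_manifest(xml_text):
    """Return the capabilities implied by the manifest plus a verdict."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(LABEL_ATTR, "") if app is not None else ""

    requested = {p.get(NAME_ATTR, "") for p in root.iter("uses-permission")}
    capabilities = {cap for cap, perms in CAPABILITY_PERMISSIONS.items()
                    if requested & perms}
    # A receiver guarded by BIND_DEVICE_ADMIN is a device-admin component:
    # that is what lets an app lock the screen or wipe data on command.
    if app is not None and any(r.get(PERMISSION_ATTR) == DEVICE_ADMIN
                               for r in app.iter("receiver")):
        capabilities.add("LockTheScreen / wipe (device admin receiver)")

    impersonated = None
    for brand, prefix in GENUINE_PACKAGES.items():
        if brand in label.lower() and not package.startswith(prefix):
            impersonated = brand

    if impersonated or len(capabilities) >= 2:
        verdict = "suspicious"
    elif capabilities:
        verdict = "review"
    else:
        verdict = "low"
    return {
        "package": package,
        "label": label,
        "capabilities": sorted(capabilities),
        "impersonated_brand": impersonated,
        "verdict": verdict,
    }


# Constructed sample with the profile the article describes; the package
# name is invented for this example.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.update.pro">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="WhatsApp">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed benign sample: an ordinary app asking only for network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_MANIFEST),
                       ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(text))
```

Two caveats when running this against real decoded manifests: the label is often a resource reference (`@string/app_name`) that has to be resolved from the decoded `res/values/strings.xml` before the brand check is meaningful, and a matching permission set is only a lead, since legitimate messaging or backup apps request several of the same permissions. The device-admin receiver plus a brand mismatch is the stronger signal.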
Protective Measures Against Rafel RAT
To stay safe against Rafel RAT, Android users should:
- Avoid downloading APKs from unverified sources, especially if you have an outdated Android device.
- Always scan new apps with Google Play Protect before using them.
- Do not click on suspicious links in emails or text messages.
- Keep the device on a supported Android version and install security updates as soon as they are released; a device that no longer receives updates cannot be patched against newly discovered vulnerabilities.