Cybersecurity firm Check Point Research has warned against the open-source Android malware ‘Rafel RAT’, which allows cybercriminals to attack outdated devices.
According to an analysis by Antonis Terefos and Bohdan Melnykov at Check Point, Rafel, an open-source remote administration tool (RAT), was utilized by multiple threat actors, including cyber espionage groups, and identified around 120 different malicious campaigns.
Rafel RAT is an open-source malware tool that operates covertly on Android devices.
It provides malicious actors with a powerful toolkit for remote administration and control, enabling them to carry out a range of malicious activities, from data theft to device manipulation.
The most well-known actors behind these campaigns include APT-C-35 (DoNot Team), while the origins of the malicious activity have been traced back to Iran and Pakistan.
The attacks successfully targeted high-profile organizations, including the government and military sector, with most targeted victims being from the United States, China, Pakistan, Indonesia, and other regions, highlighting the vast geographical reach of the attacks.
During their investigation, Check Point found that most infected devices ran an Android version that had reached the end of life (EoL) and no longer required security updates, making them vulnerable to known vulnerabilities.
The malware primarily attacks devices running Android versions 11 and earlier, accounting for more than 87.5% of the infections. In some cases, only 12.5% of the affected devices run Android 12 or 13.
The affected brands and models include various device types, including Samsung Galaxy, Google Pixel, Xiaomi Redmi, Motorola One, and devices from OnePlus, Vivo, and Huawei. This shows the effectiveness of the Rafel RAT malware against various Android operating systems.
Rafel RAT is spread under the guise of legitimate entities, with threat actors often abusing multiple widely recognized apps, including Instagram, WhatsApp, various e-commerce platforms, antivirus programs, and support apps for numerous services.
This malware was developed to participate in phishing campaigns. Once installed on a victim’s phone, Rafel may request numerous permissions for Notifications or Device Admin rights or stealthily seek minimal sensitive permissions (such as SMS, Call Logs, and Contacts) in its quest to remain undetected.
Regardless, it runs in the background immediately upon activation and communicates with remote command-and-control (C&C) servers over HTTP or encrypted HTTPS.
The Rafel application possesses all the essential features required for executing extortion schemes effectively.
If it obtains DeviceAdmin privileges, the malware can alter the lock-screen password and help in preventing the malware’s uninstallation.
In numerous cases, 2FA messages were stolen, potentially leading to a multi-factor authentication bypass.
“If a user attempts to revoke admin privileges from the application, it promptly changes the password and locks the screen, thwarting any attempts to intervene,” Check Point said in an analysis published last week.
“In addition to its locker functionality, the malware incorporates a variant that encrypts files using AES encryption, employing a predefined key. Alternatively, it may delete files from the device’s storage.”
Check Point Research identified a ransomware operation performed using Rafel RAT, possibly carried out by a threat actor originating from Iran, who sent a “ransom note” in the form of an SMS message written in Arabic that insisted a victim in Pakistan to contact them on Telegram to continue the dialogue.
“Rafel RAT is a potent example of the evolving landscape of Android malware, characterized by its open-source nature, extensive feature set, and widespread utilization across various illicit activities,” Check Point pointed out.
“The prevalence of Rafel RAT highlights the need for continual vigilance and proactive security measures to safeguard Android devices against malicious exploitation.”
To protect against these attacks, users should keep their devices up-to-date, avoid APK downloads from unknown senders or applications downloaded by unknown websites, avoid clicking on URLs embedded in emails or SMS, and scan apps with Google Play Protect before launching them.
