
Android Users Warned of Growing Rafel RAT Malware Threat

Security researchers are warning about Rafel, an open-source remote administration tool (RAT) that targets Android devices.

An investigation by Check Point Research (CPR) identified multiple threat actors using Rafel RAT, including an espionage group, demonstrating the tool’s versatility in achieving a variety of malicious goals.

An earlier CPR publication already linked Rafel to the APT-C-35/DoNot team, highlighting its capabilities for remote access, surveillance, data exfiltration, and persistence on target devices.

By analyzing malware samples and approximately 120 command-and-control (C2) servers, CPR identified the United States, China and Indonesia as the most affected countries. Most of the infected devices were Samsung phones, followed by Xiaomi, Vivo and Huawei.


The study also found that Android 11 was the most frequently infected version, followed by versions 8 and 5. While newer Android releases make it harder for malware to run, older versions remain highly exposed.

More than 87% of infected devices were running an unsupported version of Android, leaving them vulnerable to attacks due to a lack of security updates.

“Neglecting software updates, especially in regions where newer devices are less available, increases vulnerability,” warned Krishna Vishnubhotla, vice president of product strategy at Zimperium.

“Effective countermeasures must therefore include robust user education on how to recognize threats and use safe mobile practices, as well as technical safeguards.”

CPR’s in-depth case-specific analysis included an Android ransomware operation, a scenario involving a two-factor authentication (2FA) message leak, and a situation where a government website in Pakistan was compromised to host the Rafel RAT command and control infrastructure.

“The involvement of a Rafel espionage group suggests potential national security implications,” said Callie Guenther, senior manager of cyberthreat research at Critical Start.

“If critical infrastructure or government operations are targeted, the impact could extend beyond financial losses to include compromise of national security and intelligence.”

To mitigate this risk, Android users are advised to download apps only from trusted sources, keep their software updated and use reliable mobile security apps.

“Google has done a pretty good job of ensuring that none of these apps end up in the Play Store, or at least don’t stay there for too long,” explained John Bambenek, president of Bambenek Consulting.

“Users should never install an app based on a text message. That said, it also highlights the importance of constantly installing updates on your mobile phone to ensure you are running the latest versions.”
