New Android Rafel RAT Takes Complete Control Of Android Device


Android has many features and access to apps but is prone to security risks due to its open-source nature.

Android malware, viruses, Trojans, ransomware, spyware, and adware programs threaten the data privacy and integrity of users.

These threats exploit different attack vectors, including app downloads, malicious sites, phishing, and system vulnerabilities.

Understanding Android malware becomes imperative as attackers become more sophisticated in their evasion techniques.


Cybersecurity researchers at Check Point identified Rafel RAT, an open-source remote administration tool abused for malicious activity on Android devices. Its spread underlines the need for stronger security measures across the Android ecosystem.

Android Rafel RAT

Check Point Research discovered that around 120 malicious campaigns targeting high-profile organizations globally were using Rafel, an open-source Android RAT used by multiple threat actors.

Rafel can be used, among other things, for remote access to a compromised device or the network it sits on.

Frequently targeted devices ran outdated Android versions; Samsung, Google, and Xiaomi devices were among the victims.

Victim devices (Source – Check Point)

The malware masquerades as a legitimate app, requests permissions, and communicates with C&C servers over HTTP(S). Through a PHP panel, operators monitor and control infected devices.

They can also collect sensitive information from the device and execute commands remotely.

Rafel RAT features (Source – Check Point)

This highlights significant risks in the Android ecosystem, with observed malicious activities including ransomware operations, 2FA bypasses, and government site hacks.

Rafel uses DeviceAdmin privileges to lock the screen, block uninstallation, and encrypt or delete files.
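Because device-admin abuse of the kind described above is declared in the app's manifest (a receiver protected by `BIND_DEVICE_ADMIN` that handles `DEVICE_ADMIN_ENABLED`), a decoded `AndroidManifest.xml` is a cheap place to triage a suspicious APK. The following Python is an added example, not code from the article or from Check Point: the manifest it scans is constructed to resemble the behaviour described (device-admin receiver plus SMS and storage access) and is not Rafel's real manifest, and the set of permissions it treats as high-risk is an assumption chosen for the demo.

```python
"""Static triage of a decoded AndroidManifest.xml for device-admin abuse indicators.

Added example; not the article's or Check Point's code. The manifest below is
constructed for the demo and is not Rafel's real manifest.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """ElementTree stores namespaced attributes as '{namespace}name'."""
    return f"{{{ANDROID_NS}}}{name}"


# Real Android identifiers: a device-admin receiver must be protected by this
# permission and handle this action.
DEVICE_ADMIN_PERMISSION = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Assumption for this demo: permissions that, combined with device admin in an
# app that is not an MDM client, make the sample worth an analyst's time.
HIGH_RISK_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def device_admin_receivers(root: ET.Element) -> List[str]:
    """Return receiver names that are wired up as device administrators."""
    found = []
    for recv in root.iter("receiver"):
        if recv.get(android_attr("permission")) != DEVICE_ADMIN_PERMISSION:
            continue
        actions = {act.get(android_attr("name")) for act in recv.iter("action")}
        if DEVICE_ADMIN_ACTION in actions:
            found.append(recv.get(android_attr("name")))
    return found


def requested_permissions(root: ET.Element) -> Set[str]:
    return {p.get(android_attr("name")) for p in root.iter("uses-permission")}


def triage(manifest_xml: str) -> Dict[str, object]:
    """Score a decoded manifest: 2 points for a device-admin receiver, 1 per risky permission."""
    root = ET.fromstring(manifest_xml)
    admins = device_admin_receivers(root)
    risky = sorted(requested_permissions(root) & HIGH_RISK_PERMISSIONS)
    score = (2 if admins else 0) + len(risky)
    return {
        "package": root.get("package"),
        "device_admin_receivers": admins,
        "risky_permissions": risky,
        "score": score,
        "verdict": "review" if score >= 3 else "low",
    }


# Constructed sample: a fake "system update" app with a device-admin receiver.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="System Update">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for xml in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(xml))
```

The manifest inside a real APK is binary XML, so in practice you would first decode it (for example with apktool) and feed the resulting text to `triage`. A device-admin receiver is legitimate in MDM and some enterprise apps, which is why the score only asks for a review rather than declaring the sample malicious.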

One example might have been a recent Iranian campaign that targeted a Pakistani victim with Rafel, using the malware to compromise the device and display extortion pop-ups.

The same actor also infiltrated a Pakistani government site and installed a Rafel C&C panel on it.

Rafel is an open-source program with a large range of features, including options such as bypassing 2FA, which make it highly adaptable for threat actors focusing on different countries.

Consequently, Android security measures must be defensive in nature, such as threat intelligence, endpoint protection, user education, and collaboration among stakeholders within the information security ecosystem.

IOCs

SHA256:

  • d1f2ed3e379cde7375a001f967ce145a5bba23ca668685ac96907ba8a0d29320
  • 442fbbb66efd3c21ba1c333ce8be02bb7ad057528c72bf1eb1e07903482211a9
  • 344d577a622f6f11c7e1213a3bd667a3aef638440191e8567214d39479e80821
  • c94416790693fb364f204f6645eac8a5483011ac73dba0d6285138014fa29a63
  • 9b718877da8630ba63083b3374896f67eccdb61f85e7d5671b83156ab182e4de
  • 5148ac15283b303357107ab4f4f17caf00d96291154ade7809202f9ab8746d0b

Command and control servers:

  • districtjudiciarycharsadda.gov[.]pk
  • kafila001.000webhostapp[.]com
  • uni2phish[.]ru
  • zetalinks[.]tech
  • ashrat.000webhostapp[.]com
  • bazfinc[.]xyz
  • discord-rat23.000webhostapp[.]com
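The indicators above are only useful once they are checked against your own telemetry. The Python below is an added example, not code from the article or from Check Point: it refangs the published C&C domains, matches DNS log lines against them (including subdomains of a listed domain, which a plain string comparison would miss), and checks a file inventory against the published SHA256 hashes. The DNS log lines, file paths and the key=value log format are constructed for the demo and are assumptions about what your resolver logs look like.

```python
"""Match the Rafel RAT IOCs published in the article against constructed log data.

Added example; not the article's or Check Point's code. The hashes and domains
are copied from the article; the log lines and file inventory are constructed.
"""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Set

# SHA256 hashes of the samples, as published.
RAFEL_SHA256: Set[str] = {
    "d1f2ed3e379cde7375a001f967ce145a5bba23ca668685ac96907ba8a0d29320",
    "442fbbb66efd3c21ba1c333ce8be02bb7ad057528c72bf1eb1e07903482211a9",
    "344d577a622f6f11c7e1213a3bd667a3aef638440191e8567214d39479e80821",
    "c94416790693fb364f204f6645eac8a5483011ac73dba0d6285138014fa29a63",
    "9b718877da8630ba63083b3374896f67eccdb61f85e7d5671b83156ab182e4de",
    "5148ac15283b303357107ab4f4f17caf00d96291154ade7809202f9ab8746d0b",
}

# C&C domains, defanged with "[.]" exactly as published.
RAFEL_C2_DEFANGED = [
    "districtjudiciarycharsadda.gov[.]pk",
    "kafila001.000webhostapp[.]com",
    "uni2phish[.]ru",
    "zetalinks[.]tech",
    "ashrat.000webhostapp[.]com",
    "bazfinc[.]xyz",
    "discord-rat23.000webhostapp[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a usable one."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


RAFEL_C2: Set[str] = {refang(d) for d in RAFEL_C2_DEFANGED}


def domain_matches(query: str, blocklist: Set[str]) -> Optional[str]:
    """Return the listed domain if `query` is that domain or a subdomain of it, else None."""
    labels = query.lower().rstrip(".").split(".")
    # Walk the name and each parent suffix: a.b.c -> a.b.c, b.c, c
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


# Constructed resolver log lines (assumed key=value format; adapt LOG_RE to yours).
SAMPLE_DNS_LOG = """\
2024-06-24T09:58:11Z client=10.20.0.14 qtype=A query=updates.example.com
2024-06-24T09:58:40Z client=10.20.0.14 qtype=A query=kafila001.000webhostapp.com
2024-06-24T09:59:02Z client=10.20.0.31 qtype=A query=panel.zetalinks.tech.
2024-06-24T09:59:30Z client=10.20.0.31 qtype=A query=notzetalinks.tech
2024-06-24T10:00:05Z client=10.20.0.77 qtype=AAAA query=districtjudiciarycharsadda.gov.pk
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=\S+ query=(?P<query>\S+)$")


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per log line whose queried name is a listed C&C domain or a subdomain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines in another format are skipped, not treated as misses
        ioc = domain_matches(m["query"], RAFEL_C2)
        if ioc:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "query": m["query"].rstrip("."), "ioc": ioc})
    return hits


def scan_hashes(file_hashes: Dict[str, str]) -> List[str]:
    """Return paths whose SHA256 (any letter case) matches a published sample hash."""
    return [path for path, digest in file_hashes.items() if digest.lower() in RAFEL_SHA256]


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed file inventory, e.g. from a device backup or an APK quarantine share.
SAMPLE_INVENTORY = {
    "/sdcard/Download/update.apk": "D1F2ED3E379CDE7375A001F967CE145A5BBA23CA668685AC96907BA8A0D29320",
    "/sdcard/Download/notes.apk": sha256_of(b"constructed benign content"),
}

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print("DNS hit:", hit)
    print("Hash hits:", scan_hashes(SAMPLE_INVENTORY))
```

Note that `notzetalinks.tech` is correctly ignored while `panel.zetalinks.tech` is flagged: the suffix walk compares whole labels, so a lookalike that merely ends with a listed string does not produce a false positive, and a subdomain of a listed domain is not missed.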
