The open-source Rafel RAT is being leveraged by multiple threat actors to compromise Android devices and, in some cases, to lock them, encrypt their contents, and demand money to restore the device to its original state.
Check Point researchers have observed around 120 different malicious campaigns leveraging the malware, hitting devices around the world, but primarily in the US, China, India and Indonesia.
“The majority of victims had Samsung phones, with Xiaomi, Vivo, and Huawei users comprising the second-largest group among the targeted victims,” they shared.
Top device models targeted with Rafel RAT (Source: Check Point Research)
Rafel RAT bores into Android devices
After a successful installation, Rafel RAT operates stealthily and allows threat actors to:
- Bypass Google Play Protect
- Exfiltrate device information (identifiers, locale, country, operator details, model specifics, root status), location information, and the list of installed applications
- Exfiltrate the victim’s phone book, SMSes, call logs, files
- Delete files and call history, encrypt files, change the device wallpaper, lock the device screen, show or play a specified message to the victim (in different languages)
The malware is operated via a PHP panel, through which the attackers can see information about the compromised devices and send commands to them.
“In addition to the primary communication channel, the malware was initially able to send quick messages through the Discord API,” the researchers noted. “During the onboarding process, it notifies the attacker of a new victim’s appearance. This enables attackers to respond swiftly and extract the necessary data from the compromised device.”
The malware sent the content of device communications in the same way. “This enables the attackers to siphon sensitive data from other applications, such as capturing 2FA codes sent through messaging platforms.”
Outdated devices under attack
As noted before, Check Point researchers have unearthed around 120 campaigns leveraging the Rafel RAT, usually by tricking users into installing what seems to be a legitimate app: Instagram, WhatsApp, popular e-commerce platforms, antivirus apps, and so on.
Users are asked to grant the app notification access or Device Admin rights, along with the permissions that let it collect sensitive information.
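One way a defender can triage a device for the two grants described above (Device Admin and notification access), as an added example that is not from the Check Point report or any Rafel RAT tooling. The sample inputs are constructed in the shape of `adb shell dumpsys device_policy` and `adb shell settings get secure enabled_notification_listeners` output, the package names are made up, and the allowlist is a placeholder to be replaced with what is expected on your own fleet.

```python
import re
# Constructed sample in the shape of `adb shell dumpsys device_policy` (abridged); package names are made up.
DUMPSYS_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.settings/.DeviceAdminReceiver:
      uid=1000
    com.example.fakeinsta/.AdminReceiver:
      uid=10231
  Device owner:
    (none)
"""
# Constructed sample of `settings get secure enabled_notification_listeners` (colon-separated components).
ENABLED_NOTIFICATION_LISTENERS = (
    "com.android.systemui/.statusbar.NotificationListener:"
    "com.example.fakeinsta/.NotifyService"
)
# Hypothetical allowlist: packages expected to hold these grants on this fleet.
TRUSTED_PACKAGES = {"com.android.settings", "com.android.systemui"}

def device_admin_packages(dumpsys: str) -> set[str]:
    """Package names listed under 'Enabled Device Admins'."""
    pkgs, in_block = set(), False
    for line in dumpsys.splitlines():
        if line.lstrip().startswith("Enabled Device Admins"):
            in_block = True
            continue
        if not in_block:
            continue
        m = re.match(r"\s+(?:ComponentInfo\{)?([\w.]+)/[\w.$]+\}?:\s*$", line)
        if m:
            pkgs.add(m.group(1))
        elif line.strip() and not line.startswith("    "):
            in_block = False  # reached the next dumpsys section
    return pkgs

def notification_listener_packages(setting: str) -> set[str]:
    """Package names from the colon-separated listener setting."""
    return {c.split("/")[0] for c in setting.split(":") if c.strip()}

def suspicious_grants(dumpsys: str, setting: str, trusted=TRUSTED_PACKAGES) -> dict[str, list[str]]:
    """Map each non-allowlisted package to the sensitive grants it holds."""
    admins, listeners = device_admin_packages(dumpsys), notification_listener_packages(setting)
    return {pkg: [g for g, s in (("device_admin", admins), ("notification_listener", listeners)) if pkg in s]
            for pkg in sorted((admins | listeners) - trusted)}

if __name__ == "__main__":
    for pkg, grants in suspicious_grants(DUMPSYS_DEVICE_POLICY, ENABLED_NOTIFICATION_LISTENERS).items():
        print(f"REVIEW {pkg}: {', '.join(grants)}")
```

A package that holds both grants and is not on the allowlist is worth a closer look; on a real device, revoking the admin grant through the Settings UI is the step the article's last paragraph warns the malware reacts to, so collect evidence first.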
“It’s intriguing to note the distribution of Android versions among the most affected victims. Android 11 is the most prevalent, followed by versions 8 and 5,” the researchers noted.
“More than 87% of the affected victims are running Android versions that are no longer supported and, consequently, not receiving security fixes.”
Some of the threat actors use the malware to extract sensitive information they can use to mount phishing attacks or to hijack accounts protected with multi-factor authentication.
But the researchers have also identified a ransomware operation using the Rafel RAT: the threat actors first extract information and then decide whether they will encrypt/lock the device and ask for a ransom.
The “ransomware” function is also a measure of last resort: “If a user attempts to revoke admin privileges from the application, it promptly changes the password and locks the screen, thwarting any attempts to intervene.”