In its latest research report, Check Point Research (CPR) reveals that multiple threat actors are using Rafel, a powerful open-source remote access trojan (RAT), targeting Android devices for espionage and covert intelligence operations. What’s worse: There are over 3.9 billion Android devices exposed to this threat.
One of the adversaries exploiting this RAT is APT-C-35 / DoNot Team, which used Rafel RAT for covert operations, benefiting from its remote access, surveillance, data exfiltration, and persistence mechanisms.
The DoNot Team is known for targeting Android devices. In November 2020, the group targeted Google Firebase cloud messaging to spread Android malware. In October 2021, Amnesty International blamed the DoNot Team for a malware attack against Togolese activists, attributing the attack to the Indian cybersecurity firm Innefu Labs after identifying one of the IP addresses used in the attack.
As for the latest attack, CPR collected multiple malware samples and identified 120 command and control servers. Surprisingly, Samsung phones were the most impacted devices and the US, China, and Indonesia were the most targeted countries.
“The majority of victims had Samsung phones, with Xiaomi, Vivo, and Huawei users comprising the second-largest group among the targeted victims,” CPR’s report read.
This could be due to the sheer popularity of these brands, making them a wider target base for attackers.
Over 87% of affected victims were running outdated Android versions that no longer receive security updates. These outdated systems lack critical security patches, making them easier targets for malware exploitation. Most impacted are Android 11 users, followed by Android versions 8 and 5 users.
While Windows bots consistently cause high Windows XP infections, despite reaching its End of Life in 2014, Android devices also suffer from this issue. CPR has examined three specific cases: ransomware operations, leaked Two-Factor Authentication messages, and Rafel command and control on a hacked Pakistani government website, revealing the prevalence of these threats.
Rafel RAT, an open-source Android malware, is a significant threat due to its widespread use in illicit activities. It can be used by attackers to steal sensitive data, turn infected devices into spy tools, and lock users out or hold their data hostage. This can compromise privacy by stealing phone contacts, SMS messages, and call logs, and turning the device into a surveillance device.
CPR’s research shows the need for continuous vigilance and proactive security measures to protect Android devices from malicious exploitation and the importance of a multi-layered approach to mobile security.
To stay safe on Android, always install apps from trusted sources like Google Play Store, avoid third-party apps, and check app permissions and reviews.
RELATED TOPICS
- Android Malware Poses as WhatsApp, Instagram to Steal Data
- Fake govt COVID-19 tracking app spreads Android ransomware
- Antidot Android Malware Poses as Google Update to Steal Funds
- LG Smart TV Screen Bricked After Android Ransomware Infection
- Microsoft warns of new Android ransomware blackmailing victims