Android, the widely embraced mobile operating system created by Google, serves as the backbone for billions of smartphones and tablets globally. Known for its versatility and open-source design, Android grants users extensive customization options and access to a vast selection of applications via platforms such as the Google Play Store.

However, this openness also brings substantial security risks, especially from Android malware like viruses, Trojans, ransomware, spyware, and adware. These threats endanger user privacy, device security, and personal data integrity through app downloads, malicious websites, phishing attacks, and system vulnerabilities.

The dynamic evolution of Android malware poses ongoing challenges for users, developers, and cybersecurity experts. As attackers utilize increasingly sophisticated techniques to avoid detection and infiltrate devices, understanding the nature of Android malware, how it spreads, and implementing effective prevention strategies is crucial.

What is Rafel RAT

Rafel RAT, an open-source malware tool designed for Android, enables remote administration by malicious actors, facilitating activities such as data theft, complete device control, and locking the phone for ransom.

Rafel is Remote Access Tool Used to Control Victims Using WebPanel With More Advanced Features - Rafel Admin

Utilized by Threat Actors: Rafel RAT Operations

Check Point researchers have issued a warning about the Rafel RAT, an open-source malware targeting outdated Android devices. In certain instances, hackers attempt to lock devices using ransomware and demand payment through Telegram.

Analysts have observed Rafel RAT being deployed in over 120 malicious campaigns across numerous countries globally, with a significant impact on victims in the USA, China, Indonesia, and affecting Russia as well. Some attacks have been linked to established hacking groups like APT-C-35 (DoNot Team), while others originate from unidentified actors, originating from Iran and Pakistan.

In the majority of the attacks analyzed by Check Point, victims were found to be using outdated versions of Android that had reached end-of-life status, rendering them ineligible for security updates. Specifically, Android 11 and earlier versions comprised over 87.5% of the total infections, while devices running Android 12 or 13 accounted for a mere 12.5% of the affected devices.

Interestingly, Samsung phones constituted the largest group of victims, with Xiaomi, Vivo, and Huawei users comprising the second-largest group. This trend reflects the popularity of these brands in global markets.

While some brands had higher infection rates, a wide variety of models were affected. Check Point categorized these models by their respective series. Analysis also revealed that many victims owned Google devices (Pixel, Nexus), Samsung Galaxy A & S Series, and Xiaomi Redmi Series.

Over 87% of the affected victims are using outdated Android versions that have reached end-of-life status, thereby no longer receiving critical security updates. It's easy for attackers to target these phones due to their lack of ongoing security support.

Working Mechanism

Rafel RAT is commonly spread through deceptive means, often using trusted brands like Instagram, WhatsApp, popular e-commerce platforms, and antivirus apps to trick users into downloading malicious APKs.

Once installed, the malware requests extensive permissions, such as running in the background and bypassing battery optimization settings. These permissions allow Rafel RAT to operate unnoticed, making it harder to detect and remove.

The malware adjusts by requesting different permissions—like Notifications, Device Admin rights, or minimal sensitive permissions such as SMS, Call Logs, and Contacts—to avoid detection. Once activated, it runs silently in the background, displaying a misleading notification. Meanwhile, it sets up an InternalService to communicate with its command-and-control (C&C) server.

Communication happens over HTTP(S) protocols, beginning with the initial client-server interaction phase. Here, the malware sends device information like identifiers, characteristics, location, model details, and operator specifics. It then requests commands from the C&C server to carry out tasks on the device.

The table below outlines the fundamental commands found in the original malware sources, which may vary depending on the specific Rafel RAT version, as identified by researchers.

Among the most critical functionalities are:

• ransomware: Initiates file encryption on the device.
• wipe: Deletes all files within a specified path.
• LockTheScreen: Renders the device screen unusable by locking it.
• sms_oku: Sends all SMS messages, including two-factor authentication codes, to the management server.
• location_tracker: Sends device location data to the management server.

Ransomware Operations with Rafel RAT

According to researchers, ransomware was involved in approximately 10% of attacks, where hackers encrypted files on the device using a predefined AES key and demanded ransom from victims.

Check Point analysts observed multiple Rafel RAT operations, notably an attack originating from Iran. Initially, the attackers conducted reconnaissance using other capabilities of Rafel RAT before activating the encryption module. They erased call history, changed the wallpaper to display their message, locked the screen, activated the device’s vibration, and sent SMS messages demanding ransom. Victims were instructed to contact the hackers via Telegram to resolve the issue.

‍

2FA Exploitation by Rafel RAT

Check Point researchers have uncovered several cases where Rafel RAT has intercepted 2FA messages, enabling potential bypasses of two-factor authentication (2FA). By compromising OTP (one-time passwords), malicious actors can evade additional security measures and gain unauthorized access to sensitive accounts and information.

In a recent incident, Check Point researchers discovered a threat actor successfully hacking into a government website from Pakistan. The actor proceeded to install the Rafel web panel on the compromised server, establishing a command and control (C&C) center where infected devices reported their status and activities.

Conclusion

In conclusion, Rafel RAT demonstrates the evolving threat of Android malware with its open-source flexibility and broad use in malicious activities. Protecting against such threats requires avoiding dubious downloads, refraining from clicking on suspicious links in emails and messages, and verifying applications with Play Protect. A comprehensive cybersecurity strategy—including threat intelligence, strong endpoint protection, user education, and industry collaboration—is crucial to effectively countering these evolving threats.

References

1. https://research.checkpoint.com/2024/rafel-rat-android-malware-from-espionage-to-ransomware-operations

‍