Rafel RAT Hits Outdated Android Phones

An open-source Android malware called ‘Rafel RAT’ is being extensively used by cybercriminals to target outdated devices, with some attacks incorporating a ransomware module that demands payment via Telegram.

According to the report, over 120 campaigns have been detected using the Rafel RAT malware. These campaigns are conducted by known threat actors such as APT-C-35 (DoNot Team), and some malicious activities have been traced back to Iran and Pakistan.

High-profile organizations, including those in government and the military, have been successfully targeted, with most victims located in the United States, China, and Indonesia. Most of the infected devices were running outdated Android versions that no longer receive security updates, making them susceptible to known vulnerabilities. Specifically, Android versions 11 and older accounted for over 87.5% of the total infections, while only 12.5% were running Android 12 or 13.

The malware targets a variety of brands and models, including Samsung Galaxy, Google Pixel, Xiaomi Redmi, Motorola One, and devices from OnePlus, Vivo, and Huawei. This indicates that Rafel RAT is a versatile tool effective against a wide range of Android implementations.

Rafel RAT is disseminated through various means, with threat actors often impersonating popular brands such as Instagram, WhatsApp, e-commerce platforms, or antivirus apps to trick users into downloading malicious APKs. During installation, it requests several risky permissions, including an exemption from battery optimization, which allows it to keep running in the background.

Key capabilities of Rafel RAT include:
– Ransomware: Initiates file encryption on the device.
– Wipe: Deletes all files under the specified path.
– LockTheScreen: Locks the device screen, making it unusable.
– sms_oku: Leaks all SMS and 2FA codes to the command and control (C2) server.
– location_tracker: Transmits live device location to the C2 server.

Threat actors control these actions from a central panel, accessing device and status information to plan subsequent attacks.
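The permissions the article mentions (the battery-optimization exemption) and the listed capabilities (SMS/2FA leakage, live location, screen lock, wipe) each map onto specific Android permission requests, which is what a defender can look for when triaging a sideloaded APK. The following manifest-triage script is an added example, not code from the article or from the underlying report: it parses an Android manifest, flags the permission groups behind each of those capabilities, and also flags the brand-impersonation pattern described above (a well-known app label on a package that does not belong to that brand). The sample manifest, the package name `com.example.photoshare` and the grouping of permissions are constructed for this example; the permission strings and the Instagram/WhatsApp package names are genuine.

```python
"""Manifest triage for the Rafel RAT permission profile (added example).

Parses an Android manifest and flags the permission combinations behind
the capabilities the article lists: background persistence
(battery-optimization exemption), SMS/2FA leakage, live location, and
screen lock / wipe via a device-admin receiver. Also flags a
brand-impersonation hint. The sample manifest below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_LABEL = f"{{{ANDROID_NS}}}label"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Genuine Android permission strings, grouped by the capability they enable.
# The grouping itself is this example's choice.
RISKY_GROUPS = {
    "background_persistence": {
        "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
        "android.permission.RECEIVE_BOOT_COMPLETED",
    },
    "sms_exfiltration": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
    },
    "location_tracking": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}
# A receiver protected by this permission is a device-admin component,
# which is what lock-screen and wipe functionality is typically built on.
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Genuine package names of the brands the article says are impersonated.
# Any other package carrying one of these labels is suspicious.
BRAND_PACKAGES = {
    "instagram": "com.instagram.android",
    "whatsapp": "com.whatsapp",
}

# Constructed manifest mimicking the profile described in the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photoshare">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Instagram">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return package name, application label, requested permissions and
    whether a device-admin receiver (lock / wipe capability) is declared."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {el.get(A_NAME) for el in root.iter("uses-permission")}
    device_admin = any(
        r.get(A_PERMISSION) == DEVICE_ADMIN for r in root.iter("receiver")
    )
    return {
        "package": root.get("package"),
        # Real APKs usually hold "@string/app_name" here; resolving that needs
        # the resource table, which this example does not attempt.
        "label": (app.get(A_LABEL) or "") if app is not None else "",
        "permissions": perms,
        "device_admin": device_admin,
    }


def assess(info):
    """Map the parsed manifest onto the capability groups and return the
    triggered flags; `score` is simply the number of flags raised."""
    flags = []
    for group, needed in RISKY_GROUPS.items():
        if info["permissions"] & needed:
            flags.append(group)
    if info["device_admin"]:
        flags.append("device_admin_lock_or_wipe")
    brand = info["label"].strip().lower()
    if brand in BRAND_PACKAGES and info["package"] != BRAND_PACKAGES[brand]:
        flags.append("brand_impersonation")
    return {"flags": flags, "score": len(flags)}


def triage(xml_text):
    """Convenience wrapper: manifest text in, flags and score out."""
    return assess(parse_manifest(xml_text))


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    for flag in result["flags"]:
        print("FLAG:", flag)
    print("score:", result["score"])
```

On a real APK the manifest is stored in binary XML; a tool such as `apktool` or `aapt dump badging` is needed to obtain the text form this script reads. No single permission here is malicious on its own (a legitimate messaging app needs SMS access, a maps app needs location); the point is the combination, plus a brand label on a package that the brand does not own, which is the installer-side picture the article describes.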

Several ransomware operations involving Rafel RAT have been documented, including one from Iran where the attacker used Rafel RAT’s capabilities for reconnaissance before executing the encryption module.

The attacker erased call history, changed the wallpaper to display a custom message, locked the screen, activated device vibration, and sent an SMS with a ransom note, instructing the victim to contact them on Telegram to resolve the issue.

To protect against Rafel RAT and similar malware, it is crucial to keep your Android device updated with the latest security patches. Avoid downloading apps from unverified sources, especially those that mimic popular brands like Instagram or WhatsApp. Using a reputable mobile security app can also help detect and block malware.