In a concerning surge of cyberattacks, multiple bad actors are leveraging the open-source Rafel RAT malware in 120 campaigns to compromise Android devices. These campaigns, identified by Check Point researchers Antonis Terefos and Bohdan Melnykov, aim to steal data, delete files, conduct espionage, and launch ransomware attacks.
Rafel RAT, disseminated through phishing campaigns, masquerades as legitimate apps like WhatsApp and Instagram, tricking users into installing it. Once installed, it grants attackers remote access, enabling surveillance, data exfiltration, and persistent control over the infected devices.
A significant espionage group using Rafel RAT underscores its effectiveness across diverse threat actor profiles. High-profile organizations, including military groups in the U.S., China, and Indonesia, are among the targeted victims. Devices from brands like Samsung, Xiaomi, Vivo, and Huawei, particularly those running older Android versions, are most affected.
Android’s open-source nature, while offering customization, also makes it a prime target for cybercriminals. This malware operates stealthily across an Android ecosystem of more than 3 billion devices; once running, it opens a connection to its C&C servers for downloading, and for forwarding contacts, messages, call logs, device details, and other such relevant data.
The malware’s ability to intercept notifications, including 2FA codes, poses a severe risk of account takeovers. Its capability to change lock-screen passwords and prevent uninstallation further complicates mitigation efforts, making Rafel RAT a formidable threat in the cyber landscape.
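As an added defensive check (not code from the article or the Check Point report), the Python below audits two outputs a responder can pull from a device with adb: the notification-listener setting, which is the access an app needs to read 2FA codes out of notifications, and the third-party package list. It flags listeners outside a trusted set and package ids that borrow the WhatsApp or Instagram name without being the official id. The sample outputs are constructed, and TRUSTED_LISTENERS is an assumption to adjust per fleet.

```python
"""Audit adb outputs for a notification-intercepting lookalike app."""

# Official package ids for the brands Rafel RAT is reported to impersonate.
OFFICIAL = {"whatsapp": "com.whatsapp", "instagram": "com.instagram.android"}
# Listeners expected on a stock device (assumption: extend for your fleet).
TRUSTED_LISTENERS = {"com.android.systemui"}

# Constructed sample output, not captured from a real device:
# `adb shell settings get secure enabled_notification_listeners`
SAMPLE_LISTENERS = (
    "com.android.systemui/com.android.systemui.NotificationListener:"
    "com.whatsapp.update/com.whatsapp.update.NotifService"
)
# `adb shell pm list packages -3` (third-party packages only)
SAMPLE_PACKAGES = (
    "package:com.whatsapp\npackage:com.whatsapp.update\n"
    "package:com.instagram.android\npackage:com.example.notes\n"
)


def parse_listeners(raw: str) -> list[str]:
    """Return package names granted notification-listener access."""
    if not raw or raw.strip() == "null":  # setting prints "null" when unset
        return []
    return [e.split("/", 1)[0] for e in raw.strip().split(":") if e]


def parse_packages(raw: str) -> list[str]:
    """Return package ids from `pm list packages` output."""
    return [line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")]


def audit(listeners_raw: str, packages_raw: str) -> list[tuple[str, str]]:
    """Flag untrusted notification listeners and brand-lookalike package ids."""
    findings = []
    for pkg in parse_listeners(listeners_raw):
        if pkg not in TRUSTED_LISTENERS:
            findings.append(("notification_listener", pkg))
    for pkg in parse_packages(packages_raw):
        for brand, official in OFFICIAL.items():
            if brand in pkg.lower() and pkg != official:
                findings.append(("lookalike_package", pkg))
    return findings


if __name__ == "__main__":
    for kind, pkg in audit(SAMPLE_LISTENERS, SAMPLE_PACKAGES):
        print(f"{kind}: {pkg}")
```

A package that is both a lookalike and holds listener access, as in the sample, is the combination worth escalating first.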
As Android users remain vulnerable, this wave of attacks highlights the urgent need for updated security measures and vigilance against phishing schemes to safeguard personal and organizational data.