Dangerous RAT Targets Outdated Android Phones: What You Need to Know

Image by Softcdkeys.

Outdated Android phones are at high risk of being infected by the dangerous Rafel RAT malware, warns cybersecurity firm Check Point. With over 87% of affected devices running unsupported Android versions, users face significant threats like remote access, data theft, and surveillance. Learn how Rafel RAT operates, the risks it poses, and essential tips to protect your device from this potent malware. Stay informed and safeguard your Android phone against these evolving cyber threats.

Outdated Android Phones Are Prime Targets for Dangerous RAT

Cybersecurity experts at Check Point have raised alarms about a powerful remote access trojan (RAT) named Rafel, which is increasingly being used by various threat actors. The primary victims are users with outdated Android phones.

According to the researchers, over 87% of the infected devices are running Android versions that no longer receive security updates. Android 11, which stopped receiving support nearly five months ago, accounts for 21.4% of the detected infections.

A significant number of Rafel RAT infections were also found in phones running Android versions 6 through 10, with an additional 18% of cases on Android 5 devices. Released nine years ago, Android 5 has been unsupported for six years.

The risks for these users are substantial, as Rafel is a highly capable malware. It supports remote access, surveillance, and data exfiltration, and it has mechanisms to ensure it remains on the infected device. Check Point emphasizes that these features make it a potent tool for covert operations.

“This malware is designed for phishing campaigns, using deceptive tactics to manipulate user trust and exploit interactions,” the report explains. “Once initiated, it seeks necessary permissions and may request to be added to the allowlist, especially if the device’s manufacturer offers app optimization services. This helps ensure its persistence in the system.”

Currently, many phishing operations use this RAT, disguising it as legitimate applications like Instagram, WhatsApp, or various e-commerce platforms. Once installed, the malware may request numerous permissions, such as notifications or administrative rights. Depending on the attacker’s objectives, it can remain stealthy, collecting SMS, call logs, or contacts with minimal user interaction. It operates in the background, communicating with remote command and control servers via HTTP or encrypted HTTPS.

Rafel RAT has all the necessary features for extortion schemes. If it gains DeviceAdmin privileges, it can change the lock screen password and prevent uninstallation. One variant can even encrypt or delete files, functioning as ransomware.

In many cases, the RAT has stolen 2FA messages, potentially bypassing multi-factor authentication. This adds another layer of threat to the already dangerous capabilities of Rafel.

Protecting Your Android Device:

To safeguard against Rafel RAT and similar threats:

  • Update Your Android OS: Always use the latest Android version to ensure your device has the latest security patches.
  • Download Apps from Trusted Sources: Only download apps from the Google Play Store or other trusted sources.
  • Be Wary of Permissions: Scrutinize app permission requests and avoid granting unnecessary access.
  • Use Security Software: Install reliable antivirus and security software on your device.
  • Regular Backups: Regularly back up your data to prevent loss in case of an attack.
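As an added example (not from Check Point's report or from Rafel RAT itself), the permission check above can be automated: the script below flags apps that were not installed by the Play Store and hold the kinds of access the article describes (SMS, call logs, contacts, notification access). The sample text is constructed and modelled on the output of `adb shell dumpsys package` and `adb shell settings get secure enabled_notification_listeners`; the exact field layout and the choice of permissions are assumptions, and the dump is assumed to cover user-installed apps only.

```python
import re

# Permissions matching the data the article says the RAT collects
# (SMS, call logs, contacts); this selection is the example's assumption.
SENSITIVE = {"android.permission." + p for p in
             ("READ_SMS", "RECEIVE_SMS", "READ_CALL_LOG", "READ_CONTACTS")}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]", re.M)
INSTALLER_RE = re.compile(r"installerPackageName=(\S+)")
GRANT_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=true", re.M)

# Constructed sample input (hypothetical package names, not real apps).
SAMPLE_DUMP = """\
Package [com.example.shop] (1a2b3c):
  installerPackageName=com.android.vending
  runtime permissions:
    android.permission.READ_CONTACTS: granted=true
Package [com.example.fakechat] (4d5e6f):
  installerPackageName=null
  runtime permissions:
    android.permission.READ_SMS: granted=true
    android.permission.READ_CALL_LOG: granted=true
    android.permission.CAMERA: granted=false
Package [com.example.notes] (7a8b9c):
  installerPackageName=null
  runtime permissions:
    android.permission.CAMERA: granted=true
"""
SAMPLE_LISTENERS = "com.example.fakechat/.NotifyService:com.example.shop/.Listener"

def audit(package_dump, notification_listeners=""):
    """Return {package: [reasons]} for sideloaded apps with risky access."""
    listeners = {c.split("/")[0] for c in notification_listeners.split(":") if "/" in c}
    findings = {}
    # re.split with one capture group yields [prefix, name1, body1, name2, body2, ...]
    parts = PKG_RE.split(package_dump)[1:]
    for name, body in zip(parts[0::2], parts[1::2]):
        m = INSTALLER_RE.search(body)
        installer = m.group(1) if m else "null"
        if installer in TRUSTED_INSTALLERS:
            continue  # installed from the Play Store, not sideloaded
        reasons = sorted(set(GRANT_RE.findall(body)) & SENSITIVE)
        if name in listeners:
            reasons.append("notification-listener")
        if reasons:
            findings[name] = reasons
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP, SAMPLE_LISTENERS))
```

A flagged app is not proof of infection; it is a short list of sideloaded apps whose access deserves a second look before anything else on the phone.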

By staying vigilant and following these precautions, you can significantly reduce the risk of your Android device being compromised by malware like Rafel RAT.
