Rafel RAT Used in 120 Campaigns Targeting Android Device Users
2024-6-25 01:33:10 Author: securityboulevard.com (view original)

Multiple bad actors are using the Rafel RAT malware in about 120 campaigns aimed at compromising Android devices and launching a broad array of attacks that range from stealing data and deleting files to espionage and ransomware.

Rafel RAT is an open-source remote administration tool that is spread through phishing campaigns aimed at convincing targets to install the malware, which is disguised as legitimate applications like WhatsApp and Instagram or other software, including e-commerce platforms and antivirus tools.

Once installed on the device, the malware gives threat groups myriad malicious capabilities “such as remote access, surveillance, data exfiltration, and persistence mechanisms, [which] make it a potent tool for conducting covert operations and infiltrating high-value targets,” Check Point threat researchers Antonis Terefos and Bohdan Melnykov wrote in a report.

“The discovery of an espionage group leveraging Rafel in their operations was of particular significance, as it indicates the tool’s efficacy across various threat actor profiles and operational objectives,” Terefos and Melnykov wrote.

Some of the 120 campaigns targeted high-profile organizations, including military groups, with most victims being in the United States, China, and Indonesia. Organizations in other countries, including Russia, France, Germany, Italy, India, Pakistan, and Australia, also were in the crosshairs.


Pixel, Samsung, Xiaomi Users Targeted

Check Point was able to break down the characteristics of most of the Android devices caught up in the dozens of campaigns. Of the nine vendors named, Samsung accounted for the most victims, followed by Xiaomi, Vivo, and Huawei; other brands were also hit. The most frequently targeted models were Google’s Pixel and Nexus, Samsung’s A and S series, and Xiaomi’s Redmi series.

“Android 11 is the most prevalent, followed by versions 8 and 5,” they wrote. “Despite the variety of Android versions, malware can generally operate across all. However, newer versions of the operating system typically present more challenges for malware to execute its functions or require more actions from the victim to be effective.”

More than 87% of the victims were running versions of Android that were no longer supported, so they weren’t getting security fixes.

Terefos and Melnykov wrote that malware like Rafel RAT illustrates the security challenges that come with Android. The flexibility of the operating system’s open-source nature fuels a wide range of features and customization options, but its widespread adoption and open environment also increase the risk of being targeted by cybercriminals.

Android an Attractive Target

Android, which runs on more than 3 billion devices worldwide, holds more than 70% of the global market for mobile OSes. In a report comparing security features in Android and Apple iOS, NordVPN wrote that while Apple’s closed development of iOS makes it more challenging for bad actors to compromise, Apple devices aren’t immune to threats.

“Meanwhile, Android’s open-source code allows it to receive speedy feedback from industry experts who continuously monitor it for possible vulnerabilities,” the company wrote. “However, Android operates numerous devices that use different versions of its operating system. Because of that, manufacturers and carriers may not always deliver the needed updates for a specific device group in a timely manner.”

The various bad actors using Rafel RAT may modify the malware to suit their needs and to stay undetected, but even so, it starts running in the background immediately after installation. It operates covertly, initiates communication with the command-and-control (C2) server, activates location tracking, and sets up text-to-speech components.

“This involves transmitting information about the device, including its identifiers, characteristics, locale, country, model specifics, and operator details,” they wrote. “Next, a request is sent to the [C2] server for the commands to execute on the device.”

A Laundry List of Threats

Those commands include exfiltrating data to the C2, namely contacts, text messages, live location, call logs, device information (model, amount of memory, language, and battery level), and a list of installed applications. They also include destructive and ransomware-style actions: deleting files, wiping call histories, locking the device’s screen, encrypting data, and changing the device’s wallpaper.

They also enable the attackers to get contact details from the device, such as names and numbers, that can be used to access sensitive personal data stored on the device that then can be leveraged to steal identities, run social engineering attacks, and launch other malicious schemes against people in the contact list.

Terefos and Melnykov also wrote that the malware can intercept and read the content of device notifications and forward them to the attackers, allowing them to see data from other applications, such as two-factor authentication (2FA) codes delivered via messaging platforms. This is a particular worry because it could lead to multiple account takeovers, they wrote.

The threat actors control the malware through a PHP-based C2 panel, logging in with a designated username and password to monitor and command the compromised devices.

The malware also has what it needs to run ransomware attacks, the researchers wrote.

“When malware obtains DeviceAdmin privileges, it can alter the lock-screen password,” they wrote. “In addition, leveraging device admin functionality aids in preventing the malware’s uninstallation. If a user attempts to revoke admin privileges from the application, it promptly changes the password and locks the screen, thwarting any attempts to intervene.”
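The capabilities described above (contact, SMS, call-log and location exfiltration, notification interception for 2FA codes, device-admin lock-screen control, and impersonation of apps like WhatsApp) all leave traces in an APK’s manifest: an app must request the corresponding permissions, declare a receiver guarded by BIND_DEVICE_ADMIN to become a device admin, and declare a service guarded by BIND_NOTIFICATION_LISTENER_SERVICE to read notifications. The following triage script is an added example, not Check Point’s tooling or anything from the Rafel RAT project; it scores a decoded AndroidManifest.xml (as produced by apktool) for that combination. The two embedded manifests are constructed samples with hypothetical package and component names; real Rafel samples are not reproduced here, and the label check assumes the label is a literal string rather than a `@string/...` resource reference.

```python
"""Triage a decoded AndroidManifest.xml for Rafel-style RAT indicators.

Added example; the package names and component names in the samples below
are hypothetical, not taken from real Rafel RAT samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Return the ElementTree key for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Capabilities the article attributes to Rafel RAT, keyed by the permission an
# APK must request to obtain them.
DANGEROUS_PERMS = {
    "android.permission.READ_CONTACTS": "exfiltrate contacts",
    "android.permission.READ_SMS": "exfiltrate text messages",
    "android.permission.READ_CALL_LOG": "exfiltrate call logs",
    "android.permission.ACCESS_FINE_LOCATION": "live location tracking",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence across reboots",
    "android.permission.WRITE_EXTERNAL_STORAGE": "delete or encrypt files",
}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Brands the article says Rafel impersonates, with their genuine package names.
IMPERSONATED = {"whatsapp": "com.whatsapp", "instagram": "com.instagram.android"}


def triage_manifest(xml_text):
    """Return findings and a verdict for one decoded manifest."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    app = root.find("application")
    # Assumes a literal label; apktool output often has "@string/app_name",
    # which would need resolving against res/values/strings.xml first.
    label = (app.get(android_attr("label"), "") if app is not None else "").lower()
    findings = []

    requested = {e.get(android_attr("name")) for e in root.findall("uses-permission")}
    for perm, why in DANGEROUS_PERMS.items():
        if perm in requested:
            findings.append("permission %s: %s" % (perm, why))

    if app is not None:
        # A receiver guarded by BIND_DEVICE_ADMIN is what lets an app become a
        # device admin, change the lock-screen password and resist uninstall.
        for recv in app.findall("receiver"):
            if recv.get(android_attr("permission")) == DEVICE_ADMIN_PERM:
                findings.append("device admin receiver %s" % recv.get(android_attr("name")))
        # A service guarded by BIND_NOTIFICATION_LISTENER_SERVICE can read every
        # notification, including 2FA codes posted by messaging apps.
        for svc in app.findall("service"):
            if svc.get(android_attr("permission")) == NOTIF_LISTENER_PERM:
                findings.append("notification listener service %s" % svc.get(android_attr("name")))

    for brand, real_pkg in IMPERSONATED.items():
        if brand in label and pkg != real_pkg:
            findings.append("label '%s' impersonates %s (package %s, expected %s)"
                            % (label, brand, pkg, real_pkg))

    has_admin = any(f.startswith("device admin") for f in findings)
    has_listener = any(f.startswith("notification listener") for f in findings)
    impersonates = any("impersonates" in f for f in findings)
    perm_hits = sum(1 for f in findings if f.startswith("permission"))
    # Verdict: brand impersonation alone is damning; otherwise require a
    # privileged component plus at least two exfiltration/persistence perms.
    suspicious = impersonates or ((has_admin or has_listener) and perm_hits >= 2)
    return {"package": pkg, "findings": findings,
            "permission_hits": perm_hits, "suspicious": suspicious}


# Constructed sample: a fake "WhatsApp" with the traits the article describes.
SAMPLE_MALICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat.update">
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="WhatsApp">
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <service android:name=".NotifService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: a benign app with a single unrelated permission.
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Flashlight">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for sample in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        result = triage_manifest(sample)
        print(result["package"], "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against `apktool d sample.apk` output by reading the decoded manifest into `triage_manifest`. The permission list is deliberately a subset: INTERNET is requested by almost every app and carries no signal on its own, which is why the verdict hinges on the privileged receiver/service declarations rather than permission count alone.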



Source: https://securityboulevard.com/2024/06/rafel-rat-used-in-120-campaigns-targeting-android-device-users/