Rafel RAT, Android Malware from Espionage to Ransomware Operations

Check Point Research (CPR) has identified multiple campaigns that leverage Rafel, an open-source Remote Administration Tool (RAT) targeting Android phones (used by more than 3.9B people worldwide). We discovered the use of this Android malware in espionage (remote surveillance, data exfiltration) and ransomware operations.

The victim is being tricked (through messages/conversations etc) to download apps that impersonate popular services (social media, financial, educational, and others), and by installing the apps, the malware is injected into the mobile phone, enabling different kinds of capabilities from espionage to ransomware. We’ve seen over 120 campaigns in a period of 2 years in multiple countries globally, bypassing several security procedures aimed at keeping these mobile users safe from hackers.

The campaigns compromised Android devices, mainly in the United States, China, Indonesia, Russia, India, France, Germany, United Kingdom.

Here are the main takeaways:

Widespread Impact: Rafel RAT is used in over 120 campaigns, affecting users predominantly in the United States, China, and Indonesia
Device Infections: Most of the compromised devices are Samsung, Xiaomi, Vivo, and Huawei phones, reflecting these brands' market dominance
Android Versions: Most affected devices run outdated Android versions, highlighting the critical need for regular updates and security patches
Diverse Threats: From espionage to ransomware, Rafel RAT’s capabilities include remote access, surveillance, data theft, and even encryption of victims’ files.

Noteworthy Cases: · Government Website Compromise: Rafel RAT was found hosted on a hacked government website in Pakistan, redirecting infected devices to report back to this server.

· Ransomware Operations: Instances of Rafel RAT being used to encrypt device files, demanding ransom for decryption.

· 2FA Bypass: The malware has also been linked to stealing two-factor authentication messages, potentially bypassing this critical security measure.

Safety Recommendations for Android Users:

Download Apps from Trusted Sources: Only install apps from reputable stores like Google Play. Avoid third-party sources.
Keep Software Updated: Regular updates ensure devices receive critical security patches.
Use Mobile Security Solutions: Reliable security apps provide real-time protection against malware and other threats.

Mode of Operation:

Rafel RAT is involved in phishing campaigns, where victims are tricked into installing malicious APKs that disguise themselves with a fake name and icon, request extensive permissions, display legitimate websites, which it tries to mimic, and then secretly track the device and leak data.
Rafel RAT could be disguised as the following types of applications with their respective names:
Apps store (Google Store, BlackMart, BlackMart-MOD)
Social (La Morocha, Instagram, BOOYAH, Black WhatsApp)
Finance (PicPay, RM Trade, Mercado Pago)
Maps & Navigation (PlamThaiDriver)
Lifestyle (EHSAN)
Education (DASNHS)
Tools (MOTU CC CHECKER, Goxome: Modern Menu System)
Hacking Tools (Reverse Engineering Toolkit, Unlimited Bomber)
Other (ScammersExposed, UR RAT, Lite App, BEKU-DANA)

According to Alexander Chailytko, Cyber Security, Research & Innovation Manager at Check Point Software Technologies:

"Rafel RAT is another reminder of how open-source malware technology can cause significant damage, especially when targeting big ecosystems like Android, with over 3.9 billion users worldwide. As most of the affected victims are running unsupported Android versions, it is crucial to keep your devices up-to-date with the most recent security fixes or replace them if they are no longer receiving them, as prominent threat actors and even APT groups are always looking for ways to leverage their operations, especially with the readily available tools such as Rafel RAT, which could lead to critical data exfiltration, using leaked Two-Factor Authentication codes, surveillance attempts and covert operations, that are particularly devastating when used against high-profile targets.”