Check Point Research (CPR) has uncovered multiple campaigns that leverage Rafel, an open-source remote administration tool (RAT), targeting Android phones used by 4 billion people globally.

CPR discovered the use of this Android malware in espionage (remote surveillance, data exfiltration) and ransomware operations. Victims are tricked, through messages, conversations and similar lures, into downloading apps that impersonate popular services (social media, financial, educational and others). Once such an app is installed, the malware runs on the phone, enabling capabilities ranging from espionage to ransomware.

Rafel RAT is used in over 120 campaigns, affecting users predominantly in the United States, China and Indonesia, according to CPR. Most of the compromised devices are Samsung, Xiaomi, Vivo and Huawei phones, reflecting these brands' market dominance. In addition, most affected devices run outdated Android versions, highlighting the critical need for regular updates and security patches.

“Rafel RAT is another reminder of how open-source malware technology can cause significant damage, especially when targeting big ecosystems like Android, with over 3.9 billion users worldwide,” said Alexander Chailytko, cybersecurity, research and innovation manager at Check Point Software Technologies. “As most of the affected victims are running unsupported Android versions, it is crucial to keep your devices up to date with the most recent security fixes or replace them if they are no longer receiving them, as prominent threat actors and even advanced persistent threat (APT) groups are always looking for ways to leverage their operations, especially with the readily available tools such as Rafel RAT, which could lead to critical data exfiltration, using leaked two-factor authentication codes, surveillance attempts and covert operations, that are particularly devastating when used against high-profile targets.”

John Bambenek, president of Bambenek Consulting, said that, fundamentally, mobile malware comes in the form of malicious applications that users have to be tricked into installing.

“Google has gotten pretty good about making sure none of these apps get on the Play Store, or at least stay there very long,” he said. “Users should never install applications based off a text message. With that being said, this also highlights the importance of persistently applying updates to your mobile phone to make sure that you’re running the latest versions.”