Dangerous RAT mostly lurks in outdated Android phones

Multiple threat actors increasingly utilize a powerful remote access trojan (RAT) dubbed Rafel, researchers at cybersecurity firm Check Point warn. Mostly, outdated Android phones get infected.

More than 87% of the affected victims are running Android versions that have reached end-of-life and no longer receive security updates. Android 11 is the most prevalent OS version, with 21,4% of detected infections. Support for Android 11 ended almost five months ago.

Almost half of Rafel RAT instances were found in Android 6-10 phones, with Android 5 accounting for an additional 18%. The Android 5 version was released nine years ago, and its support ended six years ago.

These users risk a lot as malware is highly capable. Rafel is capable of remote access, surveillance, and data exfiltration; it has persistence mechanisms. Check Point believes that makes it a potent tool for conducting covert operations.

“This malware was developed to participate in phishing campaigns. It leverages deceptive tactics to manipulate user trust and exploit their interactions. Upon initiation, the malware seeks the necessary permissions and may also request to be added to the allowlist. Especially when the device’s manufacturer offers extra services for app optimization, this helps to ensure its persistence in the system,” the report warns.

Currently, numerous phishing operations utilize this variant of RAT under the guise of legitimate entities. The app may appear as a widely recognized application, such as Instagram or WhatsApp, numerous e-commerce platforms, etc.

Once installed, malware may request numerous permissions, such as notifications or administrative rights. But, depending on the attacker’s needs, it can remain stealthy and seek minimal user interaction, only collecting SMS, call logs, or contacts. It runs in the background and communicates with remote command and control servers over HTTP or encrypted HTTPS.

Rafel RAT possesses all the essential features required for successful extortion schemes. If it obtains DaviceAdmin privileges, it can alter the lock-screen password and prevent uninstallation. One variant can encrypt or delete files and act as ransomware, as Check Point identified.

In numerous cases, the RAT stole 2FA messages, potentially leading to a multi-factor authentication bypass.


“Check Point Research collected multiple malware samples from this Android RAT and around 120 command and control servers. Further on, we conducted victims’ analysis and found that the most targeted countries were the United States of America, China, and Indonesia,” the report reads.

Most victims have Samsung phones, with Xiaomi, Vivo, and Huawei following.

“Despite the variety of Android versions, malware can generally operate across all. However, newer versions of the operating system typically present more challenges for malware to execute its functions or require more actions from the victim to be effective,” Check Point warns.

Researchers identified the threat actor APT-C-35, also known as DoNot Team or Brainworm, as one of the most active Rafel RAT users. According to SOCRadar, this cybergang's primary motivation appears to be espionage for the interests of the Indian government, and cybersecurity researchers observed that they carried out various campaigns with this aim.