Outdated Android phones are at risk from a dangerous RAT lurking within

Warning: Outdated Android Phones at Risk of Powerful Remote Access Trojan (RAT) Rafel, Check Point Researchers Find

Researchers at Check Point have warned that a capable Android remote access trojan (RAT) called Rafel is being used by a growing number of threat actors. Its victims are overwhelmingly on outdated handsets: more than 87% of infected devices run Android versions that no longer receive security updates.

The single most common version among infected devices is Android 11, even though it stopped receiving security updates almost five months ago. Almost half of the Rafel RAT instances were found on phones running Android 6 to 10, and Android 5 also accounts for a significant share. Android 5 was released nine years ago and has been unsupported for six.

Rafel RAT offers its operators remote access, surveillance, data exfiltration and persistence on the compromised device. It is typically delivered through phishing that relies on deception to get the victim to install it. Once installed, the malware requests a range of permissions, keeps a low profile on the device, and talks to its command-and-control servers over plain HTTP or over HTTPS, so its traffic can blend in with ordinary web activity.

Check Point identified APT-C-35, also tracked as DoNot Team or Brainworm, as one of the most active users of Rafel RAT. This group's primary motivation appears to be espionage aligned with Indian government interests, and its campaigns have been observed against targets in the United States, China and Indonesia, among others.

Most victims use Samsung phones, followed by Xiaomi, Vivo and Huawei devices. Check Point stresses that moving to a supported Android version is the key mitigation against Rafel RAT; a handset that can no longer be updated stays exposed to every flaw patched after its last security update.
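The check that follows from the report is simple to automate: read a device's build properties and flag it if its Android release is below the oldest still-supported version or its security patch level is stale. The script below is an added example for this article, not code from Check Point or from the Rafel RAT analysis. It parses the text that `adb shell getprop` prints; the sample properties are constructed to resemble an out-of-date device and are not victim data. The thresholds (Android 12 as the oldest supported release, following the article's statement that Android 11 support has ended, and 90 days as the maximum acceptable patch age) are assumptions chosen for the example and are parameters you can change.

```python
# Added example (not from the article or from Check Point): triage Android
# build properties to spot handsets that no longer receive security updates.
# Input is the text printed by `adb shell getprop`; the sample below is
# constructed to look like an out-of-date device, not real victim data.
from datetime import date, datetime

SAMPLE_GETPROP = """\
[ro.product.manufacturer]: [samsung]
[ro.build.version.release]: [11]
[ro.build.version.sdk]: [30]
[ro.build.version.security_patch]: [2023-10-01]
"""

# Assumptions chosen for this example: Android 12 is the oldest release still
# receiving security updates (the article says Android 11 support has ended),
# and a patch level older than 90 days counts as stale.
MIN_SUPPORTED_RELEASE = 12
MAX_PATCH_AGE_DAYS = 90


def parse_getprop(text):
    """Turn `[key]: [value]` lines from getprop into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and line.endswith("]")):
            continue
        key, sep, value = line[1:-1].partition("]: [")
        if sep:
            props[key] = value
    return props


def major_release(props):
    """Return the numeric major Android version, or None if not parseable."""
    release = props.get("ro.build.version.release", "")
    head = release.split(".")[0]
    return int(head) if head.isdigit() else None


def patch_age_days(props, today):
    """Days between ro.build.version.security_patch (YYYY-MM-DD) and today."""
    raw = props.get("ro.build.version.security_patch")
    if not raw:
        return None
    try:
        patched = datetime.strptime(raw, "%Y-%m-%d").date()
    except ValueError:
        return None
    return (today - patched).days


def assess(props, today, min_release=MIN_SUPPORTED_RELEASE,
           max_age=MAX_PATCH_AGE_DAYS):
    """Return a list of findings; an empty list means the device looks current."""
    findings = []
    major = major_release(props)
    if major is None:
        findings.append("release version missing or unparseable")
    elif major < min_release:
        findings.append(f"Android {major} no longer receives security updates")
    age = patch_age_days(props, today)
    if age is None:
        findings.append("security patch level missing or unparseable")
    elif age > max_age:
        findings.append(f"security patch level is {age} days old")
    return findings


if __name__ == "__main__":
    # To check a real device, replace SAMPLE_GETPROP with the captured
    # output of `adb shell getprop`.
    device = parse_getprop(SAMPLE_GETPROP)
    for finding in assess(device, date.today()):
        print(f"{device.get('ro.product.manufacturer', '?')}: {finding}")
```

Run against a fleet, the patch-age check is usually the more useful of the two: a device can be on a nominally supported release yet sit on a vendor build that has not shipped a security update in months, and that gap is exactly what a RAT targeting unpatched phones relies on.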
