Cybersecurity firm Check Point Research has discovered a potent piece of Android malware, called Rafel, being utilized by threat actors. The malware is an open-source remote administration tool (RAT) and Check Point Research says that it has already observed “an espionage group leveraging Rafel in their operations.”
Victims targeted with Rafel span the globe, with the majority located in the United States, China and Indonesia. The set of phones attacked was equally diverse, including Samsung, Huawei, Xiaomi and Google devices. The one thing most victims had in common is that their devices were running versions of Android that no longer receive security updates, which usually means Android 11 or older.
Once installed on a victim’s phone, Rafel can wreak havoc. It’s capable of exfiltrating contacts, SMS messages, call logs, device information and the list of installed applications, and it can also bypass Play Protect. It allows attackers to send SMS messages, display messages on the screen and force the device to vibrate for up to 20 seconds as well. If an attacker is feeling especially destructive, it’s also possible for them to delete files from a device. And all of this can be done from a web-based administration panel.
Ransomware is another use for Rafel and, according to Check Point Research, is the reason it exists in the first place. With the administration privileges it gains, the malware can change the lock-screen password set by a victim. To make matters worse, the company says that “if a user attempts to revoke admin privileges from the application, it promptly changes the password and locks the screen, thwarting any attempts to intervene.”
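The lockout behaviour described above depends on the app holding Android device-admin policies such as reset-password and force-lock. One way a defender can audit a handset for unexpected admin receivers is to parse the "Enabled Device Admins" section of `adb shell dumpsys device_policy` and flag any package outside an allowlist that holds those policies. The script below is an added example, not code from the article or from Check Point Research; the dumpsys sample it parses is constructed to resemble real output, and the exact layout (indentation, the `policies:` sub-list) is an assumption that should be checked against the Android build in hand.

```python
"""Audit helper: parse the 'Enabled Device Admins' section of
`adb shell dumpsys device_policy` and flag admin receivers that hold
lock/password/wipe policies but are not on an allowlist.

The layout below is an assumption based on a constructed sample; real
output differs between Android versions, so verify it on your device."""

from typing import Dict, Set, Iterable, List

# Device-admin policies an app needs to lock the owner out of the phone
# (names match the <uses-policies> tags of a device_admin.xml).
LOCKOUT_POLICIES = {"reset-password", "force-lock", "wipe-data"}

# Constructed sample: a legitimate MDM receiver plus a suspicious second admin.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.receivers.DeviceAdminReceiver:
      uid=10085
      testOnlyAdmin=false
      policies:
        limit-password
        force-lock
        wipe-data
      passwordQuality=0x0
    com.fakeapp.update/.AdminReceiver:
      uid=10231
      testOnlyAdmin=false
      policies:
        reset-password
        force-lock
      passwordQuality=0x0
  mLockTaskPackages=[]
"""


def parse_enabled_admins(dump: str) -> Dict[str, Set[str]]:
    """Return {component_name: set(policy_names)} for every enabled admin."""
    admins: Dict[str, Set[str]] = {}
    in_section = False
    current = None
    in_policies = False
    for raw in dump.splitlines():
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if line.startswith("Enabled Device Admins"):
            in_section = True
            continue
        if not in_section:
            continue
        if indent <= 2:
            # Back at a top-level key: the admin list is finished.
            break
        if indent == 4 and line.endswith(":") and "/" in line:
            # "pkg/.Receiver:" opens a new admin entry.
            current = line[:-1]
            admins[current] = set()
            in_policies = False
        elif current and indent == 6:
            # Attribute lines of the current admin; "policies:" opens its sub-list.
            in_policies = line == "policies:"
        elif current and in_policies and indent == 8:
            admins[current].add(line)
    return admins


def flag_unexpected_admins(admins: Dict[str, Set[str]],
                           allowlist: Iterable[str]) -> List[str]:
    """Components whose package is not allowlisted and which hold a lockout policy."""
    allowed = set(allowlist)
    return sorted(
        component for component, policies in admins.items()
        if component.split("/")[0] not in allowed and policies & LOCKOUT_POLICIES
    )


if __name__ == "__main__":
    # In practice: dump = subprocess.run(["adb", "shell", "dumpsys", "device_policy"], ...).stdout
    found = parse_enabled_admins(SAMPLE_DUMPSYS)
    for comp in flag_unexpected_admins(found, {"com.example.mdm"}):
        print(f"unexpected device admin with lockout policies: {comp} -> {sorted(found[comp])}")
```

Run it against a live dump by replacing `SAMPLE_DUMPSYS` with the adb output; any hit that is not your MDM or a known vendor receiver deserves a look, since a device admin holding reset-password is exactly what the re-locking behaviour quoted above relies on.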
This situation highlights the dangers of running an operating system that has hit End of Life status. Hopefully Google continues to implement safeguards to protect Android users.