Skip to content

120 Rafel RAT campaigns target Android devices in 14 countries

  • by
  • 4 min read

Over 120 Rafel RAT campaigns affecting various devices, including Samsung, Xiaomi, Vivo, Huawei, Pixel, Motorola, Realme, LG, and Oppo, have been discovered. The campaigns targeted victims primarily in the United States, China, Indonesia, India, Pakistan, Australia, New Zealand, the Russian Federation, Germany, the Czech Republic, France, Italy, Romania, and Bangladesh.

Rafel RAT is particularly insidious due to its sophisticated capabilities and deceptive tactics. It can impersonate legitimate applications, such as Instagram and WhatsApp, to trick users into granting it the necessary permissions. Once activated, Rafel RAT operates covertly in the background, communicating with its command-and-control (C&C) server over HTTP(S) protocols.

The malware can execute many commands, including leaking phone book contacts, SMS messages, and call logs, sending SMS messages, tracking the device’s location, changing device settings, and even initiating ransomware attacks.

“Check Point Research has identified multiple threat actors utilising Rafel, an open-source remote administration tool (RAT). The discovery of an espionage group leveraging Rafel in their operations was of particular significance, as it indicates the tool’s efficacy across various threat actor profiles and operational objectives,” noted researchers.

Rafel RAT supports a variety of commands, enabling attackers to perform numerous malicious actions, including leaking the phone book, SMS, and text messages to the C&C server. Moreover, the malware device information includes country, operator, model, language, battery, root status, and RAM. It can also leak live location and call log information.

The most affected countries include the United States, China, and Indonesia. | Source: Check Point Research

Finally, the malware initiates file encryption, changes the wallpaper, wipes the call history, sends the directory tree of a specified path to the C&C server, sends a list of all installed applications, and uploads a specific file.

Rafel RAT’s command-and-control infrastructure is managed through a PHP-based panel that relies on JSON files for storage. This panel allows threat actors to monitor and control infected devices, providing access to detailed information about the drive and enabling the execution of various commands remotely.

The C&C panel reveals crucial details about the infected devices, such as phone model, Android version, geographical location, and network operator, facilitating targeted attacks and tailored malicious activities.

Researchers further analyzed specific campaigns involving Rafel RAT, including ransomware operations, two-factor authentication (2FA) bypasses, and attacks on government infrastructure. For instance, in a ransomware operation, attackers used Rafel RAT to lock victims’ screens and encrypt files, demanding ransom payments through SMS messages.

Affected devices include Samsung, Xiaomi, Google, LG, Vivo, Huawei, and Motorola. | Souce: Check Point Research

In another case, threat actors exploited Rafel RAT to steal 2FA messages, potentially enabling unauthorised access to sensitive accounts. Additionally, a notable campaign involved the hacking of a Pakistani government website, where Rafel RAT’s C&C panel was hosted, affecting victims from various countries, including the United States, Russia, China, and Romania.

In its fundamental iteration, the Rafel application possesses all the essential features required for executing extortion schemes effectively. When malware obtains DeviceAdmin privileges, it can alter the lock-screen password. In addition, leveraging device admin functionality prevents the malware’s uninstallation. If a user attempts to revoke admin privileges from the application, it promptly changes the password and locks the screen, thwarting any attempts to intervene.

In addition to its locker functionality, the malware incorporates a variant that encrypts files using AES encryption, employing a predefined key. Alternatively, it may delete files from the device’s storage.

When used as ransomware, Rafel RAT allows threat actors to get device information, application lists, call logs, contact details, and SMS messages. At this point, the operator can check the information to determine and then can wipe the victim’s call history, lock screen, send a message containing the ransom note, and other commands.

Hacked Pakistani government website. | Source: Check Point Research

The hacker @LoaderCrazy published this on the Telegram channel. The Rafel web panel was installed on May 18, 2024, through traces of the hacking data back to April 2023.

Cybersecurity researchers have urged users to implement robust endpoint protection mechanisms, educate themselves, and collaborate with other stakeholders to counter Rafel RAT.

In the News: Accenture’s alleged data breach puts employee data at risk

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: