Update now warning issued to millions of Samsung, Pixel and Xiaomi users


Have you recently updated the software on your Samsung, Pixel or Xiaomi phone? If not, you might want to look away now. Check Point’s research team has just released a new report warning of the scale of the risk you’re taking and urging you to update.

The team claims to have tracked the Rafel RAT in the US, UK, China, Indonesia, Russia, India, France and Germany, and detected 120 dangerous campaigns over the past two years – another reminder, they warn, “of how open source malware technology can cause significant damage, especially when it targets large ecosystems like Android, which has more than 3.9 billion users in the world.”

And this RAT is particularly nasty – it’s definitely not something you want on your phone, sifting through all your personal data, sending whatever it wants back to its handlers without you realizing it – at least not until it’s too late. “Our findings,” explains Check Point, “highlighted that most of the victims belonged to Google (Pixel, Nexus), Samsung Galaxy A & S Series and Xiaomi Redmi Series.” But many other devices were also affected.


“It’s crucial to keep your devices up to date with the most recent security patches or replace them if they no longer receive them,” says Check Point’s Alexander Chailytko. “Major threat actors and even APT groups are always looking for ways to exploit their operations, especially with readily available tools such as Rafel RAT, which could lead to the exfiltration of critical data, leaks of two-factor authentication codes, surveillance attempts and covert operations.”

Rafel targets phones via installs from outside the Play Store. And while Google is adding better defenses around these “off-Play apps,” the scale of the problem is enormous; it reported that its new real-time, code-level analysis “has already detected more than 5 million new malicious off-Play apps, helping protect Android users around the world.”

Some of these threats are clearly more dangerous than others. “Rafel has all the essential features required to run extortion schemes effectively,” says Check Point. “When malware gains device administrator privileges, it can change the lock screen password (and) prevent the malware from being uninstalled. If a user attempts to revoke the app’s administrator privileges, it quickly changes the password and locks the screen, thwarting any attempt at intervention.”

Check Point reports that 87% of all infections detected were on phones with older, unsupported Android versions. “But users of current versions of Android should be concerned; this Android threat is capable of infecting a wide range of Android versions, from older unsupported versions to newer ones.”

And that means that even if you’re running Android 14, you need to keep your phone up to date as regular security updates are released. This month we saw Google patch a Pixel vulnerability for which a targeted exploit had been found in the wild. When it comes to Android and malware, we take no chances.

The team caught the Rafel RAT carrying out remote monitoring, data exfiltration and ransomware operations, with victims being “tricked” into downloading apps outside of Google’s Play Store ecosystem, apps that impersonate popular social media services, including some of the biggest and most well-known brands. Simply put, downloading apps on a phone running an outdated version of Android is like playing Russian roulette with multiple bullets in the gun: your chances of coming unstuck are dangerously high.

The social engineering behind these attacks relies on the trick we’re seeing more and more these days: impersonating popular apps to prompt an installation. Apps spoofed by Rafel RAT include WhatsApp and Instagram, which are found on most targeted devices. Once installed, the RAT requests various permissions to access sensitive applications and services, including contacts, call logs and, most importantly, text messaging, which allows the RAT to bypass 2FA security measures.

The RAT is programmed to retrieve contact lists, SMS messages, device information, location data, screenshots and send them to its controlling server. But it can also erase phone data, display fraudulent system messages, delete files and directories, recover data and files stored on the device and transmit them to its handlers.

Check Point advises users to “be wary of links and apps sent by unknown senders or apps downloaded from unknown websites.” For anyone worried they may have downloaded something they shouldn’t, the team suggests “users look for unusual behavior on their device, such as unexpected battery drain, increased data usage, or the presence of unknown applications”.
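For readers who want to check the “presence of unknown applications” and the permissions described above more systematically, the following Python script is an added example (not from Check Point’s report or this article). It assumes the output of `adb shell pm list packages -i -3` and `adb shell dumpsys package <pkg>` has been captured from a device with USB debugging enabled; the sample output embedded here is constructed, and the trusted-store list is an assumption to adjust for the device at hand.

```python
import re
from typing import Dict, List

# Assumption: Play Store plus the first-party Samsung and Xiaomi stores count as trusted installers.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps", "com.xiaomi.market"}

# Runtime permissions the article singles out: SMS (2FA codes), contacts and call logs (exfiltration).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
}

# Constructed sample of `adb shell pm list packages -i -3` output (third-party packages and their installer).
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.instagram.android  installer=com.android.vending
package:com.whatsapp.update  installer=null
package:com.example.flashlight  installer=com.android.packageinstaller
"""

# Constructed excerpts of `adb shell dumpsys package <pkg>` runtime-permission lines.
SAMPLE_DUMPSYS = {
    "com.whatsapp.update": "android.permission.READ_SMS: granted=true\n"
                           "android.permission.READ_CONTACTS: granted=true\n"
                           "android.permission.CAMERA: granted=false\n",
    "com.example.flashlight": "android.permission.CAMERA: granted=true\n",
}

def sideloaded_packages(pm_output: str) -> Dict[str, str]:
    """Map package -> installer for every package not installed by a trusted store."""
    found = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m and m.group(2) not in TRUSTED_INSTALLERS:
            found[m.group(1)] = m.group(2)
    return found

def granted_sensitive(dumpsys_output: str) -> List[str]:
    """List the sensitive runtime permissions a package has actually been granted."""
    granted = re.findall(r"(android\.permission\.\w+): granted=true", dumpsys_output)
    return sorted(p for p in granted if p in SENSITIVE_PERMISSIONS)

def triage(pm_output: str, dumpsys_by_pkg: Dict[str, str]) -> Dict[str, List[str]]:
    """Sideloaded packages with the sensitive permissions each holds; review non-empty entries first."""
    return {pkg: granted_sensitive(dumpsys_by_pkg.get(pkg, "")) for pkg in sideloaded_packages(pm_output)}

if __name__ == "__main__":
    for pkg, perms in triage(SAMPLE_PM_OUTPUT, SAMPLE_DUMPSYS).items():
        print(f"{pkg}: {', '.join(perms) or 'no sensitive permissions granted'}")
```

A sideloaded package named after a well-known app that also holds SMS and contacts permissions matches the pattern the article describes and is the first thing to review or remove.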

One of Android’s key differentiators from iPhone has always been this flexibility to download apps from third-party stores and the web. And restricting these freedoms will do no good. But it remains the most likely source of malware infections.


Given this, it’s no surprise that Google is making it even harder for a bad actor to trick users into installing dangerous apps. Play Protect is improved in Android 15 to analyze app behavior live and report issues even if it hasn’t seen a particular malware variant before, and Google has just revealed a new biometric/PIN requirement before an application that could be high risk is installed in the first place.

None of this helps a user with an older, unsupported phone. And the scale of this problem is staggering. Bitdefender suggests that “nearly a third of smartphones running Android worldwide will run an outdated, unsupported operating system.” Whenever a new vulnerability emerges, the first piece of advice is always the same, regardless of platform: apply the latest security patches as soon as possible. However, for Android devices running end-of-life operating systems, this is not an option.

That’s more than a billion devices, and Bitdefender warns that “attackers know the stats.” So while the golden rules apply to everyone, they apply doubly if you’re playing the dangerous game of storing personal data on an unsupported phone:

  1. Stick to official app stores: Don’t use third-party stores and never change your device’s security settings to allow an app to load.
  2. Check the developer in the app description: is this someone you would like to have in your life? And check the reviews: do they look legit or fake?
  3. Don’t give permissions to an app that it shouldn’t need: Torches and stargazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that make it easier to control devices unless you need them.
  4. Never, ever click links in emails or messages that directly download apps or updates. Always use app stores for installations and updates.
  5. Don’t install apps linked to established apps like WhatsApp unless you know for sure they are legitimate: check reviews and articles online.


