Have you recently updated the software on your Samsung, Pixel or Xiaomi phone? If not, you might want to look away now. Check Point’s cyber team has just released a new report warning of the high risk you face and urging updates.
The team says it has tracked the Rafel RAT in the United States, Britain, China, Indonesia, Russia, India, France and Germany and has discovered 120 dangerous campaigns over the past two years – another reminder, they warn, “of how open-source malware technology can cause significant damage, especially when it targets large ecosystems like Android, with more than 3.9 billion users worldwide.”
And this RAT is particularly nasty – definitely not something you want on your phone, going through all your personal data and sending whatever its operators want back to them without you even realizing it – at least not until it’s too late. “Our findings,” says Check Point, “highlighted that most of the victims were Google (Pixel, Nexus), Samsung Galaxy A & S Series and Xiaomi Redmi Series.” But many other devices were also affected.
“It’s critical to keep your devices up to date with the latest security solutions, or to replace them if they no longer receive them,” says Check Point’s Alexander Chailytko. “Prominent threat actors and even APT groups are always looking for ways to leverage their operations, especially with the readily available tools like Rafel RAT, which could lead to critical data exfiltration, leaked two-factor authentication codes, surveillance attempts and covert operations.”
Rafel targets phones via non-Play Store installations. And while Google is adding better defenses around these ‘off-Play apps’, the scale of the problem is enormous; it has reported that its new real-time code-level scanning “has already detected more than 5 million new, malicious off-Play apps, helping protect Android users worldwide.”
Some of these threats are clearly more dangerous than others. “Rafel has all the essential features needed to effectively execute extortion schemes,” Check Point said. “When malware gains device administrator rights, it can change the lock screen password [and] prevent the malware from being removed. If a user attempts to revoke administrative rights to the application, it immediately changes the password and locks the screen, thwarting any attempted intervention.”
Check Point reports that 87% of all infections detected occurred on phones running older, unsupported Android versions. “But users of current Android versions should be concerned; this Android threat can infect a wide range of Android versions, from the oldest unsupported versions to the most recent.”
And that means that even if you’re running Android 14, you’ll need to keep patching your phone as security updates are released regularly. Just this month, we saw Google address a Pixel vulnerability for which a targeted exploit had been found in the wild. When it comes to Android and malware, there is no such thing as no-risk territory.
The team caught the Rafel RAT carrying out remote surveillance, data exfiltration and ransomware, ‘tricking’ victims into downloading apps from outside Google’s Play Store ecosystem, apps that mimic popular social media services, including some of the biggest, best-known brands. Simply put, sideloading apps onto a phone running an outdated version of Android is like playing Russian roulette with multiple bullets in the gun: the chances of getting hit are dangerously high.
The social engineering behind these attacks is based on the type of counterfeiting we see more and more these days: impersonating popular apps to induce an installation. Apps imitated by the Rafel RAT include WhatsApp and Instagram, which are installed on most targeted devices. Once installed, the RAT requests various permissions to access sensitive apps and services, including contacts, call logs and – crucially – text messages, allowing the RAT to bypass 2FA security measures.
The RAT is programmed to retrieve contact lists, text messages, device information, location data and screenshots and send them to the control server. But it can also wipe data from the phone, display fraudulent system messages, delete files and folders, and retrieve data and files stored on the device and forward them to its operators.
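The two capabilities the article attributes to Rafel RAT, device administrator rights (with the reset-password and force-lock powers that let it change the lock screen and resist removal) and granted access to SMS, contacts and call logs, are both visible in standard Android diagnostics. The following is an added triage example, not code from the article or from Check Point: it parses the output of `adb shell dumpsys device_policy` and `adb shell dumpsys package <pkg>` and flags third-party packages that combine device-admin rights with sensitive permissions. The dumpsys excerpts and package names below are constructed samples modelled on the real format (which varies by Android version), so the regular expressions are kept deliberately loose.

```python
"""Flag sideloaded Android apps that combine device-admin rights with SMS/contact
access, by parsing `adb shell dumpsys` output. Added example; samples are constructed."""
import re

# Permissions the article says the RAT requests after installation.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
}
LOCK_ABUSE_POLICIES = {"reset-password", "force-lock"}  # what the lock-screen trick needs
PLAY_STORE_INSTALLER = "com.android.vending"

# CONSTRUCTED sample of `adb shell dumpsys device_policy` (trimmed); package is hypothetical.
DEVICE_POLICY_SAMPLE = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.fakechat/com.example.fakechat.AdminReceiver}:
      uid=10231
      policies:
        reset-password
        force-lock
"""

# CONSTRUCTED samples of `adb shell dumpsys package <pkg>` (trimmed), keyed by package.
PACKAGE_DUMP_SAMPLES = {
    "com.example.fakechat": """\
Package [com.example.fakechat] (1a2b3c):
    userId=10231
    installerPackageName=null
    requested permissions:
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
      android.permission.INTERNET
    User 0: ceDataInode=0 installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
""",
    "com.example.notes": """\
Package [com.example.notes] (4d5e6f):
    userId=10244
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
    User 0: ceDataInode=0 installed=true
      runtime permissions:
""",
}


def parse_device_admins(dumpsys_text):
    """Map each enabled device-admin package to the set of policies it was granted."""
    admins = {}
    for chunk in dumpsys_text.split("ComponentInfo{")[1:]:
        pkg = chunk.split("/", 1)[0]
        policies = set()
        if "policies:" in chunk:
            for line in chunk.split("policies:", 1)[1].splitlines():
                item = line.strip()
                if not item:
                    continue
                if item.endswith(":"):  # start of the next dumpsys section
                    break
                policies.add(item)
        admins[pkg] = policies
    return admins


def parse_granted_runtime_permissions(package_dump):
    """Return the runtime permissions the user actually granted (granted=true)."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true", package_dump))


def parse_installer(package_dump):
    """Return the installer package, or None when dumpsys reports null (sideload)."""
    m = re.search(r"installerPackageName=(\S+)", package_dump)
    return None if (m is None or m.group(1) == "null") else m.group(1)


def triage(package_dumps, device_policy_text):
    """Score each package: high = device admin AND sensitive permissions granted."""
    admins = parse_device_admins(device_policy_text)
    findings = {}
    for pkg, dump in package_dumps.items():
        sensitive = sorted(parse_granted_runtime_permissions(dump) & SENSITIVE_PERMISSIONS)
        is_admin = pkg in admins
        lock_abuse = is_admin and LOCK_ABUSE_POLICIES <= admins[pkg]
        if is_admin and sensitive:
            risk = "high"
        elif is_admin or sensitive:
            risk = "medium"
        else:
            risk = "low"
        findings[pkg] = {
            "risk": risk,
            "sideloaded": parse_installer(dump) != PLAY_STORE_INSTALLER,
            "device_admin": is_admin,
            "can_lock_user_out": lock_abuse,
            "sensitive_permissions": sensitive,
        }
    return findings


if __name__ == "__main__":
    for pkg, f in triage(PACKAGE_DUMP_SAMPLES, DEVICE_POLICY_SAMPLE).items():
        print(pkg, f)
```

On a real device the inputs would come from `adb shell pm list packages -3` to enumerate third-party apps, then the two dumpsys commands above for each; a package that scores `high` with `can_lock_user_out` set matches the behaviour the article describes and is a candidate for removal via safe mode or a factory reset rather than the normal uninstall dialog.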
Check Point advises users to “be cautious of links and applications sent from unknown senders or applications downloaded from unknown websites.” For anyone concerned that they’ve downloaded something they shouldn’t, the team suggests that “users should keep an eye out for unusual behavior on their device, such as unexpected battery drain, increased data usage, or the presence of unknown apps.”
One of the main differences between Android and the iPhone has always been the flexibility to sideload apps from third-party stores and the web. Restricting those freedoms would not go down well, but sideloading remains the most likely source of malware infections.
Given all this, it’s no surprise that Google is making it increasingly difficult for bad actors to trick users into installing dangerous apps. Play Protect is being expanded with Android 15 to scan app behavior live and flag problems even if it hasn’t seen a particular variant of malware before, and Google has just unveiled a new biometric/PIN requirement before an app can be installed at all where the install could be high risk.
None of this will help a user with an older, unsupported phone. And the scale of that problem is staggering. Bitdefender suggests that “nearly a third of the world’s smartphones running Android will be running an outdated, unsupported operating system. When a new vulnerability emerges, the first piece of advice is always the same, regardless of the platform: apply the latest security patches as soon as possible. However, for Android devices with operating systems that have reached end of life, this is not an option.”
That’s more than a billion devices, and Bitdefender warns that “attackers know the statistics.” So while the golden rules apply to everyone, they apply doubly if you’re playing the dangerous game of putting personal data on an unsupported phone:
- Stick to official app stores. Don’t use third-party stores or change your device’s security settings to allow an app to load.
- Check the developer in the app description. Is this someone you would like to have in your life? And check the reviews: do they look legit or farmed?
- Don’t give permission to an app that doesn’t need it: torch and stargazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you need to.
- Never ever click links in emails or messages that directly download apps or updates. Always use app stores for installations and updates.
- Don’t install apps that link to established apps like WhatsApp unless you are sure they are legitimate. Check reviews and online articles.