In its latest research report, Check Point Research (CPR) reveals that multiple threat actors are using Rafel, a powerful open-source remote access trojan (RAT), targeting Android devices for espionage and covert intelligence operations. What’s worse: There are over 3.9 billion Android devices exposed to this threat.
One of the adversaries exploiting this RAT is APT-C-35 / DoNot Team, which used Rafel RAT for covert operations, benefiting from its remote access, surveillance, data exfiltration, and persistence mechanisms.
The DoNot Team is known for targeting Android devices. In November 2020, the group targeted Google Firebase cloud messaging to spread Android malware. In October 2021, Amnesty International blamed the DoNot Team for a malware attack against Togolese activists, attributing the attack to the Indian cybersecurity firm Innefu Labs after identifying one of the IP addresses used in the attack.
As for the latest attack, CPR collected multiple malware samples and identified 120 command and control servers. Surprisingly, Samsung phones were the most impacted devices and the US, China, and Indonesia were the most targeted countries.
“The majority of victims had Samsung phones, with Xiaomi, Vivo, and Huawei users comprising the second-largest group among the targeted victims,” CPR’s report read.
This could be due to the sheer popularity of these brands, making them a wider target base for attackers.
Over 87% of affected victims were running outdated Android versions that no longer receive security updates. These outdated systems lack critical security patches, making them easier targets for malware exploitation. Most impacted are Android 11 users, followed by Android versions 8 and 5 users.
While Windows bots consistently cause high Windows XP infections, despite reaching its End of Life in 2014, Android devices also suffer from this issue. CPR has examined three specific cases: ransomware operations, leaked Two-Factor Authentication messages, and Rafel command and control on a hacked Pakistani government website, revealing the prevalence of these threats.
John Bambenek, President at Bambenek Consulting commented on the recent development stating, “Fundamentally, mobile malware comes in the form of malicious applications that users have to be tricked into installing. Google has gotten pretty good about making sure none of these apps get on the Play Store, or at least stay there very long. Users should never install applications based on a text message. That said, this also highlights the importance of persistently applying updates to your mobile phone to ensure you’re running the latest versions.“
Nevertheless, CPR’s research shows the need for continuous caution and proactive security measures to protect Android devices from malicious exploitation and the importance of a multi-layered approach to mobile security. Therefore, always install apps from trusted sources like Google Play Store, avoid third-party apps, and check app permissions and reviews to stay safe on Android.
RELATED TOPICS
- Android Malware Poses as WhatsApp, Instagram to Steal Data
- Fake govt COVID-19 tracking app spreads Android ransomware
- Antidot Android Malware Poses as Google Update to Steal Funds
- LG Smart TV Screen Bricked After Android Ransomware Infection
- Microsoft warns of new Android ransomware blackmailing victims
