24 June 2024

Android devices targeted with Rafel RAT disguised as popular apps

Multiple threat actors, including cyber espionage groups, are employing an open-source Android remote administration tool (RAT) called Rafel RAT in malicious campaigns targeting Android devices. The RAT is being spread under the guise of popular apps like Instagram, WhatsApp, various e-commerce platforms, and antivirus software, Check Point Research said.

Previously, Check Point spotted the threat actor tracked as APT-C-35, also known as DoNot Team, utilizing the Rafel RAT in its campaigns. The tool's features, such as remote access, surveillance, data exfiltration, and persistence mechanisms, make it a potent instrument for covert operations and infiltration of high-value targets.

Check Point said it observed around 120 distinct malicious campaigns using Rafel RAT, some of which successfully compromised high-profile organizations, including those in the military sector. While the majority of targeted victims were from the United States, China, and Indonesia, the attacks spanned a wide geographical range. Most victims had Samsung phones, followed by users of Xiaomi, Vivo, and Huawei devices. Notably, many affected victims used Google devices (Pixel, Nexus), Samsung Galaxy A & S Series, and Xiaomi Redmi Series.

Android 11 was the most prevalent version among the targeted devices, followed by versions 8 and 5. Interestingly, more than 87% of the victims were running outdated Android versions no longer supported with security fixes, making them particularly vulnerable.

Rafel RAT has been used in numerous phishing campaigns, as well as ransomware operations, Check Point said in a report. The malware, disguised as legitimate applications, seeks necessary permissions upon initiation and may request to be added to the allowlist to ensure persistence. Some variants request permissions for notifications or device admin rights, while others ask for minimal sensitive permissions such as SMS, call logs, and contacts to remain undetected.
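The disguise-plus-permissions pattern described above can be turned into a simple defender-side triage of a decoded AndroidManifest.xml. The script below is an added example, not Check Point's tooling or anything from the Rafel RAT project: it flags the sensitive permissions the report names (SMS, call logs, contacts), a device-admin receiver, and a well-known brand label sitting on a package name that is not the brand's own. The manifest samples are constructed for the example.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Permissions the article names as the ones the RAT asks for (mapped here to their
# manifest permission strings; the mapping is this example's assumption).
SENSITIVE = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
}
# Brands the article says are impersonated, with their genuine package names.
OFFICIAL = {"WhatsApp": "com.whatsapp", "Instagram": "com.instagram.android"}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, a list of findings and a suspicious flag."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    findings = []
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings += sorted(requested & SENSITIVE)
    # Device-admin rights are requested through a receiver guarded by BIND_DEVICE_ADMIN.
    if any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
           for r in root.iter("receiver")):
        findings.append("device-admin receiver")
    # A well-known brand label on a package that is not the brand's own is impersonation.
    app = root.find("application")
    label = app.get(A + "label", "") if app is not None else ""
    if label in OFFICIAL and pkg != OFFICIAL[label]:
        findings.append(f"label '{label}' on non-official package {pkg}")
    return {"package": pkg, "findings": findings, "suspicious": bool(findings)}


# Constructed sample manifest (not a real malware artefact) exercising all three checks.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="WhatsApp">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed benign manifest: network access only, own label, no admin receiver.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for m in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

The checks are heuristics for triage queues, not a verdict: a legitimate messaging or backup app can request the same permissions, so a hit should lead to a closer look at the package source and signing identity.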

Once activated, the malware deploys a background service that generates a deceptive notification while operating covertly. It also initiates an internal service to manage communications with the command-and-control (C&C) server, varying commands depending on the specific malware variant. Initially, the malware could send quick messages through the Discord API, notifying attackers of new victims and enabling swift data extraction.

During the analysis, several protective mechanisms were uncovered, including string encryption, packer usage, and anti-evasion techniques designed to disrupt automated analysis pipelines or render certain tools ineffective.
