Rafel RAT Malware Targets 3.9 Billion Android Devices in Global Cyberattack Campaigns

June 25, 2024
  • Check Point Research has discovered that multiple threat actors, including APT-C-35 / DoNot Team, are utilizing the Rafel RAT malware in around 120 campaigns targeting over 3.9 billion Android devices worldwide.

  • These campaigns involve various malicious activities such as data theft, espionage, and ransomware attacks, with high-profile organizations, including military groups, being targeted.

  • Victims were primarily in the US, China, and Indonesia, with most using Samsung phones, followed by devices from Xiaomi, Vivo, and Huawei.

  • The malware is spread through phishing campaigns in which it is disguised as popular apps like WhatsApp and Instagram. It affects Android devices running unsupported versions, which are left vulnerable to exploitation.

  • Rafel RAT allows attackers to access device information, intercept notifications, and execute commands such as deleting files, encrypting data, and changing device settings.

  • It also enables the theft of contact details for identity theft and social engineering attacks, and supports ransomware operations by obtaining DeviceAdmin privileges and altering lock-screen passwords.

  • To protect against these threats, users are advised to only install apps from trusted sources, avoid third-party apps, and regularly check app permissions and reviews.

  • Adopting a multi-layered approach to mobile security is crucial in safeguarding Android devices from the growing threat of malware attacks.

  • The Rafel RAT malware poses a significant threat to Android devices, emphasizing the importance of timely updates and security measures to prevent malicious attacks.

Summary based on 8 sources

