Android Ransomware Operation

Multiple threat actors, including cyber espionage groups, are employing an open-source Android remote administration tool called Rafel RAT to meet their operational objectives by masquerading it as Instagram, WhatsApp, and various e-commerce and antivirus apps.

"It provides malicious actors with a powerful toolkit for remote administration and control, enabling a range of malicious activities from data theft to device manipulation," Check Point said in an analysis published last week.

It boasts a wide range of features, such as the ability to wipe SD cards, delete call logs, siphon notifications, and even act as ransomware.


The use of Rafel RAT by DoNot Team (aka APT-C-35, Brainworm, and Origami Elephant) was previously highlighted by the Israeli cybersecurity company in cyber attacks that leveraged a design flaw in Foxit PDF Reader to trick users into downloading malicious payloads.

The campaign, which took place in April 2024, is said to have utilized military-themed PDF lures to deliver the malware.

Check Point said it identified around 120 different malicious campaigns, some targeting high-profile entities, that span various countries like Australia, China, Czechia, France, Germany, India, Indonesia, Italy, New Zealand, Pakistan, Romania, Russia, and the U.S.

Android Ransomware Operation

"The majority of victims had Samsung phones, with Xiaomi, Vivo, and Huawei users comprising the second-largest group among the targeted victims," it noted, adding no less than 87.5% of the infected devices are running out-of-date Android versions that no longer receive security fixes.

Typical attack chains involve the use of social engineering to manipulate victims into granting the malware-laced apps intrusive permissions in order to hoover sensitive data like contact information, SMS messages (e.g., 2FA codes), location, call logs, and the list of installed applications, among others.

Rafel RAT primarily makes use of HTTP(S) for command-and-control (C2) communications, but it can also utilize Discord APIs to contact the threat actors. It also comes with an accompanying PHP-based C2 panel that registered users can leverage to issue commands to compromised devices.


The tool's effectiveness across various threat actors is corroborated by its deployment in a ransomware operation carried out by an attacker likely originating from Iran, who sent a ransom note written in Arabic through an SMS that urged a victim in Pakistan to contact them on Telegram.

Android Ransomware Operation

"Rafel RAT is a potent example of the evolving landscape of Android malware, characterized by its open-source nature, extensive feature set, and widespread utilization across various illicit activities," Check Point said.

"The prevalence of Rafel RAT highlights the need for continual vigilance and proactive security measures to safeguard Android devices against malicious exploitation."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.