
[Update: Google responds] Rafel RAT ransomware attacks target outdated Android phones


UPDATE: Google says Google Play Protect automatically blocks the Rafel RAT malware that threat actors are allegedly using for ransomware attacks on outdated Android phones. The company’s protective measures also work on Android apps sideloaded from outside sources, not just the Play Store. Google claims it constantly updates its protections to stay ahead of threat actors, implementing protections for new malware as soon as it becomes aware through third-party security research.

“Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson said in an emailed statement to Android Headlines.

ORIGINAL ARTICLE: If your Android phone no longer receives security updates, you are at an increased risk of ransomware attacks. Security researchers have discovered several malware campaigns primarily targeting outdated Android devices. These campaigns employ an open-source Android malware named “Rafel RAT”. Even flagship models, such as Samsung’s Galaxy S lineup, are vulnerable.

New ransomware campaigns targeting outdated Android phones with Rafel RAT

Rafel RAT is a powerful open-source malware tool with excellent techniques to avoid detection. It provides malicious actors with a remote administration and control toolkit that allows them to perform various malicious activities on an infected device. From data theft and surveillance to device manipulation, it facilitates all kinds of remote attacks, making it a popular choice among threat actors.

Security researchers Antonis Terefos and Bohdan Melnykov of Check Point recently identified over 120 Android malware campaigns using Rafel RAT. Some of the campaigns are run by well-known threat actors, including APT-C-35 (aka DoNot Team, Brainworm, and Origami Elephant). Lesser-known attackers are behind the others, with most of them originating in Pakistan and Iran.

The research firm says most of the victims were located in the United States, China, and Indonesia. However, the malware campaigns also infected Android devices in India, Australia, France, Germany, Italy, Russia, and several other countries. The attackers primarily targeted devices running Android 11 or older. Those phones have stopped receiving security updates and are vulnerable to known flaws.

According to Check Point, over 87.5% of all affected devices were on Android 11 or an older version. Android 5 and Android 8 devices accounted for 17.9% of attacks each—the most. Some affected devices were on Android 4. This makes us wonder how long people are holding onto their phones. Android 4 came out in 2011 and no longer supports Google Play Services, let alone receives security updates.


As far as smartphone brands are concerned, it’s a mix of all popular companies. Samsung devices saw the most attacks, but this could also reflect its position as the largest vendor. The Korean firm makes more phones than any other brand and has long been at the top of the pile. Xiaomi, Vivo, and Huawei devices comprised the second-largest group among the targeted victims.

Avoid installing apps from unknown sources

Cybercriminals distribute Rafel RAT through various means. However, in most cases, users download it via malicious APKs disguised as popular social media and messaging apps, including Instagram and WhatsApp. Threat actors also impersonate e-commerce platforms and antivirus apps to distribute the malware. Upon installation, it asks for a wide range of permissions to access everything on the phone.
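The two traits described above, an app whose label imitates a popular messaging app while its package name is not the official one, and a request for far more permissions than the imitated app needs, are exactly what a defender can check before sideloading. The following is an added example, not code from the article or from Check Point’s research: a small Python triage script over the output of `aapt dump badging <file.apk>` (a real Android SDK build-tools command). The label-to-package mapping, the high-risk permission list and the threshold of three such permissions are assumptions chosen for illustration, and the badging text is constructed, not taken from any real sample.

```python
"""Triage `aapt dump badging` output for an APK obtained outside an app store.

Hypothetical helper, not Check Point's or Rafel RAT's code.  It flags an app
whose display label imitates a well-known app while its package name differs
from the official one, and an app requesting broad device access.
"""
import re

# Official package names of the apps the article says are impersonated
# (real identifiers; using them for a label/package mismatch check is our assumption).
OFFICIAL_PACKAGES = {
    "whatsapp": "com.whatsapp",
    "instagram": "com.instagram.android",
}

# Real Android permission names that hand over sensitive data or device control.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
}

# Line shapes produced by `aapt dump badging`.
_PKG_RE = re.compile(r"^package: name='([^']+)'")
_LABEL_RE = re.compile(r"^application-label:'([^']*)'")
_PERM_RE = re.compile(r"^uses-permission: name='([^']+)'")


def parse_badging(text):
    """Pull the package name, display label and requested permissions out of badging output."""
    info = {"package": None, "label": None, "permissions": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _PKG_RE.match(line):
            info["package"] = m.group(1)
        elif m := _LABEL_RE.match(line):
            info["label"] = m.group(1)
        elif m := _PERM_RE.match(line):
            info["permissions"].add(m.group(1))
    return info


def triage(text, risky_threshold=3):
    """Return a list of findings; an empty list means nothing stood out."""
    info = parse_badging(text)
    findings = []
    label = (info["label"] or "").lower()
    # A label that names a well-known app but ships under a different package name.
    for brand, official in OFFICIAL_PACKAGES.items():
        if brand in label and info["package"] != official:
            findings.append(
                f"label '{info['label']}' imitates {brand} but package is "
                f"{info['package']!r}, not {official!r}"
            )
    # A broad set of sensitive permissions, regardless of what the app claims to be.
    risky = sorted(info["permissions"] & HIGH_RISK_PERMISSIONS)
    if len(risky) >= risky_threshold:
        findings.append("requests broad device access: " + ", ".join(risky))
    return findings


# Constructed sample badging output; not from any real APK.
SAMPLE_BADGING = """\
package: name='com.update.service' versionCode='3' versionName='1.2'
sdkVersion:'21'
targetSdkVersion:'33'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
application-label:'WhatsApp'
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_BADGING):
        print("!", finding)
```

Run it against the output of `aapt dump badging` for the file in question; a genuine store-distributed WhatsApp build carries the package `com.whatsapp` and produces no impersonation finding. The permission check is deliberately a count rather than a match on any one permission, because a legitimate messaging app also asks for contacts, camera and microphone access; it is the combination with SMS reading and self-installation rights under a mismatched package name that warrants attention.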


Attackers can remotely watch it all and decide the next step. Check Point’s analysis revealed that the attackers issued the ransomware command in roughly 10% of the cases. Rafel RAT’s ransomware module encrypts the affected phone’s files using a pre-defined AES key, giving the attackers full control over the device. They can also remotely change the device’s password to lock the user out.

The research firm says these Rafel RAT Android ransomware campaigns “successfully targeted high-profile organizations, including the military sector.” This is alarming and tells you a lot about the risks associated with using outdated devices and installing apps from unknown sources. You should always download apps from official sources such as the Google Play Store, Samsung Galaxy Store, or the official developer website.
