‘Update Now’ Warning Issued For Millions Of Samsung, Pixel, Xiaomi Users

Have you recently updated the software on your Samsung, Pixel or Xiaomi phone? If not, you might want to look away. Check Point’s cyber team just released a new report warning you of how much risk you’re taking and urging you to update.

The team says it has tracked the Rafel RAT in the United States, the United Kingdom, China, Indonesia, Russia, India, France and Germany, uncovering 120 malicious campaigns over the past two years — another reminder, they warn, “of how open-source malware technology can cause significant damage, especially when it targets large ecosystems like Android with more than 3.9 billion users worldwide.”

And this RAT is particularly nasty – it’s definitely not something you want on your phone, sifting through your personal data and sending whatever it likes back to its operators without you realizing it – at least not until it’s too late. “Our findings,” says Check Point, “underline that the majority of victims had Google (Pixel, Nexus), Samsung Galaxy A & S Series, and Xiaomi Redmi Series.” But many other devices were also affected.


“It is very important that your devices have the latest security patches, or replace them if they are no longer receiving them,” says Check Point’s Alexander Chailytko. “Prominent threat actors and even APT groups are always looking for ways to exploit their operations, especially with readily available tools like the Rafel RAT, which could lead to exfiltration of critical data, leaked two-factor authentication codes, attempted surveillance, and covert operations.”

Rafel targets phones through non-Play Store installs. And while Google is adding better defenses around these “non-Play apps,” the sheer scale of the problem is huge; Google has announced that its new real-time code-level scanning “has already detected more than 5 million new malicious apps outside of Play, helping to protect Android users around the world.”

Some of these threats are clearly more dangerous than others. “Rafel has all the essential features needed to effectively execute extortion schemes,” says Check Point. “Once the malware gains device administrator privileges, it can change the screen lock password [and] prevent malware from being uninstalled. If a user tries to revoke the application’s administrative privileges, it will immediately change the password and lock the screen, thus thwarting any attempts to intervene.”

Check Point reports that 87% of all infections it detected were on phones with older, unsupported versions of Android. “However, users of current Android versions should be concerned; this Android threat is capable of infecting a wide range of Android versions, from the oldest unsupported versions to the latest ones.”

And that means that even if you’re running Android 14, you need to keep your phone patched as regular security updates are released. Just this month, we saw Google address a Pixel vulnerability for which a targeted exploit was found in the wild. When it comes to Android and malware, there is no margin for error.

The team found the Rafel RAT being used for remote monitoring, data exfiltration and ransomware, with victims “tricked” into downloading apps from outside the Google Play Store ecosystem – apps impersonating popular social media services, including some of the biggest and most well-known brands. Sideloading apps onto a phone with an outdated version of Android is like playing Russian Roulette with several bullets in the gun – the odds of getting hit are dangerously high.

The social engineering behind these attacks relies on a spoof we see more and more these days – impersonating popular apps to prompt installation. The apps Rafel RAT impersonates include WhatsApp and Instagram, which will already be installed on most target devices. Once installed, the RAT requests various permissions to access sensitive apps and services, including contacts, call logs and – critically – text messages, which lets it read SMS-delivered one-time codes and so bypass SMS-based 2FA.

The RAT is programmed to retrieve contact lists, SMS messages, device information, location data and screenshots and send them to its control server. It can also erase phone data, display fraudulent system messages, delete files and directories, and retrieve data and files stored on the device and hand them over to its operators.

Check Point advises users to be wary of links and applications sent by unknown senders or applications downloaded from unknown sites. For anyone worried they may have downloaded something they shouldn’t have, the team suggests “users should look for unusual behavior on their device, such as unexpected battery drain, increased data usage, or the presence of unknown apps.”
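A practical way to act on that advice during a triage, as an added example that is not code from Check Point, Google or the original article: a Python script that parses the output of three adb commands (`pm list packages -i -3`, `dumpsys device_policy` and `dumpsys package <pkg>`) and ranks third-party apps by the indicators the report describes – a sideloaded install, active device-admin rights, SMS/contacts/call-log/location permissions, and a package name that rides on a brand such as WhatsApp. The sample dumps, package names, dump layouts and scoring weights are constructed for illustration; real dump formats vary by Android version and OEM.

```python
"""Triage adb output for Rafel-style RAT indicators.

Added example (not Check Point's, Google's or Forbes' code). It parses
constructed samples of three adb commands a responder would run on a
suspect phone:

    adb shell pm list packages -i -3     # third-party apps with installer
    adb shell dumpsys device_policy      # active device admins
    adb shell dumpsys package <pkg>      # granted runtime permissions

The package names and the exact dump layouts below are assumptions made
for illustration; real output varies by Android version and OEM.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample of `pm list packages -i -3`. installer=null means no
# store installed it, i.e. the app was sideloaded.
SAMPLE_PM_LIST = """\
package:com.whatsapp  installer=com.android.vending
package:com.instagram.android  installer=com.android.vending
package:com.whatsapp.update  installer=null
package:com.bank.example  installer=com.android.vending
"""

# Constructed excerpt of `dumpsys device_policy`: the sideloaded look-alike
# is an active device admin with the policies needed to lock the screen.
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.whatsapp.update/.AdminReceiver:
      uid=10153
      policies:
        reset-password
        force-lock
  Enabled Device Admins (User 10, provisioningState: 0): none
"""

# Constructed `dumpsys package <pkg>` excerpts (runtime permissions section).
SAMPLE_PACKAGE_DUMPS = {
    "com.whatsapp": "  runtime permissions:\n    android.permission.READ_CONTACTS: granted=true\n",
    "com.instagram.android": "  runtime permissions:\n    android.permission.CAMERA: granted=true\n",
    "com.whatsapp.update": (
        "  runtime permissions:\n"
        "    android.permission.READ_SMS: granted=true\n"
        "    android.permission.READ_CONTACTS: granted=true\n"
        "    android.permission.READ_CALL_LOG: granted=true\n"
        "    android.permission.ACCESS_FINE_LOCATION: granted=true\n"
        "    android.permission.RECORD_AUDIO: granted=false\n"
    ),
    "com.bank.example": "  runtime permissions:\n    android.permission.CAMERA: granted=true\n",
}

# Permissions the report says the RAT asks for; SMS access is what lets it
# lift SMS-delivered 2FA codes, so it is weighted separately.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
SENSITIVE_PERMS = SMS_PERMS | {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
}
# Brand packages the RAT is reported to impersonate (tuple for stable order).
KNOWN_BRANDS = ("com.whatsapp", "com.instagram.android")


@dataclass
class AppFinding:
    package: str
    sideloaded: bool = False
    device_admin: bool = False
    lookalike_of: str | None = None
    sensitive_perms: set = field(default_factory=set)

    def risk(self) -> int:
        """Additive score (weights are assumptions): sideloaded + device admin
        + SMS access is the Rafel pattern and dominates the ranking."""
        score = 2 * self.sideloaded + 3 * self.device_admin + 2 * bool(self.lookalike_of)
        if self.sensitive_perms & SMS_PERMS:
            score += 3
        return score + len(self.sensitive_perms - SMS_PERMS)


def parse_installers(pm_list: str) -> dict[str, str | None]:
    """Map package -> installer package, or None when sideloaded."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", pm_list, re.M):
        pkg, inst = m.groups()
        out[pkg] = None if inst == "null" else inst
    return out


def parse_device_admins(dump: str) -> set[str]:
    """Packages listed as enabled device admins (component line 'pkg/.Receiver:')."""
    return set(re.findall(r"^\s+([\w.]+)/[\w.$]+:\s*$", dump, re.M))


def parse_granted_perms(dump: str) -> set[str]:
    """Permission names whose dumpsys line ends in 'granted=true'."""
    return set(re.findall(r"([\w.]+): granted=true", dump))


def lookalike_of(pkg: str) -> str | None:
    """Flag package names that ride on a well-known brand, e.g. com.whatsapp.update."""
    for brand in KNOWN_BRANDS:
        if pkg != brand and pkg.startswith(brand + "."):
            return brand
    return None


def triage(pm_list: str, device_policy: str, package_dumps: dict[str, str]) -> list[AppFinding]:
    """Combine the three dumps into per-app findings, highest risk first."""
    admins = parse_device_admins(device_policy)
    findings = [
        AppFinding(
            package=pkg,
            sideloaded=installer is None,
            device_admin=pkg in admins,
            lookalike_of=lookalike_of(pkg),
            sensitive_perms=parse_granted_perms(package_dumps.get(pkg, "")) & SENSITIVE_PERMS,
        )
        for pkg, installer in parse_installers(pm_list).items()
    ]
    return sorted(findings, key=lambda f: f.risk(), reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_PM_LIST, SAMPLE_DEVICE_POLICY, SAMPLE_PACKAGE_DUMPS):
        flags = [k for k in ("sideloaded", "device_admin") if getattr(f, k)]
        if f.lookalike_of:
            flags.append(f"lookalike of {f.lookalike_of}")
        print(f"{f.risk():2d}  {f.package:24s} {', '.join(flags)}  perms={sorted(f.sensitive_perms)}")
```

Run the three adb commands against the suspect device and pass their real output to `triage()` in place of the constructed samples. Because the report says Rafel reacts to a revocation attempt by locking the screen, treat a high-scoring app that is also a device admin with care: booting into safe mode, which stops third-party apps from running, before revoking its admin rights and uninstalling it is the usual approach.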

One of the main differences between Android and the iPhone has always been the flexibility to install apps from third-party stores and the web. Curtailing those freedoms would not go down well with users. However, sideloading remains the most likely source of malware infections.


Given this, it’s no surprise that Google is making it increasingly difficult for a bad actor to trick users into installing dangerous apps. Play Protect is being improved with Android 15 to live-scan app behavior and flag problems even where it hasn’t seen a particular malware variant before, and Google has just revealed a new biometric/PIN requirement for installing apps that could be high risk.

None of this helps a user with an older unsupported phone. And the scale of this problem is staggering. Bitdefender suggests that “nearly one-third of the world’s Android smartphones will be running an outdated, unsupported operating system. Whenever a new vulnerability appears, the first piece of advice is always the same, regardless of platform: apply the latest security patches as soon as possible. However, this is not possible for Android devices with end-of-life operating systems.”

That’s more than a billion devices, and Bitdefender warns that “attackers know the statistics.” So while the golden rules apply to everyone, they apply doubly so if you’re playing the dangerous game of keeping personal data on an unsupported phone:

  1. Stick to official app stores – don’t use third-party stores, and never change your device’s security settings to allow installs from unknown sources.
  2. Look at the developer in the app description – is this someone you’d want in your life? And look at the reviews: do they look legitimate or farmed?
  3. Don’t give an app permissions it shouldn’t need: flashlight and stargazing apps don’t need access to your contacts or your phone. And never grant accessibility permissions that make it easier to control your device unless you genuinely need them.
  4. Never click on links in emails or messages that directly download apps or updates – always use app stores to install and update.
  5. Don’t install apps that claim to link to or extend established apps like WhatsApp unless you’re sure they’re legitimate – check reviews and online write-ups.
