About Rafel RAT malware (Android)

Users are warned to be cautious of the Rafel Remote Access Trojan (RAT) that targets Android devices. The malware allows its operators to completely access the infected device, steal data, access messages, intercept and access multi-factor authentication alerts, encrypt files, and lock the device. The malware is known to target high-profile individuals and organizations.

 

 

The Rafel Remote Access Trojan (RAT) is a malicious infection that targets Android devices globally, particularly in countries like the US, China, India, and Indonesia. The malware is being used by several cybercriminal groups and can be modified to suit specific needs. It has been used to target several high-profile organizations and entities.

The RAT infection has an alarming number of features and can cause very serious damage. It uses several different methods to get inside a device, including imitating a Telegram-based clicker game called Hamster Kombat. If it successfully infects a device, it will first request various permissions. Depending on which method is used to infect a device, the permission requests may look different. If users grant the permissions, the malware can start performing its malicious activities.

It will first collect information about the device, including device model, hardware details, battery information, root status, geolocation data, language settings, mobile operator, installed apps, etc. The malware may be able to avoid detection by imitating a legitimate app. It will also be set to start automatically upon system start, and will be able to bypass disablement when maintaining battery and operate in the background even when users close the app.

The Rafel RAT will be able to read the screen and interact with the keyboard by misusing the Android Accessibility Services, a feature meant to help users with disabilities use the device without issues. The trojan is able to steal and delete files and wipe the data on an SD memory card. It will also have access to contact lists and call logs, as well as be able to read and send SMS messages, make phone calls, and read and intercept notifications, allowing it to get multi-factor authentication codes.

Finally, it can act as ransomware. It may encrypt files and keep them hostage until users agree to pay. The trojan can change the device’s lock screen code, preventing users from accessing it. The lock screen would display the ransom note if the trojan’s ransomware capabilities were used.

Rafel ransomware is classified as a very serious infection because it can cause a lot of damage. Infection could result in stolen files, permanently lost data, identity theft, financial loss, privacy issues, and more.

How does Rafel RAT malware (Android) enter devices?

Depending on the cybercriminals operating it, Rafel RAT can be distributed in several ways.

It has been noticed that the trojan is disguised as legitimate apps like Instagram and WhatsApp, and promoted on third-party app stores and questionable download sites. Third-party app stores are notorious for hosting a lot of malicious apps because they are poorly regulated. A malicious app may infect thousands of users before it’s taken down. Thus, it’s recommended to avoid unknown app stores and stick to the Google Play Store. While the occasional malicious app does get past Google’s security measures, the chances of encountering malware on the Play Store are very low. Nonetheless, even when using the Play Store, always carefully inspect the apps before downloading them. Check the developer, read reviews, and go through the requested permissions.

When malicious actors target someone specific with this malware, they may use phishing and social engineering attacks. The attacks would likely be very sophisticated and difficult to identify. For example, if the malware was spread via email, the email would contain a lot of personal information to make it credible. However, sophisticated attempts are usually reserved for high-profile targets because they require a lot of effort. Nonetheless, all users should be careful with unsolicited emails and messages that contain links or attachments. Users should never click on unknown links or open unsolicited attachments. Users should also keep in mind that organizations and institutions like law enforcement, banks, tax agencies, etc., do not send messages with links.

It’s also possible to infect a device with Rafel RAT when downloading cracks and pirated content. All kinds of malware can be encountered on pirating sites, including free streaming and torrent sites. Users should keep in mind that pirating is not only content theft but can also be dangerous for users’ computers and data.

Finally, the Rafel RAT infection has been noted to be disguised as a Telegram-based clicker game Hamster Kombat. This game became very popular in 2024, primarily because it promises to give away cryptocurrencies in giveaways. The game got so popular fake versions started appearing, including one that’s actually the disguised Rafel trojan. The malicious version of the game is being distributed via unofficial Telegram channels. When users download it, it immediately asks for loads of permissions.

The permission requests should ring alarm bells for many users because of how intrusive they are. For example, the fake Hamster Kombar app requests to be set as the default SMS app, as well as complete access to notifications. To protect themselves from malicious apps hijacking their devices, users should always carefully consider why a particular app needs the permissions it requests. For example, why would a game app request to be set as the default SMS app? Or request complete access to notifications and their contents?