Have you updated the software on your Samsung, Pixel or Xiaomi phone recently? If not, you may want to look away now. The cyber team at Check Point has just released a new report warning of just how big a risk you’re taking and urging you to update.
The team says it has tracked the Rafel RAT across the United States, Great Britain, China, Indonesia, Russia, India, France and Germany and detected 120 dangerous campaigns over the past two years — another reminder, they warn, of “how Open Source Malware Technology can cause significant damage, especially when targeting large ecosystems like Android, with over 3.9 billion users worldwide.”
And this RAT is particularly bad – it’s definitely not something you want on your phone, snooping through all your personal data, sending whatever it likes back to its owners without you realizing – at least not until it’s too late. “Our findings,” says Check Point, “pointed out that most of the victims had Google (Pixel, Nexus), Samsung Galaxy A & S Series and Xiaomi Redmi Series. But many other devices were also affected.”
“It’s essential to keep your devices up to date with the latest security patches or replace them if they no longer receive them,” says Check Point’s Alexander Chailytko. “Prominent threat actors and even APT groups are always looking for ways to exploit their operations, especially with available tools like the Rafel RAT, which can lead to critical data exfiltration, exposed two-factor authentication codes, surveillance efforts and covert operations.”
Rafel targets phones with non-Play Store installs. And while Google is adding better protections around these “non-Play apps,” the scale of the problem is huge; Google has reported that its new real-time code-level scanning “has already detected over 5 million new, malicious apps outside of Play, which help protect Android users around the world.”
Some of these threats are clearly more dangerous than others. “Rafel possesses all the essential features needed to execute extortion schemes effectively,” Check Point says. “When malware obtains device administrator privileges, it can change the lock screen password [and] prevent [the] malware from being uninstalled. If a user tries to revoke administrator privileges from the app, it immediately changes the password and locks the screen, preventing any attempts to intervene.”
Check Point reports that 87% of all infections it detected were on phones with older, unsupported versions of Android. “But users of current Android versions should be concerned; this Android threat is capable of infecting a wide range of Android versions, from the oldest unsupported versions to the latest ones.”
And that means even if you’re running Android 14, you should keep your phone patched as regular security updates are released. Just this month, we saw Google address a Pixel vulnerability for which a targeted exploit had been found in the wild. When it comes to Android and malware, there is no such thing as risk-free territory.
The team caught the Rafel RAT performing remote surveillance, data exfiltration and ransomware operations, with victims “tricked” into downloading apps from outside the Google Play Store ecosystem, apps that mimic popular social media services, including some from the biggest, most popular brands. In the simplest terms, sideloading applications onto a phone with an outdated version of Android is like playing Russian roulette with many bullets in the gun – the chances of getting hit are extremely high.
The social engineering behind these attacks relies on the spoofing we’re seeing more and more of these days—impersonating popular apps to induce an install. Apps imitated by Rafel RAT include WhatsApp and Instagram, which are already installed on most of the targeted devices, so a lookalike raises little suspicion. Once installed, the RAT requests various permissions to access sensitive applications and services, including contacts, call logs and, critically, text messages, which enable the RAT to bypass SMS-based 2FA security measures.
The RAT is programmed to collect contact lists, SMS messages, device information, location data and screenshots and send them to its command-and-control server. But it can also erase data from the phone, display deceptive system messages, delete files and directories, and retrieve data and files stored on the device and forward them to its owners.
Check Point advises users to “be wary of links and applications sent from unknown senders or applications downloaded from unknown websites.” For anyone worried they may have downloaded something they shouldn’t, the team suggests “users should look for unusual behavior on their device, such as sudden battery drain, increased data usage, or the presence of unknown apps.”
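The three indicators the article keeps returning to – an app that did not come from the Play Store, an app holding device administrator rights, and an app granted SMS, contact or call-log permissions – can all be read off `adb` output from a suspect device. The script below is an added example for this page and is not Check Point’s tooling or anything taken from its report. The adb output it parses is constructed to resemble `adb shell pm list packages -i`, `adb shell dumpsys device_policy` and `adb shell dumpsys package <pkg>`; the package names in it (including the typosquatted `com.wnatsapp.messenger`) are invented for illustration and are not real Rafel indicators; and because the exact `dumpsys` layout differs between Android releases, the parsers are deliberately lenient.

```python
"""Offline triage of adb output for Rafel-style RAT indicators.

Added example, not from the original article or from Check Point.
The three sample texts are constructed to mimic `pm list packages -i`,
`dumpsys device_policy` and `dumpsys package <pkg>` output; the layout of
dumpsys varies by Android version, so parsing is line-oriented and lenient.
"""
import re

PLAY_STORE_INSTALLER = "com.android.vending"

# Permissions the article says the RAT requests; SMS is the one that lets it
# intercept one-time codes and so bypass SMS-based 2FA.
SENSITIVE_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
}

# Constructed sample in the style of `adb shell pm list packages -3 -i`.
# Package names are invented; "installer=null" means no recorded installer.
SAMPLE_INSTALLERS = """\
package:com.whatsapp  installer=com.android.vending
package:com.instagram.android  installer=com.android.vending
package:com.wnatsapp.messenger  installer=com.google.android.packageinstaller
package:com.example.torch  installer=null
"""

# Constructed fragment in the style of `adb shell dumpsys device_policy`.
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.wnatsapp.messenger/.AdminReceiver:
      uid=10231
      policies:
        reset-password
        force-lock
"""

# Constructed fragments in the style of `adb shell dumpsys package <pkg>`.
SAMPLE_PACKAGE_DUMPS = {
    "com.wnatsapp.messenger": """\
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
""",
    "com.example.torch": """\
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
""",
}


def parse_installers(text):
    """Map package -> installer package; None when the installer is 'null'."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", text, re.M):
        pkg, installer = m.group(1), m.group(2)
        out[pkg] = None if installer == "null" else installer
    return out


def parse_device_admins(text):
    """Map package -> set of device-admin policies it holds (e.g. reset-password).

    A line like 'com.pkg/.Receiver:' opens an admin entry; indented lines made
    only of lowercase letters and dashes beneath it are taken as policy names
    (key=value lines such as 'uid=10231' and the 'policies:' label are skipped).
    """
    admins, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.]+)/(\S+):\s*$", line)
        if m:
            current = m.group(1)
            admins[current] = set()
            continue
        if current and re.match(r"^\s+[a-z-]+$", line):
            admins[current].add(line.strip())
    return admins


def parse_granted_permissions(text):
    """Set of android.permission.* names with granted=true in a package dump."""
    return {m.group(1) for m in
            re.finditer(r"(android\.permission\.\w+): granted=true", text)}


def triage(installers, admins, package_dumps):
    """Return [(package, reasons)] for non-Play packages with RAT-like capabilities."""
    findings = []
    for pkg, installer in installers.items():
        if installer == PLAY_STORE_INSTALLER:
            continue  # Play-installed; outside the sideload population the article describes
        reasons = ["installer=%s" % (installer or "none (sideloaded)")]
        policies = admins.get(pkg, set())
        if policies & {"reset-password", "force-lock"}:
            reasons.append("device admin with " + ", ".join(sorted(policies)))
        perms = parse_granted_permissions(package_dumps.get(pkg, "")) & SENSITIVE_PERMS
        if perms:
            reasons.append("sensitive permissions: " + ", ".join(sorted(perms)))
        if len(reasons) > 1:  # sideloaded *and* at least one RAT-like capability
            findings.append((pkg, reasons))
    return findings


def run_sample():
    return triage(parse_installers(SAMPLE_INSTALLERS),
                  parse_device_admins(SAMPLE_DEVICE_POLICY),
                  SAMPLE_PACKAGE_DUMPS)


if __name__ == "__main__":
    for pkg, reasons in run_sample():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

On a real handset, feed the three parsers the output of the corresponding `adb shell` commands instead of the constants. Two caveats: a non-Play installer is not proof of malware (F-Droid and enterprise stores are legitimate), so treat the output as a shortlist for closer inspection rather than a verdict; and, given the behaviour Check Point describes, revoking device admin from the Settings UI on an infected phone may be exactly what triggers the lock-screen takeover, so capture the evidence over adb from a trusted host first.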
One of Android’s main differences from the iPhone has always been this flexibility to load apps from third-party stores and the web. And limiting these freedoms is not going to happen. But this remains the most likely source of malware infections.
With that in mind, it’s no wonder Google is making it increasingly difficult for a bad actor to trick users into installing dangerous apps. Its Play Protect is being improved with Android 15 to directly scan app behaviors to flag problems even when it hasn’t seen a particular malware variant before, and it has just introduced a biometric or PIN check before a potentially high-risk app can be installed in the first place.
None of this helps a user with an old, unsupported phone. And the scale of this problem is staggering. Bitdefender suggests that “nearly a third of the world’s smartphones running Android will be running an outdated and unsupported operating system. Whenever a new vulnerability appears, the first piece of advice is always the same, regardless of platform: apply the latest security patches as soon as possible. However, for Android devices running end-of-life operating systems, this is not an option.”
That’s more than a billion devices, and Bitdefender warns that “attackers know the statistics.” So while the golden rules apply to everyone – they apply doubly if you’re playing the dangerous game of putting personal data on an unsupported phone:
- Stick to official app stores—don’t use third-party stores, and never change your device’s security settings to allow an app to be installed from an unknown source.
- Check out the developer in the app description – is it someone you’d want in your life? And check the reviews: do they look legit or manufactured?
- Don’t give permission to an app that shouldn’t need it: flashlight and stargazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control if you don’t need to.
- Never, ever click links in emails or messages that directly download apps or updates—always use app stores for installations and updates.
- Don’t install apps that pose as WhatsApp or other popular brands unless you really know they’re legit—check reviews and write-ups online.