Rafel RAT: Seizing Control and Encrypting Your Android Devices

Android, the widely embraced mobile operating system created by Google, serves as the backbone for billions of smartphones and tablets globally. Known for its versatility and open-source design, Android grants users extensive customization options and access to a vast selection of applications via platforms such as the Google Play Store.

However, this openness also brings substantial security risks, especially from Android malware like viruses, Trojans, ransomware, spyware, and adware. These threats endanger user privacy, device security, and personal data integrity through app downloads, malicious websites, phishing attacks, and system vulnerabilities.

The dynamic evolution of Android malware poses ongoing challenges for users, developers, and cybersecurity experts. As attackers utilize increasingly sophisticated techniques to avoid detection and infiltrate devices, understanding the nature of Android malware, how it spreads, and implementing effective prevention strategies is crucial.

What is Rafel RAT

Rafel RAT, an open-source malware tool designed for Android, enables remote administration by malicious actors, facilitating activities such as data theft, complete device control, and locking the phone for ransom.

Rafel is Remote Access Tool Used to Control Victims Using WebPanel With More Advanced Features - Rafel Admin

Features of Rafel RAT

Utilized by Threat Actors: Rafel RAT Operations

Check Point researchers have issued a warning about the Rafel RAT, an open-source malware targeting outdated Android devices. In certain instances, hackers attempt to lock devices using ransomware and demand payment through Telegram.

Analysts have observed Rafel RAT being deployed in over 120 malicious campaigns across numerous countries globally, with a significant impact on victims in the USA, China, Indonesia, and affecting Russia as well. Some attacks have been linked to established hacking groups like APT-C-35 (DoNot Team), while others originate from unidentified actors, originating from Iran and Pakistan.

Infected Devices per country

In the majority of the attacks analyzed by Check Point, victims were found to be using outdated versions of Android that had reached end-of-life status, rendering them ineligible for security updates. Specifically, Android 11 and earlier versions comprised over 87.5% of the total infections, while devices running Android 12 or 13 accounted for a mere 12.5% of the affected devices.

Android Versions

Interestingly, Samsung phones constituted the largest group of victims, with Xiaomi, Vivo, and Huawei users comprising the second-largest group. This trend reflects the popularity of these brands in global markets.

Victim Devices

While some brands had higher infection rates, a wide variety of models were affected. Check Point categorized these models by their respective series. Analysis also revealed that many victims owned Google devices (Pixel, Nexus), Samsung Galaxy A & S Series, and Xiaomi Redmi Series.

Top Models.

Over 87% of the affected victims are using outdated Android versions that have reached end-of-life status, thereby no longer receiving critical security updates. It's easy for attackers to target these phones due to their lack of ongoing security support.

Versions TimeLine

Working Mechanism

Rafel RAT is commonly spread through deceptive means, often using trusted brands like Instagram, WhatsApp, popular e-commerce platforms, and antivirus apps to trick users into downloading malicious APKs.

Once installed, the malware requests extensive permissions, such as running in the background and bypassing battery optimization settings. These permissions allow Rafel RAT to operate unnoticed, making it harder to detect and remove.

Rafel Activity.

The malware adjusts by requesting different permissions—like Notifications, Device Admin rights, or minimal sensitive permissions such as SMS, Call Logs, and Contacts—to avoid detection. Once activated, it runs silently in the background, displaying a misleading notification. Meanwhile, it sets up an InternalService to communicate with its command-and-control (C&C) server.

Communication happens over HTTP(S) protocols, beginning with the initial client-server interaction phase. Here, the malware sends device information like identifiers, characteristics, location, model details, and operator specifics. It then requests commands from the C&C server to carry out tasks on the device.

Request to C&C with device information.
Malware asks C&C for the commands to execute

The table below outlines the fundamental commands found in the original malware sources, which may vary depending on the specific Rafel RAT version, as identified by researchers.

Among the most critical functionalities are:

  • ransomware: Initiates file encryption on the device.
  • wipe: Deletes all files within a specified path.
  • LockTheScreen: Renders the device screen unusable by locking it.
  • sms_oku: Sends all SMS messages, including two-factor authentication codes, to the management server.
  • location_tracker: Sends device location data to the management server.

Ransomware Operations with Rafel RAT

According to researchers, ransomware was involved in approximately 10% of attacks, where hackers encrypted files on the device using a predefined AES key and demanded ransom from victims.

File Encryption Function

Check Point analysts observed multiple Rafel RAT operations, notably an attack originating from Iran. Initially, the attackers conducted reconnaissance using other capabilities of Rafel RAT before activating the encryption module. They erased call history, changed the wallpaper to display their message, locked the screen, activated the device’s vibration, and sent SMS messages demanding ransom. Victims were instructed to contact the hackers via Telegram to resolve the issue.

Ransom Note

2FA Exploitation by Rafel RAT

Check Point researchers have uncovered several cases where Rafel RAT has intercepted 2FA messages, enabling potential bypasses of two-factor authentication (2FA). By compromising OTP (one-time passwords), malicious actors can evade additional security measures and gain unauthorized access to sensitive accounts and information.

2FA Message
OTP Message

In a recent incident, Check Point researchers discovered a threat actor successfully hacking into a government website from Pakistan. The actor proceeded to install the Rafel web panel on the compromised server, establishing a command and control (C&C) center where infected devices reported their status and activities.

Rafel RAT Hosted on Pakistan’s government server.


In conclusion, Rafel RAT demonstrates the evolving threat of Android malware with its open-source flexibility and broad use in malicious activities. Protecting against such threats requires avoiding dubious downloads, refraining from clicking on suspicious links in emails and messages, and verifying applications with Play Protect. A comprehensive cybersecurity strategy—including threat intelligence, strong endpoint protection, user education, and industry collaboration—is crucial to effectively countering these evolving threats.


  1. https://research.checkpoint.com/2024/rafel-rat-android-malware-from-espionage-to-ransomware-operations

Cybersecurity Researcher

Schedule a Pentest:

Penetration Testing

Start a Free Trial:

Vulnerability Scanner