Cybercriminals are expanding their attack surface by the day. The National Directorate of Cyber Security (DNSC) has issued an alert aimed at Android users. The Rafel Remote Access Tool (RAT) gives attackers the ability to manage infected devices remotely without their owners being aware of its presence. According to DNSC, the malware can avoid detection for extended periods, which increases its effectiveness in attacks. It was recently reported to be present in Romania as well. "Rafel RAT represents a major cyber threat, which can be used for espionage and sophisticated ransomware attacks. Its evolution from a simple spying tool to multifunctional malware reflects its adaptability and the danger it represents to users of Android operating system devices," DNSC said in the alert. According to specialists, the application was initially developed in 2021 and distributed for free via GitHub, and it has since been adopted and further developed by other actors, including Advanced Persistent Threat (APT) groups. Rafel RAT quickly gained notoriety among cybercriminals due to its extensive capabilities and ease of use, generating serious concerns for both Android users and cybersecurity experts. According to DNSC: "It has been used in numerous cyber attacks in various regions, with an emphasis on financial fraud and corporate espionage. Rafel RAT was originally developed and distributed to gain access to sensitive data on infected Android devices, such as SMS messages, call logs, contacts, stored passwords, locations and media files. The malware was later adapted to carry out ransomware attacks, encrypting users' files and demanding ransoms to unlock them." According to specialists, most of the victims of these attacks used Samsung, Xiaomi, Vivo and Huawei phones, and 87.5% of the devices involved ran an outdated Android operating system that no longer received security updates.
DNSC also points out: "The latest campaign, carried out in 2024, targeted high-ranking entities across a very wide geographical area, including Australia, China, France, Germany, Italy, Pakistan, Romania, and the USA. In some attacks, victims were convinced to install the RAT by means of well-known applications (such as Black WhatsApp, Story Saver for Instagram, etc.), support applications or antivirus solutions. In other cases, the attacks took place through emails that used social engineering techniques to convince recipients to open attached documents or access infected websites, thus installing the malware on their devices. None of these attacks require root access, so they operate successfully on devices with unmodified operating systems."
According to specialists, Rafel RAT works very well on Android 12 and earlier versions, but successful attacks have also been recorded on devices running Android 13. Distribution methods (attack vectors), as described in the alert:
"Phishing emails: Cybercriminals often use carefully crafted emails that appear to be from legitimate sources, containing links or attachments that, when accessed, lead to the installation of Rafel RAT.
Malicious websites: Users can be tricked into visiting compromised or fake websites that exploit vulnerabilities in the Android system or use social engineering techniques to convince users to download the malware.
Fake applications: Rafel RAT is frequently disguised as a legitimate application, such as a system update, a popular game or a utility application. These are distributed through unofficial app stores or direct download links.
SMS and social media accounts: Attackers can use text messages or social media platforms to spread links to infected apps or websites.
Installation mode: Once the malicious application is downloaded, it requests an extensive set of permissions from the user. These permissions often include access to contacts, SMS, call logs, camera, microphone, storage and location data. The malware can use deceptive tactics to convince users to grant these permissions, such as claiming that they are necessary for the functionality of the application."
Capabilities and functionality, as listed in the alert:
"Data theft: Rafel RAT can access and extract a wide range of sensitive data, such as contacts, SMS messages (including 2FA codes), call logs, browsing history, stored passwords and financial information.
Audio and video recording: The malware can silently activate the device's microphone and camera to record the user's actions and surroundings.
Screenshots: It can take screenshots of the device, potentially extracting sensitive information such as credentials (usernames, passwords, PINs).
Access to files: Rafel RAT can browse and download files stored on the device, including photos, documents and backups.
GPS tracking: The malware can monitor and report the device's location in real time.
Remote control: Attackers can use Rafel RAT to execute commands on the infected device, installing additional malware modules or performing unauthorized actions.
Keylogging: It can record keystrokes, capturing passwords and other sensitive data.
Application manipulation: Rafel RAT can launch applications, change application settings and even uninstall security software.
Extensive compatibility: Support for Android versions from v5 to v13, covering a wide range of vulnerable devices.
Avoiding detection: It evades detection by Play Protect and other mobile security solutions."
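The permission set the alert describes at installation time, together with the data sources listed under "Data theft", can be turned into a concrete triage check for a responder who has a suspect device on a workstation. The following is an added example and is neither DNSC's text nor code from the Rafel RAT project. It parses the "requested permissions:" section of the output of adb shell dumpsys package <pkg>, maps each permission onto the data categories the alert names (contacts, SMS, call logs, camera, microphone, storage, location), and flags an app that combines network access with four or more of those categories; it also reads the ro.build.version.security_patch property from adb shell getprop to measure how far behind on updates the device is, since the alert stresses that most victims ran unsupported Android builds. The package names, the threshold of four categories, and both samples are constructed for illustration, and the dumpsys section layout is an assumption based on typical output that may vary between Android versions.

```python
"""Triage helpers for the Android spyware profile described in the alert.

Added example, not DNSC's or the Rafel RAT project's code. Assumptions:
  - "adb shell dumpsys package <pkg>" output has a "requested permissions:"
    section whose entries follow it, ending at a blank line or at the next
    header line (one that ends with ':');
  - "adb shell getprop" prints "[ro.build.version.security_patch]: [YYYY-MM-DD]".
The samples below are constructed, not captured from a real device.
"""
import re
from datetime import date

# Permissions that grant the data sources the alert lists: contacts, SMS,
# call logs, camera, microphone, storage and location.
SPYWARE_PROFILE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}
# Assumed review threshold: network access plus this many distinct categories.
FLAG_THRESHOLD = 4

PATCH_RE = re.compile(r"\[ro\.build\.version\.security_patch\]: \[(\d{4}-\d{2}-\d{2})\]")


def parse_requested_permissions(dumpsys_text):
    """Return the permission names listed under 'requested permissions:'."""
    perms = []
    in_block = False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if not in_block:
            continue
        # A blank line or another header (ends with ':') closes the section.
        if not stripped or stripped.endswith(":"):
            in_block = False
            continue
        # Some builds append flags ("...READ_SMS: restricted=true"); keep the name only.
        perms.append(stripped.split(":", 1)[0])
    return perms


def assess_app(package, requested):
    """Map requested permissions onto the alert's data categories and flag the app."""
    categories = sorted({SPYWARE_PROFILE[p] for p in requested if p in SPYWARE_PROFILE})
    has_network = "android.permission.INTERNET" in requested
    return {
        "package": package,
        "categories": categories,
        "network": has_network,
        "flagged": has_network and len(categories) >= FLAG_THRESHOLD,
    }


def security_patch_age_days(getprop_text, as_of):
    """Days between the device's security patch level and as_of (ISO date), or None."""
    match = PATCH_RE.search(getprop_text)
    if not match:
        return None
    return (date.fromisoformat(as_of) - date.fromisoformat(match.group(1))).days


# Constructed sample: a sideloaded "story saver" requesting the full spyware profile.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.storysaver] (a1b2c3):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CALL_LOG
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
"""

# Constructed sample: a flashlight utility that only needs the camera flash.
SAMPLE_BENIGN = """\
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA

    install permissions:
"""

# Constructed getprop excerpt with a patch level from late 2021.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [11]
[ro.build.version.security_patch]: [2021-10-05]
"""

if __name__ == "__main__":
    for name, text in (("com.example.storysaver", SAMPLE_DUMPSYS),
                       ("com.example.torch", SAMPLE_BENIGN)):
        print(assess_app(name, parse_requested_permissions(text)))
    print("patch age (days):", security_patch_age_days(SAMPLE_GETPROP, "2024-06-01"))
```

The flag is a prompt for manual review, not a verdict: a legitimate messaging app may legitimately request several of these permissions, and an installation from outside the Play Store combined with a stale patch level is what should raise the priority of that review.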
Specialists recommend implementing the following basic cyber security measures: "Increased vigilance is the main asset available to an ordinary user at any time. Be careful when checking incoming e-mails, especially those containing suspicious attachments or links! Download applications only from trusted sources, using only official stores such as the Google Play Store. Carefully review the app permissions requested when installing or updating, and be wary of apps that ask for excessive or unnecessary permissions. Scan suspicious links or attachments with a security solution installed on your device or with one available for free online. Don't forget to apply the updates for these security solutions on time! To protect effectively against ransomware, you must focus primarily on its main gateway: email communication. Ransomware is often hidden in the form of apparently legitimate files that allow attackers to access the system and run programs to exfiltrate and/or encrypt files on compromised devices. Urgently update operating systems, anti-virus programs, web browsers, e-mail clients and other utility programs. Conduct regular training sessions with staff. These are necessary both for awareness and prevention and so that staff know what to do when cyber security incidents occur, so that they are managed effectively."
Specialists recommend contacting the National Directorate of Cyber Security (DNSC) if there are suspicions that devices have been compromised or if you are the target of a cyber attack.