An open-source Android malware named 'Ratel RAT' is widely deployed by multiple cybercriminals to attack outdated devices, some aiming to lock them down with a ransomware module that demands payment on Telegram.
Researchers Antonis Terefos and Bohdan Melnykov at Check Point report
detecting over 120 campaigns using the Rafel RAT malware.
Known threat actors conduct some of these campaigns, like APT-C-35 (DoNot Team), while in other cases, Iran and Pakistan were determined as the origins of the malicious activity.
As for the targets, Check Point mentions successful targeting of high-profile organizations, including in government and the military sector, with most victims being from the United States, China, and Indonesia.
In most of the infections Check Point examined, the victims ran an Android version that had reached the end of life (EoL) and was no longer receiving security updates, making it vulnerable to known/published flaws.
That is Android versions 11 and older, which accounted for over 87.5% of the total. Only 12.5% of infected devices run Android 12 or 13.
As for targeted brands and models, there's a mix of everything, including Samsung Galaxy, Google Pixel, Xiaomi Redmi, Motorola One, and devices from OnePlus, Vivo, and Huawei. This proves Ratel RAT is an effective attack tool against an array of different Android implementations.
