Search results for

All search results
Best daily deals

Affiliate links on Android Authority may earn us a commission. Learn more.

Here's one more reason to not install shady APKs

Rafel RAT can steal your data and execute extortion schemes. Here’s how you can protect your device from malicious APKs.

Published onJune 24, 2024

Google Play Store logo on smartphone stock photo.
Edgar Cervantes / Android Authority
  • Cybercriminals are using malware called Rafel RAT to attack outdated Android devices.
  • Rafel RAT is distributed through malicious APK files disguised as legitimate apps.
  • To stay protected, download apps only from the Google Play Store, scan them with Google’s Play Protect, and keep your Android OS updated to the latest version.

Cybercriminals and cyber espionage groups have been targeting outdated Android devices with Rafel RAT — an open-source malware — to steal data and carry out ransomware attacks. Researchers from cyber security company Check Point identified over 120 campaigns that used this malware to target Android devices.

The company also conducted a victim analysis, which indicated that targeted users were primarily based in the United States, Indonesia, and China. In terms of the devices used by the victims, the majority had Samsung smartphones. Other affected brands included Xiaomi, Vivo, and Huawei.

Check Point noted that although malware can operate on all versions of the operating system, Android 11 was prevalent on most affected devices, followed by Android 8 and 5. This indicates that those with outdated Android versions were most at risk of vulnerabilities introduced by unverified APKs. 

What does Rafel RAT actually do?

Cybercriminals are using popular social media platforms like Instagram as well as messaging apps like WhatsApp to distribute the Rafel RAT-based malware. The malicious APK files are disguised as legitimate applications, luring unsuspecting users into downloading and installing these files on their devices.

During installation, the malware requests access to a number of risky permissions. These permissions allow the malware to leak sensitive data, encrypt files, and lock the device’s screen, among other things. The ransomware command in Rafel RAT goes one step further and executes extortion schemes by taking control of the device and demanding payments via channels like Telegram.

How to stay protected from malware like Rafel RAT

The easiest way to keep your device malware-free is by vetting the source from which you download APK files. It’s best to only download apps from the official Google Play Store, as opposed to app links on third-party websites or messaging platforms. 

Another way to keep yourself from accidentally downloading malicious apps is to keep Google’s Play Protect feature enabled. You should also update your Android OS to the latest version regularly to ensure you have the latest security patches. 

Got a tip? Talk to us! Email our staff at You can stay anonymous or get credit for the info, it's your choice.
You might like