Ratel RAT ransomware attacks old Android smartphones – protect your data!
Hackers are targeting outdated Android devices that no longer receive security updates, using the open-source Ratel RAT malware, which combines ransomware and surveillance functions.
Ratel RAT Threat
Malware Overview
Cybercriminals have launched large-scale attacks on outdated Android smartphones using the open-source Ratel RAT tool. The malware combines ransomware functionality with spyware capabilities: it encrypts or deletes data, locks the screen and demands a ransom via the Telegram messenger.
Scope of the threat
Check Point researchers have identified more than 120 campaigns using Ratel RAT, run by known threat groups including APT-C-35 (DoNot Team) and groups operating from Iran and Pakistan. Their targets are high-profile organizations, mainly in the government and military sectors. The largest numbers of victims were recorded in the USA, China and Indonesia.
Vulnerable versions of Android
According to the study, most infected devices (87.5%) run Android 11 or older, versions that no longer receive security updates. Only 12.5% of infected devices run the comparatively recent Android 12 or 13. Victims include smartphones from many manufacturers, among them Samsung, Google, Xiaomi, Motorola, OnePlus, Vivo and Huawei, which shows that Ratel RAT does not depend on any one vendor's Android build.
Distribution methods
The attackers distribute the malware as APK files disguised as Instagram, WhatsApp, e-commerce apps and even antivirus apps, tricking users into sideloading them. Once installed, Ratel RAT requests broad permissions, including the ability to keep running in the background.
Ratel RAT functionality
Ratel RAT has several variants that differ in the set of supported commands. They typically perform the following actions:
- Encrypting files on the infected device (ransomware).
- Deleting files at specified paths (wipe).
- Locking the screen so the device cannot be used (LockTheScreen).
- Intercepting SMS messages, including two-factor authentication codes (sms_oku).
- Tracking the device's location (location_tracker).
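Each capability in the list above has to be backed by a permission the APK declares in its manifest, which makes the manifest a quick triage point when a sideloaded "antivirus" or messenger app looks suspicious. The script below is an added example, not code from the page or from Check Point's research: it parses a manifest, maps the declared permissions onto the capabilities listed above, and flags apps that combine SMS interception or screen locking with several other RAT capabilities. The two manifests, the package names and the flagging threshold are constructed for illustration; the permission names are the real android.permission constants.

```python
"""Manifest triage for Ratel-style RAT capabilities (added example, not the page's code)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# ElementTree keys namespaced attributes as "{uri}name".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability from the article's command list -> permissions that enable it.
# Any one permission in a set is enough to count the capability as present.
CAPABILITY_PERMISSIONS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "location_tracking": {"android.permission.ACCESS_FINE_LOCATION",
                          "android.permission.ACCESS_COARSE_LOCATION"},
    # Locking the screen needs a device-admin receiver or an overlay window.
    "screen_lock": {"android.permission.BIND_DEVICE_ADMIN", "android.permission.SYSTEM_ALERT_WINDOW"},
    # Encrypting or wiping user files needs storage access (MANAGE_EXTERNAL_STORAGE on Android 11+).
    "file_access": {"android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "background_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED",
                               "android.permission.FOREGROUND_SERVICE",
                               "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"},
}


def extract_permissions(manifest_xml: str) -> set[str]:
    """Collect every permission the manifest relies on."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    # Signature-level permissions such as BIND_DEVICE_ADMIN are not requested with
    # <uses-permission>; they appear as android:permission on the component that
    # implements the feature (device-admin receiver, accessibility service).
    for tag in ("receiver", "service"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "permission")
            if name:
                perms.add(name)
    return perms


def matched_capabilities(perms: set[str]) -> set[str]:
    return {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}


def triage(manifest_xml: str, threshold: int = 3) -> dict:
    """Flag the app when it combines SMS interception or screen locking with
    at least `threshold` RAT capabilities in total (threshold is an assumption)."""
    perms = extract_permissions(manifest_xml)
    caps = matched_capabilities(perms)
    suspicious = len(caps) >= threshold and bool(caps & {"sms_interception", "screen_lock"})
    return {"permissions": perms, "capabilities": caps, "suspicious": suspicious}


# Constructed manifest of a fake "antivirus" carrying the full capability set.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeav">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Antivirus Cleaner">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed manifest of an ordinary SMS client: one capability, not flagged.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Messages"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, sorted(result["capabilities"]), "suspicious" if result["suspicious"] else "ok")
```

A single SMS permission is normal for a messaging app, which is why the heuristic keys on the combination rather than any one permission; on a real device the same check can be run against a manifest dumped with aapt or androguard.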
Attack Management
Attackers control Ratel RAT through a central command-and-control panel, where they can view device information, monitor status and decide on the next steps of the attack. In about 10% of cases the operators issued the ransomware command: files on the victim's smartphone were encrypted with the AES algorithm, and a ransom was then demanded.
Glossary
- Check Point - Israeli company specializing in cybersecurity.
- APT-C-35 (DoNot Team) - Hacker group that public reporting attributes to India; it is distinct from the Iranian and Pakistani groups also seen using Ratel RAT.
- Ratel RAT - Open source malware that combines ransomware and spyware features.
- AES - Widely used symmetric encryption algorithm.
Discussion of the topic – Ratel RAT ransomware attacks old Android smartphones – protect your data!
Михаил
It's terrible, these hackers don't spare anyone🧐 Attacks on old Android devices with the malicious Ratel RAT are too much. Not only do they encrypt data and demand a ransom😡, but they also monitor SMS and location! My Xiaomi Redmi is old, they will probably get to me too😨
Аннабель
Yeah, the situation is tense 😳 I'm also worried about my Samsung Galaxy. It's good that I updated to Android 13, otherwise I would have been an easy target for the Ratel RAT, since it targets older versions of the OS. But it's still creepy when attackers penetrate so deeply into our devices🥶
Фрэнк
Yes, everything will be fine, don't get so worked up 😎 I'll install an antivirus and switch to Telegram; there's less chance of running into an infection 🦾 Although these Ratel RAT distributors are cunning, they lure people in and install malware through different applications and platforms. With a couple of Redneck Security I'm ready to fight them off💪
Елена
Frank, don't relax👀 These Ratel RATs are a sophisticated threat that also targets military and government organizations🕵️♂️ This means the cybercriminals have great resources and sponsors like APT-C-35. You can't take them on by ordinary means; experts need to be involved🤖
Иван
So much for progress, no matter where you spit🙄 And yet some people argue that security updates are not important. It turns out that 87% of those infected had not updated Android! Now they are victims of blackmail📵 Sometimes it's better to stay in the good old days; at least no program will extort money from you.
Джон
I had no idea that this was possible on Android😰 In my opinion, this is a serious signal to the developers to finally provide proper protection against vulnerabilities. If even new versions like 12 and 13 are under threat, what can we say about the rest 😩 I'm waiting for lawsuits from affected companies and users.
София
I couldn't agree more with John🧐 Cases like this undermine the credibility of Android and create a bad image for Google. I think they will take the security problem seriously, otherwise a massive exodus of users to iOS or other systems will begin🏃♀️ Malware like Ratel RAT is a direct threat to their business.
Жак
And you're all being dramatic over trifles🤷♂️ This is not the first and not the last threat to Android, but life didn't stop because of it. Experts will shout, conspiracy theory lovers will make noise, and in a couple of weeks everyone will forget about it👻 Ratel RAT? I'd never heard of it and I'll live on just fine without it🧟