Check Point Research (CPR) has identified a new Android threat that targets users across several major smartphone brands. The researchers report that a powerful remote access trojan (RAT) named Rafel has been used by multiple cybercriminal groups to compromise devices from Samsung, Xiaomi, Vivo, and Huawei. The finding is relevant to a broad base of smartphone owners who rely on these brands in North America and beyond.
Rafel gives attackers remote control over a compromised device. Once installed, the malware can carry out a wide range of malicious tasks: data can be stolen, and the device's normal behavior can be altered in subtle or overt ways. The operators can also wipe the microSD card, erase call history, intercept notifications, and deploy ransomware-like functionality that locks the user out or demands payment to restore access.
Check Point counts roughly 120 distinct malicious campaigns that have leveraged this trojan. The targets span the globe: organizations and individuals in Russia, the United States, Australia, China, the Czech Republic, France, Germany, India, Indonesia, Italy, New Zealand, Pakistan, and Romania are reported as affected. The breadth of this activity underscores how widespread and varied the campaigns are.
Among the affected devices, Samsung smartphones represented the largest share of victims, followed by substantial numbers of Xiaomi, Vivo, and Huawei devices. An important technical detail is that at least 87.5 percent of the compromised devices were running Android versions that no longer receive security updates, leaving them exposed to known flaws that will never be patched regardless of what the user does.
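As a practical check for the point above, the following is an added example, not Check Point's code and not part of the original article: it parses the `[key]: [value]` output of `adb shell getprop` and flags a device whose security patch level is older than a threshold. The sample getprop output is constructed, and the 90-day staleness threshold is an assumption rather than any vendor's support policy.

```python
"""Flag an Android device whose security patch level looks stale.

Added example (not Check Point Research's code). Reads the output of
`adb shell getprop`, extracts build and patch-level properties, and
reports whether the device still appears to receive security updates.
"""
import re
from datetime import date

# Assumption: a security patch level older than this many days is
# treated as stale. Real support windows vary by vendor and model.
STALE_AFTER_DAYS = 90

# Constructed sample (abbreviated) in the exact format getprop prints.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [9]
[ro.build.version.sdk]: [28]
[ro.build.version.security_patch]: [2019-11-05]
[ro.product.manufacturer]: [samsung]
[ro.product.model]: [SM-G950F]
"""

# One getprop line: "[name]: [value]" (value may be empty).
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> dict:
    """Turn raw getprop output into a {name: value} dict, skipping noise."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def patch_age_days(security_patch: str, today: str) -> int:
    """Days between the YYYY-MM-DD patch level and the ISO date `today`."""
    return (date.fromisoformat(today) - date.fromisoformat(security_patch)).days


def assess(props: dict, today: str) -> dict:
    """Summarise the device and decide whether its patch level is stale.

    A missing patch level is treated as stale, since the device cannot be
    shown to be maintained.
    """
    patch = props.get("ro.build.version.security_patch", "")
    age = patch_age_days(patch, today) if patch else None
    return {
        "device": "%s %s" % (props.get("ro.product.manufacturer", "?"),
                             props.get("ro.product.model", "?")),
        "android": props.get("ro.build.version.release", "?"),
        "security_patch": patch or "unknown",
        "patch_age_days": age,
        "stale": age is None or age > STALE_AFTER_DAYS,
    }


if __name__ == "__main__":
    # Stand-alone run against the constructed sample; on a real device,
    # feed it the output of `adb shell getprop` instead.
    report = assess(parse_getprop(SAMPLE_GETPROP), date.today().isoformat())
    for key, value in report.items():
        print("%-16s %s" % (key + ":", value))
```

On a real handset, run `adb shell getprop > props.txt` and pass the file contents to `parse_getprop`; a `stale` result is a strong hint that the device is in the unsupported population Check Point describes, and that no amount of prompt updating will close its known holes.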
The activity around Rafel fits with broader warnings about mobile fraud and scams that abuse popular communications channels. Recent reports describe a surge in scams over messaging platforms, where attackers lure users into installing malicious apps or clicking deceptive links. The combination of social engineering and a capable RAT raises the risk most for users who run outdated software or delay updates. Security researchers therefore advise users to install apps only from trusted sources, keep devices up to date, and enable the built-in protections that detect unusual app behavior and unauthorized data access. Check Point Research's findings provide the core data and timeline for these campaigns, helping security teams and informed users understand the scale and mechanics of the threat.