Android Devices Being Targeted by Numerous Threat Actors Using Open-Source Rafel RAT
Tech & AI | June 24, 2024, 5:53 a.m.
Rafel RAT is an open-source Android remote administration tool that threat actors, including cyber espionage groups, are deploying in malicious apps that masquerade as popular ones like Instagram and WhatsApp. With powerful features such as data theft, device manipulation, and even ransomware capabilities, it poses a significant threat to Android users. Check Point has identified over 120 malicious campaigns targeting high-profile entities in countries like the U.S., China, and India. Victims, primarily using Samsung phones, are tricked into downloading malware-laced apps through social engineering tactics. Rafel RAT uses HTTP(S) for command-and-control communications and can also use Discord APIs to contact threat actors. Its widespread use in various illicit activities underscores the importance of proactive security measures to protect Android devices from exploitation. This evolving Android malware landscape demands constant vigilance to prevent malicious attacks.