Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Experts Warn of New RatMilad Android Spyware Targeting Enterprise Devices

A novel Android malware called RatMilad has been observed targeting a Middle Eastern enterprise mobile device by concealing itself as a VPN and phone number spoofing app.

The mobile trojan functions as advanced spyware with capabilities that receives and executes commands to collect and exfiltrate a wide variety of data from the infected mobile endpoint, Zimperium said in a report shared with The Hacker News.

Evidence gathered by the mobile security company shows that the malicious app is distributed through links on social media and communication tools like Telegram, tricking unsuspecting users into sideloading the app and granting it extensive permissions.

The idea behind embedding the malware within a fake VPN and phone number spoofing service is also clever in that the app claims to enable users to verify social media accounts via phone, a technique popular in countries where access is restricted.

“Once installed and in control, the attackers could access the camera to take pictures, record video and audio, get precise GPS locations, view pictures from the device, and more,” Zimperium researcher Nipun Gupta said.

Other features of RatMilad, which is spread through apps named Text Me and NumRent, make it possible for the malware to amass SIM information, clipboard data, SMS messages, call logs, contact lists, and even perform file read and write operations.

Zimperium hypothesized that the operators responsible for RatMilad acquired source code from an Iranian hacker group dubbed AppMilad and integrated it into a fraudulent app for distributing it to unwitting users.

The scale of the infections is unknown, but the cybersecurity company said it detected the spyware during a failed compromise attempt of a customer’s enterprise device.

A post shared on a Telegram channel used to propagate the malware sample has been viewed over 4,700 times with more than 200 external shares, indicating a limited scope.

“The RatMilad spyware and the Iranian-based hacker group AppMilad represent a changing environment impacting mobile device security,” Richard Melick, director of mobile threat intelligence at Zimperium, said.

“From Pegasus to PhoneSpy, there is a growing mobile spyware market available through legitimate and illegitimate sources, and RatMilad is just one in the mix.”

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related News

Researcher create polymorphic Blackmamba malware with ChatGPT

Researcher create polymorphic Blackmamba malware with ChatGPT

The malware can target Windows, macOS and Linux devices. HYAS Institute researcher and cybersecurity expert, Jeff Sims, has developed a…
Owner of Breach Forums Pompompurin Arrested in New York

Owner of Breach Forums Pompompurin Arrested in New York

Pompompurin has been charged with a single count of conspiracy to commit access device fraud. Conor Brian Fitzpatrick (aka Pompompurin,…
New Vishing Attack Spreading FakeCalls Android Malware

New Vishing Attack Spreading FakeCalls Android Malware

The attack scheme begins with the FakeCalls malware masquerading as an online banking application of a reputable South Korean financial…