Zimperium, the mobile security platform purpose-built for enterprise environments, published details of a newly-discovered Android spyware family dubbed RatMilad.
The Zimperium zLabs research team uncovered the RatMilad spyware sample after a failed infection of an enterprise device in the Middle East protected by Zimperium’s on-device machine-learning malware engine.
Discovery of RatMilad spyware variant
The original variant of the previously unknown RatMilad spyware hid behind a VPN and phone number spoofing app called Text Me.
After identifying the RatMilad spyware, the zLabs team also discovered a live sample of the malware family hiding behind and distributed through NumRent, a renamed and graphically updated version of Text Me.
RatMilad spyware
The malicious actors have developed a product website advertising the app to believe it is legitimate
The RatMilad spyware has not been found in any Android app store. Evidence shows the Iranian-based hacker group AppMilad used links on social media and communications tools, including Telegram, to distribute and encourage users to sideload the fake toolset, and enable significant permissions on their device.
The malicious actors have also developed a product website advertising the app to socially engineer victims into believing it is legitimate.
Accesses multiple services
After a user enables the app to access multiple services, the novel RatMilad spyware is installed by sideloading, enabling the malicious actor behind this instance to collect and control aspects of the mobile endpoint.
The user is asked to allow almost complete access to the device, with requests to view contacts, phone call logs, device location, media, and files, as well as send and view SMS messages and phone calls. Once installed and in control, the attackers can access the camera to take pictures, record video, and audio, get precise GPS locations, and more.
Mobile security
“Though this is not like other widespread attacks we have seen in the news, the RatMilad spyware and the Iranian-based hacker group AppMilad represent a changing environment impacting mobile device security,” said Richard Melick, Director of Mobile Threat Intelligence at Zimperium.
He adds, “From Pegasus to PhoneSpy, there is a growing mobile spyware market available through legitimate and illegitimate sources, and RatMilad is just one in the mix. The group behind this spyware attack has potentially gathered critical and private data from mobile devices outside the protection of Zimperium, leaving individuals and enterprises at risk.”