In order to spy on victims and collect data, a new Android spyware called “RatMilad” was found to target mobile devices in the Middle East.
Zimperium, a mobile security company, found the RatMilad spyware and warned that it might be used for cyber espionage, extortion, or to listen in on victims’ chats.
According to a recent analysis by Zimperium Labs that was shared with BleepingComputer before publication, “Similar to other mobile spyware we have encountered, the data taken from these devices might be used to access secret corporate networks, blackmail a victim, and more.”
The malicious actors might then compile notes on the victim, download any stolen data, and gather information for additional criminal activities.
Distributed through fake Android apps
The infection is disseminated through “NumRent,” a phoney virtual number generator used to activate social media accounts. When the app is launched, it requests risky permissions, which it then abuses to sideload the RatMilad payload.
Since NumRent and other trojanised apps carrying RatMilad are not available on the Google Play Store or third-party stores, Telegram is the fake app’s primary distribution channel.
To make the mobile remote access trojan (RAT) more believable, the RatMilad threat actors also built a specialised website to market it. This website is promoted through URLs shared on Telegram and other social media and communication platforms.
After successfully installing on a victim’s device, RatMilad hides behind a VPN connection and attempts to steal the following data:
- Basic device information (model, brand, buildID, Android version)
- Device MAC address
- Contact list
- Call logs
- Account names and permissions
- Installed applications list and permissions
- Clipboard data
- GPS location data
- SIM information (number, country, IMEI, state)
- File list
- File contents
RatMilad may also modify the permissions of the installed app, carry out file operations such as stealing and deleting files, and even use the device’s microphone to record audio and listen in on conversations.
These capabilities are more than enough for gathering business data, personal information, private messages, images, videos, documents, etc.
Zimperium discovered RatMilad after the spyware failed to install on a customer’s device, which prompted the company to examine the sample.
According to Zimperium’s assessment, “Spyware like RatMilad is designed to operate silently in the background, persistently eavesdropping on its victims without raising suspicion.”
“We presume that RatMilad’s malicious actors obtained the code from the AppMilad group and combined it with a phoney programme to disseminate to unaware victims.”
Zimperium deduces from the data that RatMilad’s operators are targeting victims at random rather than running a narrowly focused operation.
At the time of the investigation, the Telegram channel distributing the spyware had been viewed over 4,700 times and shared over 200 times.
To protect yourself from Android spyware infections like this one, only install apps from the Google Play Store, run an antivirus scan on newly downloaded APKs, and carefully review the permissions an app requests at installation.