The RatMilad spyware was discovered by mobile security firm Zimperium, which warned that the malware could be used for cyber espionage, extortion, or eavesdropping on victims' conversations.
“Similar to other mobile spyware we have seen, the data stolen from these devices could be used to access private corporate systems, blackmail a victim, and more,” warned a new report by Zimperium Labs shared with BleepingComputer before publication.
“The malicious actors could then produce notes on the victim, download any stolen materials, and gather intelligence for other nefarious practices.”
Distributed through fake Android apps
The spyware is distributed through "NumRent," a fake virtual-number generator that claims to help activate social media accounts. Once installed, the app requests risky permissions and then abuses them to sideload the malicious RatMilad payload.
The main distribution channel is Telegram, as neither NumRent nor other trojanized apps carrying RatMilad are available on the Google Play Store or on third-party app stores.
The threat actors have also created a dedicated website promoting the fake app that carries the mobile remote access trojan (RAT), to make it appear more legitimate. Links to this site are shared on Telegram and on other social media and messaging platforms.
After it is successfully installed on a victim's device, RatMilad hides behind a VPN connection and attempts to steal the following data:
- Basic device information (model, brand, buildID, Android version)
- Device MAC address
- Contact list
- Call logs
- Account names and permissions
- Installed applications list and permissions
- Clipboard data
- GPS location data
- SIM information (number, country, IMEI, state)
- File list
- File contents
Moreover, RatMilad can perform file actions such as deleting and exfiltrating files, modify the permissions of the installed app, or even use the device's microphone to record audio and eavesdrop on the room.
These capabilities are more than enough to collect corporate information, personal details, private communications, photos, videos, and documents.
Zimperium discovered RatMilad after an attempt to load the spyware on one of its customers' devices failed, and the firm then analyzed the sample.
“Spyware such as RatMilad is designed to run silently in the background, constantly spying on its victims without raising suspicion,” explains Zimperium’s report.
“We believe the malicious actors responsible for RatMilad acquired the code from the AppMilad group and integrated it into a fake app to distribute to unsuspecting victims.”
From the evidence, Zimperium concludes that the RatMilad operators are targeting victims opportunistically rather than running a narrowly focused campaign.
At the time of the investigation, the Telegram channel used to distribute the spyware had been viewed over 4,700 times and shared externally over 200 times.
To protect yourself from Android spyware such as RatMilad, avoid installing apps from outside the Google Play Store, scan newly downloaded APKs with an AV engine before installing them, and review the requested permissions carefully, both at install time and afterwards in the device's app settings. An app that asks for the ability to install other apps ("Install unknown apps") deserves particular scrutiny, since that is the permission a dropper like NumRent needs to sideload its payload.
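The permission review recommended above can be automated for a fleet of devices, and the same check turns the capability list earlier in this article into a detection heuristic. The script below is an added example written for this page; it is not Zimperium's tooling or anything shipped by the NumRent operators. It parses the text that `adb shell dumpsys package <pkg>` prints, collects the permissions that are actually granted, and flags packages whose grants line up with what RatMilad steals (contacts, call logs, location, microphone, storage, accounts) plus the ability to install further APKs. The embedded dump is constructed, the package names in it are invented, the exact `dumpsys` field layout (`installerPackageName=`, `granted=true`) is an assumption to check against your own Android version, and the watchlist and threshold are illustrative choices.

```python
"""Triage Android packages for a spyware-grade set of granted permissions.

Added example (not from Zimperium or the article). Input is the text that
`adb shell dumpsys package <pkg>` prints; the sample below is constructed and
only approximates that layout, so adjust the regexes if your device differs.
"""
import re

# Permission -> capability, mapped from the data RatMilad is reported to collect.
WATCHLIST = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.GET_ACCOUNTS": "account names",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.READ_PHONE_STATE": "SIM / IMEI information",
    "android.permission.RECORD_AUDIO": "microphone recording",
    "android.permission.READ_EXTERNAL_STORAGE": "file list and contents",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideloading further APKs",
}
THRESHOLD = 4  # flag when at least this many watchlist permissions are granted

# Constructed sample dump; package names are invented for illustration.
SAMPLE_DUMP = """\
Package [com.numrent.app] (6f1a2b3):
    userId=10234
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.ACCESS_FINE_LOCATION
      android.permission.RECORD_AUDIO
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
    User 0: ceDataInode=1 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET ]
Package [com.example.notes] (9c8d7e6):
    userId=10235
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=2 installed=true hidden=false
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^Package \[([\w.]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_dump(text):
    """Return {package: {"installer": str | None, "granted": set of permissions}}.

    Only lines of the form '<permission>: granted=true' count; the bare
    'requested permissions' list says nothing about what the user approved.
    """
    apps, current = {}, None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = apps.setdefault(m.group(1), {"installer": None, "granted": set()})
            continue
        if current is None:
            continue
        m = INSTALLER_RE.match(line)
        if m:
            current["installer"] = None if m.group(1) == "null" else m.group(1)
            continue
        m = GRANT_RE.match(line)
        if m and m.group(2) == "true":
            current["granted"].add(m.group(1))
    return apps


def triage(text, threshold=THRESHOLD):
    """Return [(package, sideloaded, [capabilities])] for apps at or over threshold."""
    findings = []
    for pkg, info in parse_dump(text).items():
        hits = sorted(WATCHLIST[p] for p in info["granted"] if p in WATCHLIST)
        if len(hits) >= threshold:
            # No recorded installer is treated as sideloaded (an assumption).
            findings.append((pkg, info["installer"] is None, hits))
    return findings


if __name__ == "__main__":
    for pkg, sideloaded, caps in triage(SAMPLE_DUMP):
        origin = "sideloaded" if sideloaded else "store-installed"
        print(f"{pkg} ({origin}): " + ", ".join(caps))
```

Run it against real output by piping `adb shell dumpsys package <pkg>` for each third-party package (`adb shell pm list packages -3`) into `triage`. Granted permissions are deliberately used instead of requested ones: a benign app that declares `RECORD_AUDIO` but was never granted it cannot eavesdrop, while a sideloaded app holding the whole set at once is worth a closer look regardless of what it claims to be.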