Android Spyware 'RatMilad' Targets Enterprise Devices in Iran

A newly discovered Android spyware family dubbed 'RatMilad' has been observed trying to infect an enterprise device in the Middle East.

The discovery comes from security researchers at Zimperium, who said the original variant of the previously unknown RatMilad spyware hid behind a VPN and phone number spoofing app called Text Me.

After identifying the RatMilad spyware, the Zimperium team also uncovered a live sample of the malware family distributed through NumRent, a graphically updated version of Text Me.

Additionally, the malicious actors reportedly developed a product website advertising the app to socially engineer victims into believing it was legitimate.

From a technical standpoint, the RatMilad spyware is installed by sideloading after a user enables the app to access multiple services. This allows the malicious actors to collect and control aspects of the mobile endpoint.

In particular, following installation, the user is asked to allow access to contacts, phone call logs, device location, media and files, alongside the ability to send and view SMS messages and phone calls. 

Consequently, a successful attack will result in threat actors accessing the camera to take pictures, record video and audio, get precise GPS locations and more.
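For defenders, the pattern described above (a sideloaded app holding most of the listed access categories) can be checked against a device's package inventory. The following is an added example, not code from Zimperium or the article; the permission mapping, the trusted-installer list, the threshold and the sample text are assumptions constructed for illustration.

```python
import re

# Assumption: mapping of the article's access categories to Android permission
# names; the article lists the categories, not the permission strings.
CATEGORIES = {
    "contacts": {"READ_CONTACTS"},
    "call logs": {"READ_CALL_LOG"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "media and files": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "sms": {"READ_SMS", "SEND_SMS"},
    "phone calls": {"CALL_PHONE", "READ_PHONE_STATE"},
}
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only
# Constructed sample, trimmed to the `dumpsys package` fields used here.
SAMPLE = """\
Package [com.example.sideloaded] (aaaa):
  installerPackageName=null
  android.permission.READ_CONTACTS: granted=true
  android.permission.READ_CALL_LOG: granted=true
  android.permission.ACCESS_FINE_LOCATION: granted=true
  android.permission.SEND_SMS: granted=true
  android.permission.CALL_PHONE: granted=false
Package [com.example.fromstore] (bbbb):
  installerPackageName=com.android.vending
  android.permission.READ_CONTACTS: granted=true
"""

def parse_packages(text):
    """Return {package: {"installer": str or None, "granted": set of names}}."""
    packages, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.match(r"Package \[([\w.]+)\]", line)
        perm = re.match(r"android\.permission\.(\w+): granted=true", line)
        if header:
            current = packages.setdefault(header.group(1), {"installer": None, "granted": set()})
        elif current and line.startswith("installerPackageName="):
            current["installer"] = line.split("=", 1)[1]  # "null" when sideloaded
        elif current and perm:
            current["granted"].add(perm.group(1))  # denied permissions are skipped
    return packages

def flag_sideloaded(text, min_categories=4):
    """Flag packages from untrusted installers holding >= min_categories."""
    findings = {}
    for name, info in parse_packages(text).items():
        hits = sorted(c for c, p in CATEGORIES.items() if p & info["granted"])
        if info["installer"] not in TRUSTED_INSTALLERS and len(hits) >= min_categories:
            findings[name] = hits
    return findings
```

A hit is a triage lead, not a verdict: legitimate messaging or dialer apps installed outside the store can hold the same permissions.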

“Though this is not like other widespread attacks we have seen in the news, the RatMilad spyware and the Iranian-based hacker group AppMilad represent a changing environment impacting mobile device security,” explained Richard Melick, director of mobile threat intelligence at Zimperium.

According to the executive, a growing mobile spyware market is available through legitimate and illegitimate sources, including tools like Pegasus and PhoneSpy.

“RatMilad is just one in the mix,” Melick added. “The group behind this spyware attack has potentially gathered critical and private data from mobile devices outside the protection of Zimperium, leaving individuals and enterprises at risk.”

The discovery comes months after Zimperium published its 2022 Global Mobile Threat Report, which suggested a 466% increase in zero-day attacks against mobile devices.
