zLabs researchers at mobile security firm Zimperium Inc. today detailed a newly discovered form of Android spyware that is being used to target corporate devices in the Middle East.
Dubbed “RatMilad”, the original spyware variant was found hidden behind a virtual private network and phone number spoofing application called Text Me. After identifying the RatMilad spyware, the zLabs team also discovered a live sample of the malware family hidden behind and distributed via NumRent, a renamed and graphically updated version of Text Me.
While digging into the spyware, the researchers found evidence linking RatMilad to the Iranian hacker group AppMilad. The links were discovered through posts on social media and communication tools, including Telegram, that were used to distribute the fake toolset and to encourage users to download it and activate important permissions on their device. The malicious actors were also found to have developed a product website advertising the app to “social engineer” victims into believing it was legitimate.
When a user allows Text Me or NumRent to access multiple services, RatMilad spyware is sideloaded, allowing the malicious actor to collect and control aspects of the mobile device.
The user is prompted to allow near-full access to the device, with requests to view contacts, phone call logs, device location, media and files, as well as to send and view SMS messages and phone calls. Once installed and in control, those behind AppMilad can access a phone’s camera to take photos, record video and audio, get GPS locations and more.
“Although it’s not like other widespread attacks we’ve seen in the media,” explained Richard Melick, director of mobile threat intelligence at Zimperium. “The RatMilad spyware and Iran-based hacker group AppMilad represent a changing environment that impacts mobile device security. From Pegasus to PhoneSpy, there is a growing market for mobile spyware available through both legitimate and illegitimate sources and RatMilad is just one of them.”
Melick added that the group behind this spyware attack potentially harvested critical and private data from mobile devices, putting individuals and businesses at risk.
To ensure Android users are protected against RatMilad, the researchers recommend a quick risk assessment, with administrators reviewing which apps are loaded on a device that could increase the mobile attack surface and leave data and users at risk.
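One way an administrator can act on that recommendation, shown here as an added example that is not Zimperium's or the article's own tooling: a Python script that parses text in the shape of `adb shell dumpsys package` output and flags apps that were not installed from an app store yet hold several of the permission categories listed above (contacts, call logs, location, media and files, SMS, calls, camera, microphone). The sample dump, the package names in it, the `STORE_INSTALLERS` set and the threshold of four sensitive grants are all assumptions constructed for the example; real dumpsys output carries many more fields, and the parser only looks at the `Package [...]`, `installerPackageName=` and `granted=true` lines.

```python
"""Flag installed Android apps whose granted permissions match a spyware profile.

Added example: parses text in the shape of `adb shell dumpsys package` output
(SAMPLE below is constructed and simplified, not captured from a real device)
and reports sideloaded apps holding several of the sensitive permissions a
RatMilad-style app asks the user to grant.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Runtime permissions that, granted together to one sideloaded app, give it
# the reach described in the article.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "media and files",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Assumed installer ids that count as "came from a store"; a missing or
# null installer is treated as sideloaded.
STORE_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Constructed sample in the shape of dumpsys output: three packages.
SAMPLE = """
Packages:
  Package [com.example.chat] (1a2b3c):
    installerPackageName=com.android.vending
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.sideloaded.vpn] (4d5e6f):
    installerPackageName=null
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
  Package [com.example.calculator] (7a8b9c):
    installerPackageName=com.android.vending
    User 0: installed=true hidden=false
      runtime permissions:
"""


@dataclass
class AppReview:
    package: str
    installer: Optional[str]
    granted: Set[str] = field(default_factory=set)

    @property
    def sideloaded(self) -> bool:
        return self.installer not in STORE_INSTALLERS

    @property
    def sensitive(self) -> List[str]:
        """Human-readable labels of the sensitive permissions this app holds."""
        return sorted(SENSITIVE[p] for p in self.granted if p in SENSITIVE)


PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]", re.M)
INSTALLER_RE = re.compile(r"installerPackageName=(\S+)")
GRANT_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=true", re.M)


def parse_dumpsys(text: str) -> List[AppReview]:
    """Split dumpsys-style text into one AppReview per `Package [...]` block."""
    reviews = []
    headers = list(PKG_RE.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[m.end():end]
        inst = INSTALLER_RE.search(block)
        installer = inst.group(1) if inst and inst.group(1) != "null" else None
        reviews.append(AppReview(m.group(1), installer, set(GRANT_RE.findall(block))))
    return reviews


def flag_spyware_profile(text: str, min_sensitive: int = 4) -> List[AppReview]:
    """Return sideloaded apps holding at least `min_sensitive` sensitive grants."""
    return [r for r in parse_dumpsys(text)
            if r.sideloaded and len(r.sensitive) >= min_sensitive]


if __name__ == "__main__":
    for r in flag_spyware_profile(SAMPLE):
        print(f"{r.package}: sideloaded, granted {', '.join(r.sensitive)}")
```

Run against a real device, the input would come from `adb shell dumpsys package` rather than `SAMPLE`; the store-installer list and the threshold are the two knobs to tune for a fleet, and a store-installed app with the same permission set is not flagged by design, so the report is a starting point for review rather than a verdict.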