  • New Android malware 'RatMilad' can steal your data, record audio

    alf9872000

    • 316 views
    • 3 minutes

    A new Android spyware named 'RatMilad' was discovered targeting mobile devices in the Middle East, used to spy on victims and steal data.

     

    The RatMilad spyware was discovered by mobile security firm Zimperium, which warned that the malware could be used for cyber espionage, extortion, or to eavesdrop on victims' conversations.

     

    "Similar to other mobile spyware we have seen, the data stolen from these devices could be used to access private corporate systems, blackmail a victim, and more," warned a new report by Zimperium Labs shared with BleepingComputer before publication.

     

    "The malicious actors could then produce notes on the victim, download any stolen materials, and gather intelligence for other nefarious practices."

    Distributed through fake Android apps

    The spyware is distributed through "NumRent," a fake virtual number generator of the kind used for activating social media accounts. When installed, the app requests risky permissions and then abuses them to sideload the malicious RatMilad payload.

     

    [Image: The NumRent app that sideloads RatMilad (Zimperium)]

     

    The main distribution channel for the fake app is Telegram, as NumRent, or other trojans carrying RatMilad, aren’t available on the Google Play Store or third-party stores.

     

    The RatMilad threat actors have also created a dedicated website to promote the mobile remote access trojan (RAT) to make the app appear more convincing. This website is promoted through URLs shared on Telegram or other social media and communication platforms.

     

    [Image: Website promoting NumRent (Zimperium)]

     

    After successfully installing on a victim’s device, RatMilad hides behind a VPN connection and attempts to steal the following data:

    • Basic device information (model, brand, buildID, Android version)
    • Device MAC address
    • Contact list
    • SMS
    • Call logs
    • Account names and permissions
    • Installed applications list and permissions
    • Clipboard data
    • GPS location data
    • SIM information (number, country, IMEI, state)
    • File list
    • File contents

     

    Moreover, RatMilad can perform file actions such as deleting files and stealing files, modifying the permissions of the installed app, or even using the device's microphone to record audio and eavesdrop on the room.

     

    [Image: The sound recording function (Zimperium)]

     

    These capabilities are more than enough for collecting corporate information, personal details, private communications, photos, videos, documents, etc.

     

    Zimperium discovered RatMilad after the spyware failed to load on a customer’s device, and the firm then proceeded to analyze the malware.

     

    "Spyware such as RatMilad is designed to run silently in the background, constantly spying on its victims without raising suspicion," explains Zimperium’s report.

     

    "We believe the malicious actors responsible for RatMilad acquired the code from the AppMilad group and integrated it into a fake app to distribute to unsuspecting victims."

     

    From the evidence, Zimperium concludes that the operators of RatMilad are following a random-target approach instead of running a laser-focused campaign.

     

    At the time of the investigation, the Telegram channel used for distributing the spyware was viewed over 4,700 times and counted over 200 external shares.

     

    To protect yourself from Android spyware infections like this one, always avoid downloading apps outside the Google Play Store, run an AV scan on newly downloaded APKs, and carefully review the requested permissions during installation.
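
One way to make the permission review above concrete, as an added example that is not from the article or from Zimperium's report: the script maps the permissions in a decoded AndroidManifest.xml to the data categories listed earlier and flags apps that can reach several of them. The category-to-permission mapping, the threshold of 4 and the sample manifest are assumptions constructed for illustration, not NumRent's actual manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping (not from Zimperium's report): data category named in the
# article -> Android permissions an app would normally need to reach that data.
CATEGORY_PERMISSIONS = {
    "Contact list": {"READ_CONTACTS"},
    "SMS": {"READ_SMS", "RECEIVE_SMS"},
    "Call logs": {"READ_CALL_LOG"},
    "Account names": {"GET_ACCOUNTS"},
    "GPS location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "SIM information": {"READ_PHONE_STATE"},
    "File list and contents": {"READ_EXTERNAL_STORAGE", "MANAGE_EXTERNAL_STORAGE"},
    "Audio recording": {"RECORD_AUDIO"},
    "Sideloading": {"REQUEST_INSTALL_PACKAGES"},
}

def requested_permissions(manifest_xml):
    """Return the short names of all <uses-permission*> entries in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root:
        if el.tag.startswith("uses-permission"):
            perms.add(el.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1])
    return perms

def review(manifest_xml, threshold=4):
    """Map requested permissions to data categories; flag broad collection ability."""
    perms = requested_permissions(manifest_xml)
    hits = {cat: sorted(perms & needed)
            for cat, needed in CATEGORY_PERMISSIONS.items() if perms & needed}
    return {"categories": hits, "flag": len(hits) >= threshold}

# Constructed sample manifest for a hypothetical "number generator" app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.numbergen">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

if __name__ == "__main__":
    result = review(SAMPLE_MANIFEST)
    for category, perms in result["categories"].items():
        print(f"{category}: {', '.join(perms)}")
    print("Review before installing:", result["flag"])
```

The input is the text form of the manifest, so a binary manifest pulled from an APK has to be decoded first.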

     

