Researchers at Zimperium Labs have discovered a new Android malware called RatMilad, which is used to spy on victims and steal data.
Zimperium Labs warned that the malware could be used for cyber espionage, extortion or wiretapping. RatMilad currently only targets mobile devices in the Middle East.
“Data stolen from these devices can be used to access private corporate systems, blackmail the victim and more,” warns a new report from Zimperium Labs.
This spyware is distributed through a fake virtual phone number generator called NumRent that can allegedly be used to activate social network profiles. Once installed, the app asks for risky permissions and then abuses them to load RatMilad.
The main distribution channel of the fake app is Telegram, as NumRent is not available on Google Play Store or other stores.
The researchers also noticed a dedicated website advertising the NumRent app. This website is promoted through links shared on Telegram or other social networks and communication platforms.
Once installed on the victim’s device, RatMilad tries to steal basic device information (model, manufacturer, Android version), device MAC address, contact list, SMS messages, call logs, profile names, list of installed applications along with their permissions, clipboard data, GPS location data, SIM card information (number, country, IMEI), file list and file contents. In addition to stealing them, RatMilad can also delete files, change installed application permissions, and use the device’s microphone to record audio and eavesdrop. These capabilities are more than enough to collect corporate information, personal data, private communications, photos, videos, documents, etc.
Zimperium discovered RatMilad after the malware failed to load on a customer's device.
“Spyware like RatMilad is designed to run silently in the background, constantly spying on victims without arousing suspicion,” the report said. “We believe that the malicious actors responsible for RatMilad took code from the AppMilad group and integrated it into the rogue application.”
The researchers also believe that the victims are random targets rather than specifically chosen, so this does not appear to be a targeted campaign.
At the time of the investigation, the Telegram channel used to distribute the spyware had been viewed more than 4,700 times and had over 200 external shares.
To protect yourself from such malicious software, avoid downloading apps from outside the Google Play Store, scan downloaded apps with a mobile antivirus, and carefully review the permissions an app requests before granting them.
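As an added example (not from the Zimperium report or any tool it describes), the triage check below turns the capability list above and the permission-review advice into code: it reads the `<uses-permission>` entries of a decoded AndroidManifest.xml (as produced by apktool or a similar decoder) and flags an app whose requested permissions cover several of the data sources RatMilad is reported to harvest. The sample manifest is constructed for illustration; the package name and the permission-to-capability mapping are assumptions, not values from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data sources RatMilad is reported to collect, mapped to the Android
# permissions an app would need to reach them (mapping is an assumption).
CAPABILITY_PERMISSIONS = {
    "contact list": {"android.permission.READ_CONTACTS"},
    "SMS messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "GPS location": {"android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_COARSE_LOCATION"},
    "SIM/IMEI info": {"android.permission.READ_PHONE_STATE"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "file access": {"android.permission.READ_EXTERNAL_STORAGE",
                    "android.permission.WRITE_EXTERNAL_STORAGE",
                    "android.permission.MANAGE_EXTERNAL_STORAGE"},
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission") if el.get(ANDROID_NS + "name")}

def matched_capabilities(perms):
    """Spyware-relevant capabilities the requested permissions would enable."""
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)

def triage(manifest_xml, threshold=3):
    """Flag an app whose permissions cover >= threshold of the data sources above."""
    caps = matched_capabilities(requested_permissions(manifest_xml))
    return {"capabilities": caps, "suspicious": len(caps) >= threshold}

# Constructed sample: a "number generator" that asks for far more than it needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.numbergen">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A virtual number generator has no legitimate need for call logs, microphone access or location, so a match on several of these categories is the signal a reviewer should act on.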