A new Android spyware called RatMilad has been discovered by researchers at the security company Zimperium Labs. There have been observations of this spyware targeting enterprise mobile devices in the Middle East with the purpose of spying on and stealing user data.
As a result of this intrusion, private corporate systems can be accessed, blackmailed, or other malicious uses can be made.
In this way, malicious actors may be enabled to create notes about the victim, download any materials that have been stolen, and gather information for other criminal activities.
Distribution
In order to distribute spyware, a fake NumRent virtual number generator is used. The malware downloads the malicious RatMilad payload after being installed and then requests suspicious permissions from the user.
According to the report, The fake app is primarily distributed through Telegram, which is one of the main distribution channels. The Google Play Store and other third-party stores do not currently offer NumRent or other droppers as a means of downloading RatMilad.
In order to promote the mobile RAT, RatMilad also created a dedicated website to increase the visibility of the app as well as make it seem more credible.
Several social networks such as Telegram as well as other platforms are used to advertise this website.
Capabilities of RatMilad
RatMilad spyware has the following capabilities:-
- MAC Address of Device
- Contact List
- SMS List
- Call Logs
- Account Names and Permissions
- Clipboard Data
- GPS Location Data
- MobileNumber
- Country
- IMEI
- Simstate
- File list
- Read Files
- Write Files
- Delete Files
- Sound Recording
- File upload to C&C
- List of the installed apps, along with their permissions.
- Set new app permissions.
- Model
- Brand
- buildID
- Android version
- Manufacturer
In order to make its installation as seamless as possible, RatMilad spyware runs in the background silently without attracting suspicion.
Moreover, from the AppMilad Telegram channel, the operators of the RatMilad spyware received the source code.
There were more than 4,700 views of the Telegram channel used for the distribution of the spyware and there were more than 200 external shares of the Telegram channel as well.
While security experts at Zimperium have found that RatMilad operators do not engage in targeted attack campaigns and as they only attack random targets.
You can read more android malware activities here.
Recommendations
- Always prefer the official app store (Google Play Store) to download any application.
- The first thing you should do after downloading an APK is to run an antivirus scan on it.
- The permissions requested during installation should be carefully reviewed before proceeding.
- Do not open any suspicious links.
- Make sure to avoid downloading fake or cracked versions of apps.
