Once the unwitting victims accept the permissions, they’re in big trouble. Malicious actors now have access to the user’s camera to take pictures, and record video and audio. On the plus side, the research team did not find RatMilad on any Android app store, but it is distributed on social media platforms where hackers encourage targets to sideload the fake app onto their phones.
What is RatMilad?
RatMilad is an Android threat that functions as an advanced Remote Access Trojan (RAT) with spyware capabilities, allowing attackers to execute commands to gather a wide variety of sensitive data from victims. RatMilad, according to the Zimperium zLabs research team, can perform the following malicious actions:
Sound and video recording
Snag MAC address of device
Get SMS list and call logs
View GPS location and clipboard data
Get SIM info, including mobile number, country, IMEI, etc.
Read, write, delete files
Upload files to malicious actor’s command-and-control server
See list of installed apps and set new permissions for them
Phone info, including model, brand, build ID, Android version and manufacturer
The Zimperium zLabs research team originally found the spyware targeting Middle Eastern enterprise mobile devices. It began monitoring the activity of the new Android spyware and named it RatMilad. “The original variant of RatMilad hid behind a VPN and phone number spoofing app called Text Me with the premise of enabling a user to verify a social media account through a phone,” the Zimperium report said. Phone-number spoofing apps are popular in countries where access to social media is restricted. The apps can also be used by users who want a second verified social media account. During its investigation, the zLabs team recently discovered a sample of RatMilad hiding behind an app called NumRent, an updated version of Text Me. The data collected by RatMilad can be used to blackmail victims, build profiles of the targets, download stolen materials, and gather intelligence on targets for nefarious purposes.
How to avoid RatMilad
As mentioned at the outset, fortunately, the Zimperium research team did not find RatMilad in the Google Play Store or any other Android app store, but the spyware, disguised as a number-spoofing app, is often distributed via links on social media as well as communication apps like Telegram and WhatsApp. To convince users the app is real, the malicious actors rolled out a product website that advertised the RatMilad-infested app NumRent. After it’s installed, the fake app requests permissions that dangerously give it access to various device settings while it downloads malicious code. Zimperium isn’t sure how many people RatMilad has infected, but in one of its observations, the team witnessed a malicious actor use a Telegram channel to distribute the sample. “The post had been viewed over 4,700 times with 200+ external shares.” RatMilad should be easy to dodge; just stay away from suspicious social media links urging you to sideload a strange app onto your phone. Chances are high that the app isn’t what it seems. Keep in mind that RatMilad is designed to “run silently in the background,” Zimperium said, so even if you have it installed on your Android device, there’s a chance you won’t even know it because its presence does not raise suspicion.