Heimdal

RatMilad, a new Android malware that masquerades as a VPN and phone number spoofing app, has been observed targeting an enterprise mobile device in the Middle East.

The mobile trojan acts as advanced spyware, receiving and executing commands to collect and exfiltrate a wide range of data from the infected mobile endpoint, according to a report published by Zimperium.

How Does It Spread?

The malicious app is spread via links on social media and messaging services such as Telegram, tricking unsuspecting users into sideloading it and granting it a wide range of permissions, according to the same report.

The malware is embedded in a bogus VPN and phone number spoofing app. The app claims to let users verify social media accounts by phone, a popular technique in countries where access to those platforms is restricted.

Once the app is installed and granted the permissions it requests, the attackers can access the camera to take pictures, record video and audio, obtain precise GPS locations, view pictures stored on the device, and more.


RatMilad also collects SIM card information, clipboard data, SMS messages, call logs, and contact lists, and can perform file read and write operations on the device. The samples observed were distributed as apps named Text Me and NumRent.
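The capabilities listed above (camera, audio, GPS, SMS, call logs, contacts, SIM data, file access) each require the app to hold a specific Android permission, and a sideloaded app that advertises itself as a VPN yet requests all of them is a red flag. The following Python script is an added triage example, not code from the original article or from Zimperium's report: it parses a decoded AndroidManifest.xml, maps the requested permissions to the data-collection capabilities described in the report, and checks whether the app actually declares a VpnService (a genuine VPN app must declare a service protected by android.permission.BIND_VPN_SERVICE). The two manifests are constructed for this example, the permission-to-capability mapping is a standard Android mapping chosen here rather than RatMilad's actual permission list, and the "three or more capabilities" threshold is this example's own heuristic.

```python
"""Triage a decoded AndroidManifest.xml for spyware-style permission requests.

Added example: the manifests below are constructed, not real RatMilad samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's namespaced attribute prefix

# Standard Android permissions grouped by the collection capability they enable.
# The grouping is this example's assumption; the report does not list permissions.
CAPABILITY_PERMISSIONS = {
    "camera and video": {"android.permission.CAMERA"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "precise GPS location": {"android.permission.ACCESS_FINE_LOCATION"},
    "SMS messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "contact list": {"android.permission.READ_CONTACTS"},
    "SIM card information": {"android.permission.READ_PHONE_STATE"},
    "file read/write": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
}

# Constructed manifest of a fake "VPN" app that asks for surveillance permissions
# but declares no VpnService.
FAKE_VPN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Fake VPN">
    <service android:name=".CommandService" android:exported="false"/>
  </application>
</manifest>
"""

# Constructed manifest of a minimal legitimate VPN app for comparison.
REAL_VPN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.realvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Real VPN">
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"
             android:exported="false">
      <intent-filter>
        <action android:name="android.net.VpnService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (requested permissions, whether a BIND_VPN_SERVICE service is declared)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    declares_vpn = any(
        s.get(A + "permission") == "android.permission.BIND_VPN_SERVICE"
        for s in root.iter("service")
    )
    return perms, declares_vpn


def triage(xml_text):
    """Map permissions to capabilities and flag a 'VPN' that collects but does not tunnel."""
    perms, declares_vpn = parse_manifest(xml_text)
    caps = sorted(name for name, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)
    # Heuristic threshold chosen for this example: an app sold as a VPN with no
    # VpnService and three or more surveillance capabilities is worth escalating.
    suspicious = (not declares_vpn) and len(caps) >= 3
    return {
        "capabilities": caps,
        "declares_vpn_service": declares_vpn,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for label, manifest in (("fake", FAKE_VPN_MANIFEST), ("real", REAL_VPN_MANIFEST)):
        print(label, triage(manifest))
```

On a real device the same check can be run against the installed package by pulling the APK with `adb pull` and decoding the binary manifest with apktool or aapt2 before feeding the XML to `triage`. The check is only a triage aid: clipboard access, which the report also lists, needs no manifest permission, so a clean permission set does not clear an app.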


Who Is Behind It?

The theory put forth by Zimperium is that RatMilad’s operators obtained the source code from an Iranian hacker group called AppMilad and combined it with a fake app to trick users into downloading it.

Although the extent of the infections is unknown, the cybersecurity firm stated that it discovered the spyware during an unsuccessful attempt to compromise a customer’s enterprise device.

According to The Hacker News, a post on a Telegram channel used to spread the malware sample has received over 4,700 views and more than 200 external shares, indicating a limited audience.


Author Profile

Madalina Popovici

Digital PR Specialist


Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.
