RatMilad, a new Android malware that masquerades as a VPN and phone number spoofing app, has been observed to target a Middle Eastern enterprise mobile device.
The mobile trojan acts as advanced spyware, receiving and executing commands to collect and exfiltrate a wide range of data from the infected mobile endpoint, according to a report published by Zimperium.
How Does It Spread?
The malicious app is spread via links on social media and messaging services such as Telegram, tricking unsuspecting users into sideloading it and granting it a wide range of permissions, according to data gathered in the same report.
The malware is embedded in a bogus VPN and phone number spoofing service: the app claims to let users verify social media accounts by phone, a popular technique in countries where access is restricted.
Once the app is installed and the attackers are in control, they can access the camera to take pictures, record video and audio, obtain precise GPS locations, view pictures stored on the device, and more.
RatMilad also has features that allow it to collect SIM card information, clipboard data, SMS messages, call logs and contact lists, and even to perform file read and write operations. It is distributed inside the apps Text Me and NumRent.
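The capability list above maps almost one-to-one onto Android runtime permissions, which is what makes this family detectable before execution: a VPN or number-verification app has no business asking for SMS, call-log, contact, camera or microphone access. The following script is an added example written for this article, not code from Zimperium's report, and the manifest it parses is constructed for illustration rather than taken from a RatMilad sample. It pulls the `<uses-permission>` entries out of an AndroidManifest.xml, subtracts the permissions a VPN-class app plausibly needs (an assumed baseline you would tune to your own app inventory), and reports which sensitive data classes the excess permissions would expose.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Baseline a legitimate VPN / number-verification app might need.
# This set is an assumption for the example; adjust it to your fleet.
EXPECTED_FOR_VPN = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Dangerous permissions mapped to the data class each one exposes.
SENSITIVE = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contact lists",
    "android.permission.READ_PHONE_STATE": "SIM / phone identifiers",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "files and photos",
    "android.permission.WRITE_EXTERNAL_STORAGE": "files and photos",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> nodes."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            names.add(name)
    return names


def assess(manifest_xml, expected=EXPECTED_FOR_VPN):
    """Compare requested permissions with the expected baseline for the
    claimed app category and summarise what the excess would expose."""
    requested = requested_permissions(manifest_xml)
    excess = requested - expected
    exposed = sorted({SENSITIVE[p] for p in excess if p in SENSITIVE})
    if len(exposed) >= 3:
        verdict = "spyware-like"
    elif exposed:
        verdict = "review"
    else:
        verdict = "consistent"
    return {"excess": sorted(excess), "exposed": exposed, "verdict": verdict}


def _manifest(perms):
    """Build a minimal AndroidManifest.xml string for the given permissions."""
    body = "".join(
        '<uses-permission android:name="%s"/>' % p for p in perms
    )
    return (
        '<manifest xmlns:android="%s" package="com.example.app">%s</manifest>'
        % (ANDROID_NS, body)
    )


# Constructed sample: a "VPN" app that mirrors the data classes the article
# lists (SIM, SMS, call logs, contacts, GPS, camera, audio, files).
SUSPICIOUS_MANIFEST = _manifest([
    "android.permission.INTERNET",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
])

# Constructed sample: a VPN app that stays inside the baseline.
BENIGN_MANIFEST = _manifest([
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
])

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = assess(m)
        print(label, result["verdict"], "->", ", ".join(result["exposed"]) or "nothing extra")
```

In a mobile device management pipeline the same check runs against the manifest extracted from each sideloaded APK, with the baseline keyed on the category the app claims in its store listing or branding; a mismatch of this size is a strong pre-install signal even when no signature for the family exists yet.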
Who Is Behind It?
The theory put forth by Zimperium is that RatMilad’s operators obtained the source code from an Iranian hacker group called AppMilad and combined it with a fake app to trick users into downloading it.
Although the extent of the infections is unknown, the cybersecurity firm stated that it discovered the spyware during an unsuccessful attempt to compromise a customer’s enterprise device.
According to The Hacker News, a post on a Telegram channel used to spread the malware sample has received over 4,700 views and more than 200 external shares, indicating a limited audience.