According to Zimperium, RatMilad is an advanced Remote Access Trojan (RAT). The spyware can steal data from a phone, execute remote commands, and do much more, such as take a picture or video of the user and create audio recordings. The zLabs team said it is unlikely the spyware was designed to target a specific person; instead, it is most likely used in a broader spyware campaign. Victims of the RatMilad spyware are unlikely to know their phones have been commandeered, as it functions “silently in the background.” “Similar to other mobile spyware we have seen, the data stolen from these devices could be used to access private corporate systems, blackmail a victim, and more,” Nipun Gupta, author of zLabs’ blog post, wrote. “The malicious actors could then produce notes on the victim, download any stolen materials, and gather intelligence for other nefarious practices.”
Spyware in Virtual Phone Number App
Zimperium’s zLabs researchers encountered the RatMilad spyware after it infected a device that uses the company’s mobile threat defense solution. During their investigation, they found an older version of RatMilad distributed through a mobile virtual phone number app called TextMe. The latest iteration of the spyware is being spread through another app called NumRent, which is “a renamed and graphically updated version of TextMe.” The zLabs team believes that the threat actors behind RatMilad got the code from its creators, the Iran-based hacker group AppMilad, and integrated it into their NumRent app to snare unsuspecting victims. In countries where access to social media is restricted, people rely on virtual phone number apps to verify their social media accounts, text, and make calls.

Interestingly, the malicious app is unavailable on the official Google Play Store. Instead, the hackers use Telegram to distribute links to sideload the fake app. The researchers found a post on a Telegram channel used to promote the phony app that had been viewed 4700 times and shared more than 200 times. “Evidence shows the attackers used Telegram to distribute and encourage the sideloading of the fake app through social engineering,” Gupta said.

When users install NumRent, the app requests access to view their contacts, phone logs, device location, files, and media storage. Users are also asked to grant the app permission to view and send SMS texts and to make phone calls. While this happens, the app installs the spyware in the background.
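The permission set described above (contacts, call logs, location, storage, SMS read/send, calls) is a useful triage signal on its own: a sideloaded "virtual number" app that requests all of these at once deserves a second look before it is installed. The script below is an added example, not code from the article or from Zimperium, and it runs against a manifest constructed here for illustration rather than NumRent's real manifest. It parses an AndroidManifest.xml, maps the requested permissions onto the sensitive groups named in the article, and returns a "review" verdict when a sideloaded app hits enough of them.

```python
"""Triage helper: flag an Android manifest whose requested permissions match
a spyware-style profile (SMS, call logs, contacts, location, storage, audio).
Added example, not part of the original article or of Zimperium's tooling.
The manifest below is constructed for illustration and is not NumRent's."""
import xml.etree.ElementTree as ET

# Android attributes such as android:name live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups corresponding to the data the article says RatMilad
# collects. Real Android permission names; grouping is this example's own.
SENSITIVE_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE",
              "android.permission.READ_PHONE_STATE"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}

# Constructed sample manifest (hypothetical package name) mirroring the
# permission prompts the article describes.
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.numberapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def sensitive_groups_hit(perms):
    """Sorted list of sensitive groups for which at least one permission is requested."""
    return sorted(group for group, names in SENSITIVE_GROUPS.items() if perms & names)


def triage(manifest_xml, sideloaded=True, threshold=4):
    """Verdict is 'review' when a sideloaded app touches >= threshold groups.

    The threshold is a heuristic chosen for this example; tune it to your
    environment. Store-vetted apps are not auto-flagged here because the
    distribution channel, not just the permission list, is the signal.
    """
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    hits = sensitive_groups_hit(perms)
    verdict = "review" if sideloaded and len(hits) >= threshold else "ok"
    return {"package": root.get("package"), "groups": hits, "verdict": verdict}


if __name__ == "__main__":
    result = triage(CONSTRUCTED_MANIFEST)
    print(f"{result['package']}: {result['verdict']} ({', '.join(result['groups'])})")
```

Run on a real APK, the manifest would first have to be decoded from its binary form (for example with apktool or aapt); this example takes the decoded XML as input. Note that the constructed manifest does not request CAMERA, so the "camera" group is absent from the result even though the article lists photo and video capture among RatMilad's capabilities: a permission audit only tells you what an app asks for, not what its code does once granted.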
What Is RatMilad Capable of?
Infecting a device with RatMilad gives the threat actors wide-ranging capabilities. They can execute remote commands to collect and exfiltrate data, including the device SMS list, call logs, account names and permissions, clipboard data, GPS location data, SIM information, the device MAC address, and phone information. Furthermore, the threat actors can read, write, and delete files, use the device to record audio at will, and set new application permissions. “For any device that has been compromised by spyware, the malicious actors behind RatMilad have potentially gathered significant amounts of personal and corporate information on their victims, including private communications and photos,” Gupta said. Cybercriminals can use this information to defraud or blackmail companies. Worried there’s spyware on your phone, or interested in learning how to avoid falling victim to spyware? Check out our detailed article on mobile spyware.