Zimperium, the mobile security platform purpose-built for enterprise, on Wednesday published a blog post describing a new Android spyware family targeting enterprise mobile devices in the Middle East.
Dubbed ‘RatMilad’, the spyware disguises itself as a VPN (Virtual Private Network) and phone number spoofing app, and can access and steal data, record private audio conversations, spy on victims, and modify application permissions on victims’ devices.
The app’s advertised function is to let a user verify a social media account with a phone number, a common technique among social media users in countries where access might be restricted, or who want a second, verified account.
The researchers discovered the RatMilad malware family hiding behind and distributed through “NumRent”, a renamed and graphically updated version of a phone number spoofing app called Text Me.
The phone spoofing app is distributed through links on social media and communication tools like Telegram, tricking victims into sideloading the fake toolset and granting sensitive permissions on the device, which installs the malicious code at the same time.
As Zimperium’s demo installation video shows, once installed the app asks the user to allow nearly complete access to the device, with requests to view contacts, phone call logs, device location, media, and files, as well as to send and view SMS messages and phone calls.
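That permission set is the most visible fingerprint of a RatMilad-style install: a sideloaded app (no app-store installer) that requests contacts, call logs, location, storage, SMS, audio and camera all at once. The following triage script is an added example, not Zimperium’s code or anything from the malware itself. It parses a simplified, constructed excerpt in the shape of `adb shell dumpsys package` output (the `installerPackageName=` and `requested permissions:` fields), and flags apps whose requested permissions match the surveillance profile described above. The package names, the sample records, the `threshold` of five permissions and the `STORE_INSTALLERS` set are assumptions for illustration; a real deployment would feed it the actual `dumpsys` output and add its MDM’s installer package to the allow-list.

```python
"""Triage heuristic for RatMilad-style installs: sideloaded + broad surveillance permissions.

Added example (not Zimperium's or the malware's code). The input format is a
simplified, constructed approximation of `adb shell dumpsys package <pkg>`;
adapt parse_dumpsys() to the real output of the Android build you target.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Permissions the article says the fake app asks for, keyed by manifest name.
SURVEILLANCE_PERMS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.READ_EXTERNAL_STORAGE": "media and files",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "camera",
    "android.permission.CALL_PHONE": "place calls",
}

# Installers we trust; anything else (including installer "null") counts as sideloaded.
# Assumption: add your enterprise MDM's installer package here.
STORE_INSTALLERS = {"com.android.vending"}


@dataclass
class AppRecord:
    package: str
    installer: Optional[str] = None
    permissions: set[str] = field(default_factory=set)


def parse_dumpsys(text: str) -> list[AppRecord]:
    """Extract installer and requested permissions per package from dumpsys-like text."""
    records: list[AppRecord] = []
    current: Optional[AppRecord] = None
    in_requested = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            current = AppRecord(m.group(1))
            records.append(current)
            in_requested = False
            continue
        if current is None:
            continue
        if line.startswith("installerPackageName="):
            value = line.split("=", 1)[1]
            current.installer = None if value == "null" else value
            in_requested = False
        elif line.endswith("permissions:"):
            # Only the "requested permissions:" block matters; "install"/"runtime"
            # blocks list grant state and would double-count.
            in_requested = line.startswith("requested")
        elif in_requested and line.startswith("android.permission."):
            current.permissions.add(line.split(":", 1)[0])
    return records


def triage(record: AppRecord, threshold: int = 5) -> Optional[dict]:
    """Return a finding when the app's requested permissions match the profile."""
    hits = sorted(p for p in record.permissions if p in SURVEILLANCE_PERMS)
    sideloaded = record.installer not in STORE_INSTALLERS
    if len(hits) < threshold:
        return None
    return {
        "package": record.package,
        "verdict": "suspect" if sideloaded else "review",
        "sideloaded": sideloaded,
        "capabilities": [SURVEILLANCE_PERMS[p] for p in hits],
    }


def triage_all(text: str, threshold: int = 5) -> list[dict]:
    return [f for r in parse_dumpsys(text) if (f := triage(r, threshold))]


# Constructed sample: a sideloaded fake VPN with the full permission set, a store app
# that also asks for a lot, and a harmless sideloaded flashlight. Names are hypothetical.
SAMPLE_DUMPSYS = """\
Package [com.example.fakevpn] (a1b2c3):
  installerPackageName=null
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_CONTACTS
    android.permission.READ_CALL_LOG
    android.permission.ACCESS_FINE_LOCATION
    android.permission.READ_EXTERNAL_STORAGE
    android.permission.READ_SMS
    android.permission.SEND_SMS
    android.permission.RECORD_AUDIO
    android.permission.CAMERA
    android.permission.CALL_PHONE
  install permissions:
    android.permission.INTERNET: granted=true
Package [com.example.messenger] (d4e5f6):
  installerPackageName=com.android.vending
  requested permissions:
    android.permission.INTERNET
    android.permission.CAMERA
    android.permission.READ_CONTACTS
    android.permission.RECORD_AUDIO
    android.permission.READ_SMS
    android.permission.SEND_SMS
Package [com.example.flashlight] (789abc):
  installerPackageName=null
  requested permissions:
    android.permission.CAMERA
"""

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_DUMPSYS):
        print(finding["verdict"], finding["package"], ", ".join(finding["capabilities"]))
```

The sideloaded app with nine surveillance permissions comes out as `suspect`; the Play-installed messenger with five is only `review`, since a legitimate chat app can plausibly need camera, contacts, microphone and SMS. The point of the installer check is that RatMilad has only been seen distributed by sideloading, so "installer is null and the permission set is this broad" is the combination worth paging someone about.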
“The RatMilad spyware has not been found in any Android app store. Evidence shows the attackers used Telegram to distribute and encourage the sideloading of the fake app through social engineering,” Zimperium researcher Nipun Gupta wrote in the blog post.
“Once installed and in control, the attackers could access the camera to take pictures, record video, and audio, get precise GPS locations, view pictures from the device, and more.”
Once installed, RatMilad operates as an advanced Remote Access Trojan (RAT) with spyware capabilities: it receives and executes commands to collect and exfiltrate a wide range of data from the infected mobile endpoint and to perform several malicious actions, including:
- MAC Address of Device
- Contact List
- SMS List
- Call Logs
- Account Names and Permissions
- Clipboard Data
- GPS Location Data
- SIM information – mobile number, country, IMEI, SIM state
- File list
- Read, Write, Delete Files
- Sound Recording
- File upload to C&C
- List of the installed applications, along with their permissions
- Set new application permissions
- Phone info – Model, Brand, buildID, android version, Manufacturer
Just like other mobile spyware, the data stolen from these devices could be used to access private corporate systems, blackmail a victim, and more. The malicious actors could then profile the victim, download any stolen material, and collect intelligence for further nefarious activities.
From an operational viewpoint, RatMilad sends various requests to the command-and-control (C&C) server, each identified by a jobID and requestType, and then waits indefinitely for tasks to execute on the device, researchers said.
Zimperium researchers first detected RatMilad during a failed attempt to load it onto a customer’s enterprise device, and investigated the malware from there. Spyware such as RatMilad is designed to run silently in the background, continuously spying on its victims without raising suspicion.
Zimperium theorized that the operators responsible for RatMilad acquired the code from the AppMilad group and included it in a fake app to distribute to unsuspecting victims.
During the investigation into the threat and distribution methods, Zimperium discovered that the Telegram channel that was used to distribute the spyware had been viewed over 4,700 times with over 200 external shares.
At the time Zimperium published its blog post, this particular instance of the RatMilad campaign was no longer active, but there could be other Telegram channels. Thankfully, the researchers have so far found no evidence of RatMilad on the official Google Play app store.