Researchers at the security company Zimperium Labs have discovered a new Android spyware called RatMilad, created by cybercriminals in the Middle East and used to spy on victims and steal their data. The stolen data can be used to access private corporate systems, to blackmail the victim, or for other malicious purposes.
The spyware is distributed through NumRent, a fake app posing as a virtual phone number generator. Once installed, the app requests suspicious permissions and then uses them to download the malicious RatMilad payload.
The main distribution channel for the fake app is Telegram: neither NumRent nor the other droppers that fetch RatMilad are available on Google Play or on third-party app stores.
The RatMilad operators also set up a dedicated website promoting the mobile RAT to make the app look more legitimate. The site is advertised on Telegram and other social networks.
Once installed on the victim's device, RatMilad steals the following data:
- Basic information about the device (model, brand, build ID, Android version);
- MAC address of the device;
- List of contacts;
- SMS;
- Call logs;
- Account names and permissions;
- List of installed applications and permissions;
- Clipboard data;
- GPS location data;
- Information about the SIM card (number, country, IMEI, region);
- List of files and their contents.
RatMilad can perform actions on files such as:
- Deleting and exfiltrating files;
- Changing application permissions;
- Using the device's microphone to record sound.
RatMilad spyware is designed to run silently in the background without arousing suspicion. According to the researchers, the RatMilad operators obtained the source code from the AppMilad Telegram channel. Zimperium concluded that the RatMilad operators pick victims indiscriminately rather than running targeted campaigns.
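Most of the data categories listed above are gated by Android runtime permissions, so a quick defensive triage of a suspicious APK is to decompile it (for example with apktool) and compare the permissions its manifest declares against what a "virtual number generator" could plausibly need. The script below is an added example, not code from Zimperium or from the article; the manifest it inspects is a constructed sample, not RatMilad's real manifest, and the package name is a placeholder.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Data categories from the article, mapped to the Android permissions that
# gate them. Clipboard contents and the MAC address need no dangerous
# permission, so they cannot be spotted from the manifest alone.
CATEGORY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "sim_card": {"android.permission.READ_PHONE_STATE"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "installed_apps": {"android.permission.QUERY_ALL_PACKAGES"},
    # A dropper that installs a second-stage payload needs this one.
    "sideload_payload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

def requested_permissions(manifest_xml: str) -> set:
    """Return the permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def flagged_categories(manifest_xml: str) -> list:
    """Data categories the declared permissions would let the app reach."""
    perms = requested_permissions(manifest_xml)
    return sorted(c for c, need in CATEGORY_PERMISSIONS.items() if perms & need)

# Constructed sample (placeholder package name): a "number generator" app
# that declares far more than generating numbers requires.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.numgen.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

if __name__ == "__main__":
    for category in flagged_categories(SAMPLE_MANIFEST):
        print("reachable from declared permissions:", category)
```

A manifest check only shows what the app could reach; confirming actual collection still requires dynamic analysis or network inspection.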