The PolySwarm Blog


RatMilad Android Spyware

Oct 17, 2022 11:17:37 AM / by PolySwarm Tech Team


Executive Summary

Zimperium recently reported on RatMilad, spyware targeting Android devices.

Key Takeaways

  • RatMilad is Android spyware disguised as a mobile number spoofing app.
  • It is typically advertised via WhatsApp or Telegram.
  • RatMilad is an advanced RAT with spyware capabilities, giving threat actors almost full control over a victim’s device.

What is RatMilad?

RatMilad is Android spyware. Known targets are limited to Middle Eastern countries; within that region the campaign appears broad and opportunistic rather than aimed at particular individuals. The original RatMilad variant disguised itself as an app called Text Me, which was advertised as a VPN with phone number spoofing capabilities. Text Me was offered as a way to verify social media accounts by phone, especially in countries where social media access may be restricted.

New RatMilad variants hide in NumRent, an updated version of Text Me. The app is not in the Android App Store but is distributed through social media links and communication tools, such as WhatsApp and Telegram. The threat actors have created a website for the fake app and use social engineering to spread the app. Victims are tricked into sideloading the fake toolset and giving the threat actors significant phone permissions. This allows the threat actor to collect information from and control the mobile device.

RatMilad functions as an advanced RAT with spyware capabilities. It lets threat actors access or interact with a range of device data and functions, including the following:
  • Device MAC address
  • Contact list
  • SMS list
  • Call logs
  • Account names and permissions
  • Clipboard data
  • Location data
  • SIM information
  • File list
  • Manipulating and deleting files
  • Sound recording
  • Uploading files to the C2
  • Listing installed applications and their permissions
  • Setting application permissions
  • Phone build info

Industry researchers note the threat actors behind RatMilad may have acquired code from, or have affiliation with, the Iranian threat actor group AppMilad.
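As an added example (not PolySwarm's or Zimperium's code), the following Python triage script reads `adb shell dumpsys package` output and flags sideloaded packages whose requested permissions cover several of the capabilities listed above. The permission-to-capability mapping, the package names and the dumpsys excerpt are assumptions or constructed sample data; the bulletin does not list the manifest permissions RatMilad itself requests.

```python
import re

# Assumed mapping from Android runtime permissions to capabilities named in the bulletin.
SPYWARE_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS list", "android.permission.READ_CONTACTS": "Contact list",
    "android.permission.READ_CALL_LOG": "Call logs", "android.permission.RECORD_AUDIO": "Sound recording",
    "android.permission.ACCESS_FINE_LOCATION": "Location data", "android.permission.READ_PHONE_STATE": "SIM information",
    "android.permission.GET_ACCOUNTS": "Account names",
}
STORE_INSTALLERS = {"com.android.vending"}  # Google Play; any other installer counts as sideloaded
MIN_CAPABILITIES = 4                         # how many mapped capabilities make a package suspicious

def parse_dumpsys(text):
    """Pull installer and requested permissions per package out of `dumpsys package` output."""
    pkgs, cur, in_perms = {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            cur = pkgs.setdefault(m.group(1), {"installer": None, "perms": set()})
            in_perms = False
        elif cur is None: continue  # text before the first "Package [...]" header
        elif line.startswith("installerPackageName="):
            cur["installer"] = line.split("=", 1)[1]
        elif line == "requested permissions:":
            in_perms = True
        elif in_perms:
            perm = line.split(":")[0]
            if re.fullmatch(r"[\w.]+", perm) and "." in perm:  # "a.b.X" or "a.b.X: restricted=true"
                cur["perms"].add(perm)
            else:
                in_perms = False  # any other line (e.g. "install permissions:") ends the block
    return pkgs

def triage(text):
    """Return {package: [capabilities]} for sideloaded apps requesting many spyware-grade permissions."""
    hits = {}
    for name, info in parse_dumpsys(text).items():
        caps = sorted(SPYWARE_PERMISSIONS[p] for p in info["perms"] if p in SPYWARE_PERMISSIONS)
        if info["installer"] not in STORE_INSTALLERS and len(caps) >= MIN_CAPABILITIES:
            hits[name] = caps
    return hits

# Constructed excerpt in `dumpsys package` layout: one Play-installed browser, one sideloaded app (placeholder name).
SAMPLE = "\n".join(
    ["Package [com.android.chrome] (a1b2):", "  installerPackageName=com.android.vending",
     "  requested permissions:", "    android.permission.INTERNET", "    android.permission.ACCESS_FINE_LOCATION",
     "Package [com.example.fakespoofer] (c3d4):", "  installerPackageName=null", "  requested permissions:",
     "    android.permission.READ_SMS: restricted=true"]
    + ["    android.permission." + p for p in ("READ_CONTACTS", "READ_CALL_LOG", "RECORD_AUDIO",
                                                "ACCESS_FINE_LOCATION", "READ_PHONE_STATE", "GET_ACCOUNTS")]
    + ["  install permissions:", "    android.permission.INTERNET: granted=true"])
```

On a real device, feed it the output of `adb shell dumpsys package` and review each hit manually; a legitimate messaging app will also request several of these permissions, so the threshold is a triage aid, not a verdict.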

PolySwarm has multiple samples of RatMilad.

You can use the following CLI command to search for all RatMilad samples in our portal:

$ polyswarm link list -f RatMilad


Topics: Threat Bulletin, Android, Spyware, RatMilad
