Executive Summary
Zimperium recently reported on RatMilad, spyware targeting Android devices.
Key Takeaways
- RatMilad is Android spyware disguised as a mobile number spoofing app.
- It is typically advertised via WhatsApp or Telegram.
- RatMilad is an advanced RAT with spyware capabilities, giving threat actors almost full control over a victim’s device.
What is RatMilad?
RatMilad is Android spyware. Targets seem to be limited to Middle Eastern countries. Beyond that regional focus, the campaign appears to cast a wide net rather than targeting particular individuals. The original RatMilad variant disguised itself as an app called Text Me, which was advertised as a VPN with phone number spoofing capabilities. Text Me was offered as a way to verify social media accounts by phone, especially in countries where social media access may be restricted.
New RatMilad variants hide in NumRent, an updated version of Text Me. The app is not in the Android App Store but is distributed through social media links and communication tools, such as WhatsApp and Telegram. The threat actors have created a website for the fake app and use social engineering to spread the app. Victims are tricked into sideloading the fake toolset and giving the threat actors significant phone permissions. This allows the threat actor to collect information from and control the mobile device.
RatMilad functions as an advanced RAT with spyware capabilities. It allows threat actors to access or manipulate a wide range of device data and functions, including the following:
- Device MAC address
- Contact list
- SMS list
- Call logs
- Account names and permissions
- Clipboard data
- Location data
- SIM information
- File list
- Manipulating and deleting files
- Sound recording
- Uploading files to the C2
- Listing installed applications and their permissions
- Setting application permissions
- Phone build info
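The capability list above maps closely onto Android runtime permissions a user has to grant by hand, which is what makes a sideloaded "utility" app asking for them a useful triage signal. The script below is an added example written for this write-up, not tooling from PolySwarm or Zimperium: it parses `adb shell dumpsys package` style output, singles out packages that were not installed by the Play Store installer (`com.android.vending`), and reports which capability groups their granted permissions cover. The mapping from capabilities to specific `android.permission.*` identifiers, the flagging threshold and the sample dumpsys excerpt are all this example's own assumptions and constructed data; the report does not state which permissions RatMilad requests.

```python
"""Triage sideloaded Android apps whose granted permissions would cover
the spyware capabilities listed in the RatMilad write-up.

Hypothetical example, not PolySwarm or Zimperium tooling. On a real
device, feed parse/triage the output of
  adb shell pm list packages -3          # third-party packages
  adb shell dumpsys package <pkg>        # one block per package
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Play Store installer id (real). Anything else is treated as sideloaded.
PLAY_STORE_INSTALLER = "com.android.vending"

# Real Android permission identifiers, grouped by the capability they
# enable. Tying these groups to RatMilad's capability list is this
# script's assumption, not a finding from the report.
CAPABILITY_PERMISSIONS: Dict[str, Set[str]] = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "file access": {"android.permission.READ_EXTERNAL_STORAGE",
                    "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "accounts": {"android.permission.GET_ACCOUNTS"},
}


@dataclass
class PackageInfo:
    name: str
    installer: str = "null"
    granted: Set[str] = field(default_factory=set)


def parse_dumpsys(text: str) -> List[PackageInfo]:
    """Pull package name, installer and granted permissions out of
    dumpsys-package style text (one or more 'Package [...]' blocks)."""
    pkgs: List[PackageInfo] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Package \[([\w.]+)\]", line)
        if m:
            current = PackageInfo(name=m.group(1))
            pkgs.append(current)
            continue
        if current is None:
            continue
        if line.startswith("installerPackageName="):
            current.installer = line.split("=", 1)[1]
            continue
        # Both 'install permissions' and 'runtime permissions' entries
        # look like '<perm>: granted=<bool>, ...'; keep only granted ones.
        m = re.match(r"([\w.]+): granted=(true|false)", line)
        if m and m.group(2) == "true":
            current.granted.add(m.group(1))
    return pkgs


def covered_capabilities(pkg: PackageInfo) -> List[str]:
    """Capability groups for which at least one permission is granted."""
    return sorted(cap for cap, perms in CAPABILITY_PERMISSIONS.items()
                  if pkg.granted & perms)


def triage(text: str, threshold: int = 3) -> Dict[str, dict]:
    """Return sideloaded packages whose granted permissions span at
    least `threshold` capability groups (threshold is an assumption)."""
    flagged: Dict[str, dict] = {}
    for pkg in parse_dumpsys(text):
        caps = covered_capabilities(pkg)
        if pkg.installer != PLAY_STORE_INSTALLER and len(caps) >= threshold:
            flagged[pkg.name] = {"installer": pkg.installer, "capabilities": caps}
    return flagged


# Constructed sample in the shape of dumpsys output; package names are
# placeholders, not RatMilad's real identifiers.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.sideloaded] (1a2b3c):
    userId=10234
    installerPackageName=null
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET]
        android.permission.READ_CALL_LOG: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET]
  Package [com.example.weather] (4d5e6f):
    userId=10235
    installerPackageName=com.android.vending
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET]
  Package [com.example.notes] (7g8h9i):
    userId=10236
    installerPackageName=null
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET]
"""

if __name__ == "__main__":
    for name, info in triage(SAMPLE_DUMPSYS).items():
        print(f"{name}: installer={info['installer']} "
              f"covers {', '.join(info['capabilities'])}")
```

Run against the constructed sample, only the sideloaded package holding contacts, SMS, call-log and microphone access is reported; the Play Store weather app and the sideloaded notes app with a single storage permission stay below the threshold. Lowering the threshold or treating any non-Play installer as worth a look are policy choices for the analyst, not something the report prescribes.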
Industry researchers note the threat actors behind RatMilad may have acquired code from, or have affiliation with, the Iranian threat actor group AppMilad.
IOCs
PolySwarm has multiple samples of RatMilad. You can use the following CLI command to search for all RatMilad samples in our portal:
$ polyswarm link list -f RatMilad
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports