Securing data privacy has become a daunting task for enterprise Android Users in the Middle East as threat actors found a new way to steal sensitive data. Hackers have created a new Android spyware named RatMilad that was found targeting mobile devices for Middle Eastern enterprises.

Run silently in the background

According to Zimperium Labs researchers, the malicious actors responsible for RatMilad stole the code from the AppMilad group and integrated it into a fake app to distribute to unsuspecting victims.
  • The spyware was seen hiding behind and distributed through NumRent, a renamed and graphically updated version of Text Me (a phone number spoofing app).
  • The RatMilad spyware was not available on Google Play Store or third-party stores; instead, attackers used Telegram to distribute and encourage the sideloading of the fake app through social engineering.
  • The threat actors developed a dedicated website to advertise and promote the mobile RAT to make the app appear more convincing and legitimate.

Additionally, the Telegram channel used for distributing the spyware has been viewed over 4,700 times with 200+ external shares.

Prowling up sensitive data 

Although the RatMilad campaign is no longer active, its operators were observed following a random-target approach instead of running a focused campaign.

The mobile application was functioning with advanced RAT capabilities from accessing, collecting, and exfiltrating a wide variety of data to controlling cameras to take pictures, record video, and audio, get precise GPS locations, and view pictures from compromised devices.

Wrapping up

Although RatMilad was not a coordinated campaign against singular targets, it represented a broader operation. The malicious actors using RatMilad spyware have potentially gathered significant amounts of personal and corporate information on their victims, including private communications and photos. To stay protected, users are suggested to avoid downloading applications outside the Google Play Store, run an antivirus scan on newly downloaded APKs, and carefully review the requested permissions during installation.
Cyware Publisher