Iranian Hackers Spreading RatMilad Android Spyware Disguised as VPN App.

An Iranian hacking group is using new Android spyware in an extensive campaign primarily targeting enterprise users, mobile security firm Zimperium has revealed.

The group involved in this campaign goes by the name of “AppMilad” while the spyware being used is dubbed “RatMilad.” It can perform a wide range of malicious actions after it is installed on a victim’s device including functionalities like file manipulation, audio recording, and application permission modification.

Spyware Detailed Analysis.

According to Zimperium’s research, AppMilad built the campaign around getting the malicious app sideloaded onto unsuspecting users’ devices. Zimperium analysed a sample that was delivered inside a VPN and phone-number-spoofing app identified as Text Me.

Another live RatMilad sample was distributed through a Text Me variant called NumRent. The operators also built a product website for the app to lend it legitimacy and socially engineer targets into installing it.

RatMilad Capabilities.

The spyware requests, and depends on the user granting, a broad set of permissions. With them it can read device data such as location and MAC address, and user data including phone calls, contacts, media files, and SMS messages.

Additionally, attackers can access the device’s camera and microphone, which lets them record audio and video and capture photos. Other features include collecting clipboard data and SIM information, and reading and writing files on the device.

Potential Targets and Modus Operandi.

The targets are enterprise mobile devices in the Middle East, and the lure is an app disguised as a VPN and phone-number-spoofing tool. Once that app is installed and granted the permissions it asks for, the RatMilad payload is sideloaded onto the device and begins collecting data.

RatMilad functions as advanced mobile spyware that receives and executes commands from its operators to exfiltrate a wide range of data from the compromised endpoint. The app is distributed via links posted on social media and on messaging platforms such as Telegram.

Zimperium found that a Telegram channel was used to distribute the malware: the post linking to the Android app had more than 4,700 views and over 200 shares at the time of analysis, though those figures are not a reliable measure of how many devices were infected. The lure tricks users into sideloading the app and granting it wide-ranging permissions.
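The two indicators the article gives a defender to work with are the permission profile described under RatMilad Capabilities and the fact that the carrier app is sideloaded rather than installed from a store. The script below is an added triage check written for this page, not Zimperium’s tooling or anything recovered from the malware. It assumes two artifacts an analyst can produce offline: a decoded AndroidManifest.xml (for example from apktool) and the text of `adb shell dumpsys package <pkg>`. The mapping from the capabilities listed in the article to Android permission names is an assumption, and the package names, manifests and dumpsys excerpts are constructed samples.

```python
"""Triage check for RatMilad-style carrier apps (added example, not from the article's sources).

Flags an app that (a) was not installed by the Play Store and (b) requests permissions
covering several of the data categories the article attributes to RatMilad.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capability named in the article -> Android permissions that grant it.
# The mapping is an assumption made for this example; the permission names are real.
CAPABILITY_PERMISSIONS = {
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "media_files": {"android.permission.READ_EXTERNAL_STORAGE",
                    "android.permission.WRITE_EXTERNAL_STORAGE"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}

PLAY_STORE = "com.android.vending"


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def matched_capabilities(perms: set) -> set:
    """Capabilities from the article that the requested permissions would enable."""
    return {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}


def installer_of(dumpsys_text: str):
    """Parse installerPackageName from `dumpsys package` output; None means sideloaded."""
    m = re.search(r"installerPackageName=(\S+)", dumpsys_text)
    if not m or m.group(1) == "null":
        return None
    return m.group(1)


def triage(manifest_xml: str, dumpsys_text: str, threshold: int = 3) -> dict:
    """Combine the permission profile and install source into a single verdict.

    threshold is the number of spyware-relevant capabilities a self-described VPN app
    must reach before it is flagged; a real VPN client needs none of them.
    """
    caps = matched_capabilities(requested_permissions(manifest_xml))
    installer = installer_of(dumpsys_text)
    sideloaded = installer != PLAY_STORE
    return {
        "capabilities": sorted(caps),
        "installer": installer,
        "sideloaded": sideloaded,
        "suspicious": sideloaded and len(caps) >= threshold,
    }


# --- Constructed samples (hypothetical package names, not real apps) ---
BENIGN_VPN_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.vpnclient">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>"""

CARRIER_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

PLAY_DUMPSYS = "  Package [com.example.vpnclient]\n    installerPackageName=com.android.vending\n"
SIDELOAD_DUMPSYS = "  Package [com.example.fakevpn]\n    installerPackageName=null\n"

if __name__ == "__main__":
    print(triage(BENIGN_VPN_MANIFEST, PLAY_DUMPSYS))
    print(triage(CARRIER_MANIFEST, SIDELOAD_DUMPSYS))
```

The verdict is deliberately a combination: sideloading alone is common in enterprises that push apps through MDM, and a messaging app legitimately asks for contacts and SMS. A VPN client that is not from the store and also wants SMS, call logs, microphone and camera is the profile the article describes, and that combination is what the check keys on. In a fleet, feed it the manifests and `dumpsys package` output pulled from managed devices rather than the constructed samples.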


By Hackburg Blog
