Earlier this week, threat analysts at mobile security firm Zimperium Inc. zLabs detailed a newly unearthed form of Android spyware leveraged to target enterprise devices in the Middle East.
Dubbed “RatMilad,” the original version of the spyware was identified as concealing behind a VPN and phone number spoofing app called Text Me. After discovering the spyware, the researchers also spotted a live sample of the malware family distributed through NumRent, an updated version of Text Me.
According to Zimperium, an Iran-based hacker group named AppMilad is distributing the phone spoofing app via links on social media and communication tools like Telegram, luring unsuspecting users into sideloading the app and granting it extensive permissions. Moreover, fraudsters have designed a product website to distribute the app and trick users into believing that it is an authentic app.
Since the malicious app can trick users into obtaining a broad range of permissions, it can gain access to sensitive device data, such as location and MAC address, and user data, including phone calls, contact numbers, media files, and SMS messages.
"Once installed and in control, the attackers could access the camera to take pictures, record video, and audio, get precise GPS locations, view pictures from the device, and more," Zimperium researcher Nipun Gupta stated.
Additionally, the hackers can access the camera and microphone of the device, which allows them to record audio/video and capture photos. Other features include collecting clipboard data, SIM information, and performing read/write activities.
The scale of the infections is unknown, but the cybersecurity firm said it identified the spyware during a failed compromise attempt of a user's enterprise device. A post published on a Telegram channel employed to distribute the malware sample has been viewed over 4,700 times with more than 200 external shares, indicating a limited range.
"The RatMilad spyware and the Iranian-based hacker group AppMilad represent a changing environment impacting mobile device security," Richard Melick, director of mobile threat intelligence at Zimperium, explained. From Pegasus to PhoneSpy, there is a growing mobile spyware market available through legitimate and illegitimate sources, and RatMilad is just one in the mix."
Prevention tips
The easiest method to avoid falling victim to fake Android apps employed to propagate spyware and malware is to download new apps from official app stores like the Google Play Store, the Amazon Appstore, and the Samsung Galaxy Store.
Additionally, the users are recommended to scan the app that is sideloaded onto a device and increase the mobile attack surface leaving data and users at risk.
