An Iranian hacking group is using new Android spyware in an extensive campaign primarily targeting enterprise users, mobile security firm Zimperium has revealed.

The group behind this campaign goes by the name “AppMilad”, and the spyware it deploys is dubbed “RatMilad.” Once installed on a victim’s device, it can perform a wide range of malicious actions, including file manipulation, audio recording, and modification of application permissions.

Spyware Detailed Analysis

According to Zimperium’s research, the AppMilad threat actors designed the campaign to get the malicious app sideloaded onto unsuspecting users’ devices. Zimperium examined a spyware sample bundled with a VPN and phone number spoofing app identified as Text Me.

Another live RatMilad sample was distributed through a Text Me variant called NumRent. Moreover, the scammers have built a product website to distribute the app and socially engineer targets into believing it is a legitimate application.


RatMilad Capabilities

Because it obtains a broad range of permissions, the spyware can access sensitive device data, such as location and MAC address, as well as user data, including phone calls, contacts, media files, and SMS messages.

Additionally, attackers can access the camera and microphone of the device, which lets them record audio/video and capture photos. Other features include collecting clipboard data, SIM information, and performing read/write operations.

Potential Targets and Modus Operandi

The malware targets enterprise mobile devices in the Middle East and is disguised as a VPN and phone number spoofing application. Once the app is installed and the requested permissions are granted, the spyware is quickly sideloaded onto the device and soon starts collecting information.

RatMilad functions as advanced mobile spyware capable of receiving and executing commands to exfiltrate a wide array of data from the compromised mobile endpoint. The app is distributed via social media links and communication platforms such as Telegram.

Figure: The malicious app being advertised on Telegram (I); the website run by the threat actors to push the RatMilad download (II)

Zimperium explained that a Telegram channel was used to distribute the malware, with the post linking to the Android app reaching more than 4,700 views. It was shared over 200 times, though this isn’t a conclusive number. The campaign tricks users into sideloading the app and granting it wide-ranging permissions.

“The RatMilad spyware and the Iranian-based hacker group AppMilad represent a changing environment impacting mobile device security.”

Richard Melick, Zimperium director of mobile threat intelligence


Posted by Charlie