‘RatMilad’ A New Arrival Android Malware Can Record Audio, Steal Data & Spy On You.

by | Mar 7, 2024

Mobile spyware has evolved over the past several years from being a crucial tool for covert intelligence collection and government agencies to a menace that anybody may use to attack anyone. The entrance barrier for spyware is lowering as more and more smaller spyware firms emerge, employing well-established distribution mechanisms to distribute new and updated code as well as malware as a service over the dark web. The Zimperium zLabs research team recently identified malware aimed at Middle Eastern corporate mobile devices and started keeping an eye on a unique family of Android spyware that we have since termed RatMilad.

A new Android spyware family that targets company mobile devices in the Middle East was described in a blog post released on Wednesday by Zimperium, the mobile security platform designed specifically for businesses.

An Android Remote Access Trojan (RAT) with spyware capabilities , RatMilad specifically targets users in the Middle East. It is well known that NumRent, a VPN and phone number spoofing tool, is used to spread this infection. RatMilad was previously concealed by the Text Me app.

The Text Me app has been rebranded and aesthetically altered to become NumRent. Threat actors are able to gather private information and carry out other notorious tasks. The malware, known as “RatMilad,” may access and steal data, record private audio conversations, spy on victims, and change programme permissions on victims’ devices while disguising itself as a VPN and phone number spoofing tool.

The app’s stated purpose is to allow users to verify social media accounts using their phones, a frequent practise among users of social media in nations where access to the site may be limited or who may desire a second, verified account.The researchers found the RatMilad malware family disseminated through “NumRent,” a rebranded and visually improved variant of the Text Me phone number spoofing program.

By utilising links on social media and messaging applications like Telegram, the phone spoofing software tricks users into sideloading the bogus toolkit and granting essential privileges on the device while simultaneously installing the dangerous malware.

NumRent asks for authorization so that it may access contacts, call logs (and place phone calls), SMS messages (and send them), track the position of the device, and see media and files. After users provide authorization to the aforementioned services, RatMilad is installed. With RatMilad, you can access the camera to snap images, record video and audio, get GPS coordinates, browse photos that have already been taken and saved on the infected device, and more. The MAC address of the device, the contact list, the call records, the account names and permissions, the clipboard data, the location data, the IMEI, the mobile number, and other data can all be exfiltrated by this virus.

It is significant to note that it has access to all SMS messages, including those that have been sent, failed, queued, and drafted. RatMilad can also capture sound, upload files to a command and control server, read, write, and delete files, as well as create new application permissions and delete rights.

Once activated, the RatMilad spyware acts as a sophisticated Remote Access Trojan (RAT) with spyware capabilities that may be instructed to gather and exfiltrate a variety of data from the compromised mobile device and carry out a number of destructive tasks, including:

  • Device MAC Address
  • Phone’s Contact List
  • SMS Messages and History
  • Phone Call Logs
  • Account Names and Permissions
  • Data Found In The Clipboard
  • GPS Location Data
  • Sim Card Details – MobileNumber , Country , IMEI , Simstate
  • File list
  • Read, Write, Modify And Delete Files
  • Recording Sound
  • File upload to Command And Control Center
  • Installed Applications List , Along With Their Permissions
  • Set Rogue Permissions For New Application
  • Information About Phone – Model, Brand, BuildID, Android Version, Manufacturer

RatMilad executes a variety of requests to the command-and-control (C&C) server based on certain jobID and requestType, according to researchers, and then lives and waits forever for tasks to execute on the device.

Ironically, researchers only became aware of RatMilad after an unsuccessful attempt to install it on a customer’s workplace equipment prompted them to look into the virus. Spyware like RatMilad is made to operate covertly in the background while continually spying on its targets without drawing attention to itself.

How This Spyware Gets To You:

Zimperium determined that the Telegram channel used to disseminate the malware had been watched more than 4,700 times and had received more than 200 external shares throughout the research into the threat and dissemination techniques. Links on social media and messaging apps like WhatsApp and Telegram are major source for spreading this Spyware.

Damage This Spyware Could Cause:

Stolen personal information (private messages, logins/passwords, etc.), decreased device performance, deleted files, battery is drained quickly, decreased Internet speed, huge data losses, monetary losses, stolen identity.

How This Malware Could Be Removed on Android:

To eliminate malware infections security researchers recommend scanning your Android device with legitimate anti-malware software application such as Avast, Bitdefender, ESET or Malwarebytes.