New Sinister RatMilad Spyware Steals Data And Records Audio To Blackmail Android Users

Zimperium, a cybersecurity company that focuses on mobile devices, has published research detailing a new family of Android spyware. Dubbed “RatMilad,” this spyware seems to be targeting enterprise mobile devices located in the Middle East. However, unlike many other spyware families, such as Pegasus and Hermit, RatMilad doesn’t appear to be part of a campaign targeting specific individuals, but rather a more broad-based attack. The threat actor behind this campaign is currently unknown, but the large variety of data collected by the spyware could be used for blackmail or to gain unauthorized access to enterprise systems.

[Image: Website advertising and distributing the malicious NumRent app]

According to Zimperium’s researchers, the RatMilad spyware is distributed to victims through malicious apps advertised as providing temporary phone numbers for verifying social media accounts. The researchers found that the original variant of RatMilad was spread by way of an app known as “Text Me.” More recently, however, the threat actor behind this campaign updated the malicious app and re-branded it as “NumRent.”

The threat actor primarily promotes the NumRent app on the messaging app Telegram, but also operates a fairly professional-looking website advertising it. While the website features a download button bearing the Google Play Store logo, the NumRent app is not available on the Play Store. The download button instead directs users to a page on the NumRent website where they can download the app as an APK file.

[Image: Malicious NumRent app that installs the RatMilad spyware (source: Zimperium)]

Those who manually install this APK will find a semi-functional app that at least appears to provide the service advertised. However, when users first launch the NumRent app, it requests access to an extensive list of Android permissions. If the user grants these permissions, the app proceeds to sideload the RatMilad spyware in the background.

Once installed, RatMilad sends an initial request containing the infected device’s MAC address to the threat actor’s command-and-control (C2) server to establish a connection. With this connection established, the spyware then sends additional device information, including the contacts list, SMS messages, call logs, the file directory, user account name, clipboard data, and location. RatMilad then lies in wait for instructions from the C2 server. Using the C2 server, the threat actor can direct the spyware to exfiltrate additional information, read or write files, grant additional permissions, or record audio from the infected device’s microphone.

With this extensive tool set, any device infected by RatMilad becomes a potent spying apparatus. Anyone who has installed the Text Me or NumRent apps will likely have to perform a full factory reset to be rid of the spyware.