New Android malware can steal data, record conversations, spy on people

RatMilad Android spyware targets enterprises with spying capabilities

Infection RatMilad follows ransom-target approach and spreads on corporate devices

A new Android malware named RatMilad can spy on mobile devices and is not mainly targeting enterprises in the Middle East. It is used to spy on victims and steal various data from machines.^[1] The infection was discovered by mobile security firm Zimperium which warns people about the possibility that this threat can be used for cyber espionage,^[2] extortion, or to eavesdrop on victims' conversations since the malware can record audio using the hijacked device.^[3]

The spyware analysis was successful when the malware failed to load on the device, and the research team from Zimperium could analyze the infection:

The phone spoofing app is distributed through links on social media and communication tools, encouraging them to sideload the fake toolset and enable significant permissions on the device.

Since the threat mainly targets enterprises, it can create major issues because data obtained from the targeted machines can be used to access private corporate systems, blackmail people further, and launch other campaigns. Malicious actors operating the infection could produce notes to victims, download stolen materials, and gather additional data for other nefarious campaigns in the future.

Malware spread using fake applications

This spyware was discovered using the distribution of threats where a fake virtual number generator used for activating social media accounts triggered the malicious payload drop. Once installed, the NumRent application triggers the request for risky permissions, and then the RatMilad malware can be installed on the machine.

The malware can hide behind the VPN connection apps too. The main channel these spyware-filled fake apps get distributed is Telegram. Trojans also carried the RatMilad via Google Play Store and third-party stores, which are known to be common methods for Android malware distribution.^[4]

A particular promotional website was also developed to push the mobile remote access trojan and make the installation of these apps more convincing.^[5] These promotional websites were also promoted via IRLs shared on Telegram channels, other social media, and platforms for communication. The investigation uncovered that these channels were viewed almost 5000 times and many of the links received 200 external shares.

Malware creators rely on fake malicious programs that are common and popular, so people do not pay attention to details about the source of the application. This also includes the application that hackers use to promote their services. Fake Telegram application has been pushed for Android users with malicious code that leads to spying on people via an additionally installed surveillance app.

Targeted data: valuable and easily accessible

The successful infection allows RatMilad operators to access and gather data like basic details on the machine, contact lists or SMS messages, and call logs. However, account names and permissions, file lists, file contents, SIM information, or installed apps and permissions can be more valuable and used later on in other cybersecurity incidents.

The threat also can trigger actions with files on the machine. This virus can delete files, steal them, modify permissions of the installed applications and even use the microphone on the device to record audio and eavesdrop on the room the affected device is in.

These functions allow the malware to collect various data on corporate entities and personal details about people, photos, documents, videos, and private communications. It is designed to run silently in the background, so its existence might not be noticed for a while while the RatMilad spies on the victim.

The code of this infection is believed to be obtained from the AppMilad group, and the fake app distribution method was integrated. Even though the app is advanced and improved, researchers think that the Android malware is choosing targets randomly and companies are not targeted on purpose.