RatMilad Mobile Malware

RatMilad is a mobile malware threat targeting Android devices. RatMilad has been mainly observed being used in attack operations against mobile users in the Middle East. The goal of the attacks appears to be cyber espionage and obtaining sensitive and confidential data. Details about RatMilad were released to the public in a report published by the cybersecurity researchers at the mobile security firm Zimperium.

Infection Vector

According to the report, RatMilad's operators are spreading the threat via a fake mobile application named NumRent. The application is advertised as a convenient tool for the generation of fake numbers that users can then use to create accounts for various social media platforms. The cybercriminals have even created a dedicated promotional website for the application to make it appear more legitimate. However, NumRent is mainly distributed through Telegram, as it is not available on the Google Play Store or popular third-party application platforms. When installed on the device, NumRent will ask for several, crucial device permissions that it abuses to sideload the payload of the RatMilad threat.

Threatening Capabilities

Once established on the victim's Android device, RatMilad can perform numerous, invasive activities, depending on the specific goals of the attackers. The threat hides its actions behind a VPN connection. Apart from obtaining basic device information, RatMilad also can collect important private data, including the device's MAC address, the victim's contact list, call logs, account names and permissions, GPS location, SIM information, list of stored files, any clipboard data, list of installed applications, etc. More importantly, RatMilad can manipulate the files on the device by deleting or exfiltrating chosen files. The attackers also can use the threat to take over the device's microphone and use it to record audio or listen in on conversations taking place around the device.