{"id":90700,"date":"2022-10-08T07:03:56","date_gmt":"2022-10-08T07:03:56","guid":{"rendered":"https:\/\/harchi90.com\/iranian-hackers-spreading-ratmilad-android-spyware-disguised-as-vpn-app\/"},"modified":"2022-10-08T07:03:56","modified_gmt":"2022-10-08T07:03:56","slug":"iranian-hackers-spreading-ratmilad-android-spyware-disguised-as-vpn-app","status":"publish","type":"post","link":"https:\/\/harchi90.com\/iranian-hackers-spreading-ratmilad-android-spyware-disguised-as-vpn-app\/","title":{"rendered":"Iranian Hackers Spreading RatMilad Android Spyware Disguised as VPN App"},"content":{"rendered":"<div>\n<p>An Iranian hacking group is using new Android spyware in an extensive campaign primarily targeting enterprise users, mobile security firm Zimperium has revealed.<\/p>\n<p>The group involved in this campaign goes by the name of \u201cAppMilad\u201d while the spyware being used is dubbed \u201cRatMilad.\u201d  It can perform a wide range of malicious actions after it is installed on a victim&#8217;s device including functionalities like file manipulation, audio recording, and application permission modification.<\/p>\n<h3 id=\"spyware-detailed-analysis\">Spyware Detailed Analysis<\/h3>\n<p>According to Zimperium&#8217;s research, threat actors at AppMilad have devised the campaign to get the malicious app sideloaded onto unsuspecting users&#8217; devices.  Zimperium examined a spyware sample <strong>using the VPN<\/strong> and phone number spoofing app, which was identified as Text Me. <\/p>\n<p>Another live RatMilad sample was distributed through a Text Me variant called NumRent.  Moreover, scammers have developed a product website to distribute the app and socially engineer targets to believe that it is a legit app.<\/p>\n<figure class=\"wp-block-embed aligncenter is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\">\n<div class=\"wp-block-embed__wrapper\">\n<noscript><\/p>\n<div class=\"ast-oembed-container\" style=\"height: 100%;\"><iframe loading=\"lazy\" title=\"RatMilad Installation on Android Device\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/_klnJ_s_ny0?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe><\/div>\n<p><\/noscript>\n<\/div>\n<\/figure>\n<h3 id=\"ratmilad-capabilities\">RatMilad Capabilities<\/h3>\n<p>Since it can cleverly obtain a broad range of permissions, the spyware is capable of accessing crucial device data, such as location and MAC address, and user data, including phone calls, contact numbers, media files, and SMS messages. <\/p>\n<p>Additionally, attackers can access the camera and microphone of the device, which lets them record audio\/video and capture photos.  Other features include collecting clipboard data, SIM information, and performing read\/write operations.<\/p>\n<h3 id=\"potential-targets-and-modus-operandi\">Potential Targets and Modus Operandi<\/h3>\n<p>The malware&#8217;s target is a <strong>Middle Eastern <\/strong>enterprise mobile device that is disguised as a VPN and phone number spoofing application.  After the app is installed and the required permissions are granted, the spyware is quickly sideloaded on the devices and soon starts collecting information.<\/p>\n<p>RatMilad functions as advanced mobile spyware capable of receiving\/executing commands for the exfiltration of a versatile array of data from the compromised mobile endpoint.  The app is distributed via social media links and communication platforms such as <strong>Telegram<\/strong>.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><noscript><img loading=\"lazy\" src=\"https:\/\/i0.wp.com\/www.hackread.com\/wp-content\/uploads\/2022\/10\/iranian-hackers-ratmilad-android-spyware-vpn-app-796x1024.jpg?resize=405%2C521&#038;ssl=1\" alt=\"Iranian Hackers Spreading RatMilad Android Spyware Disguised as VPN App\" class=\"wp-image-101732\" width=\"405\" height=\"521\" srcset=\"https:\/\/i0.wp.com\/www.hackread.com\/wp-content\/uploads\/2022\/10\/iranian-hackers-ratmilad-android-spyware-vpn-app-796x1024.jpg?resize=405%2C521&#038;ssl=1 796w, https:\/\/www.hackread.com\/wp-content\/uploads\/2022\/10\/iranian-hackers-ratmilad-android-spyware-vpn-app-233x300.jpg 233w, https:\/\/www.hackread.com\/wp-content\/uploads\/2022\/10\/iranian-hackers-ratmilad-android-spyware-vpn-app-768x988.jpg 768w, https:\/\/www.hackread.com\/wp-content\/uploads\/2022\/10\/iranian-hackers-ratmilad-android-spyware-vpn-app-380x489.jpg 380w, https:\/\/www.hackread.com\/wp-content\/uploads\/2022\/10\/iranian-hackers-ratmilad-android-spyware-vpn-app-800x1030.jpg 800w, https:\/\/www.hackread.com\/wp-content\/uploads\/2022\/10\/iranian-hackers-ratmilad-android-spyware-vpn-app.jpg 944w\" sizes=\"(max-width: 405px) 100vw, 405px\" data-recalc-dims=\"1\"\/><\/noscript><figcaption>The malicious app being advertised on Telegram (I) \u2013 The website run by threat actors to push RatMilad download (II)<\/figcaption><\/figure>\n<\/div>\n<p>Zimperium <strong>explained<\/strong> that the Telegram channel was used to distribute the malware, with the post linking to the Android app boasting more than 4,700 views.  It was shared over 200 times, but this isn&#8217;t a conclusive number.  It tricks users into sideloading the app and allowing it wide-ranged permissions.<\/p>\n<blockquote class=\"wp-block-quote\" style=\"font-style:normal;font-weight:300\">\n<p>\u201cThe RatMilad spyware and the Iranian-based hacker group AppMilad represent a changing environment impacting mobile device security.\u201d<\/p>\n<p><cite>Richard Melick, Zimperium director of mobile threat intelligence<\/cite><\/p><\/blockquote>\n<h3 id=\"more-iranian-threat-actor-news\"><span class=\"cnvs-badge is-cnvs-badge-color-success\">More Iranian Threat Actor News<\/span><\/h3>\n<ol class=\"is-style-cnvs-list-styled\">\n<li><strong><span style=\"text-decoration: underline;\">Iranian hackers leak trove of Israeli LGBTQ dating app data<\/span><\/strong><\/li>\n<li><strong><span style=\"text-decoration: underline;\">Iranian hackers hit Israel with disk wiper in disguise of ransomware<\/span><\/strong><\/li>\n<li><strong><span style=\"text-decoration: underline;\">Iranian hackers use RDP to hit businesses with Dharma ransomware<\/span><\/strong><\/li>\n<li><strong><span style=\"text-decoration: underline;\">Exposed: 6 year old Iranian espionage attack using Android backdoor<\/span><\/strong><\/li>\n<li><strong><span style=\"text-decoration: underline;\">Microsoft seizes 99 sites used by Iranian hackers for phishing attacks<\/span><\/strong><\/li>\n<\/ol><\/div>\n","protected":false},"excerpt":{"rendered":"<p>An Iranian hacking group is using new Android spyware in an extensive campaign primarily targeting enterprise users, mobile security firm Zimperium has revealed. The group involved in this campaign goes by the name of \u201cAppMilad\u201d while the spyware being used is dubbed \u201cRatMilad.\u201d It can perform a wide range of malicious actions after it is &hellip;<\/p>\n<p class=\"read-more\"> <a class=\"\" href=\"https:\/\/harchi90.com\/iranian-hackers-spreading-ratmilad-android-spyware-disguised-as-vpn-app\/\"> <span class=\"screen-reader-text\">Iranian Hackers Spreading RatMilad Android Spyware Disguised as VPN App<\/span> Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-global-header-display":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[4],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":88820,"url":"https:\/\/harchi90.com\/experts-warn-of-new-ratmilad-android-spyware-targeting-enterprise-devices\/","url_meta":{"origin":90700,"position":0},"title":"Experts Warn of New RatMilad Android Spyware Targeting Enterprise Devices","date":"October 6, 2022","format":false,"excerpt":"A novel Android malware called RatMilad has been observed targeting a Middle Eastern enterprise mobile device by concealing itself as a VPN and phone number spoofing app. The mobile trojan functions as advanced spyware with capabilities that receives and executes commands to collect and exfiltrate a wide variety of data\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"https:\/\/i0.wp.com\/thehackernews.com\/new-images\/img\/b\/R29vZ2xl\/AVvXsEgvfqow2z1XORevUpzKGWWXZ2DP4dMaNi-7cycpa3J_bSZKv0tO6MP40HLl7lvVJDIswOmb6I-YoNMLJym4v9oLZQczujsMqcttB3M_Cvm6E-zLs0XrpwaTZ_SGFjckDfi3CPfijZaii8Z88_btcKeHKKfxm7cDyF3kaVvsirGpb2JWVH0Ot3xGiC2sZg\/s1600\/strike-728.png?resize=350%2C200&ssl=1","width":350,"height":200},"classes":[]}],"fifu_image_url":"https:\/\/www.hackread.com\/wp-content\/uploads\/2022\/10\/iranian-hackers-ratmilad-android-spyware-vpn.jpg","_links":{"self":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/90700"}],"collection":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/comments?post=90700"}],"version-history":[{"count":0,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/90700\/revisions"}],"wp:attachment":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/media?parent=90700"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/categories?post=90700"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/tags?post=90700"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}