A novel Android malware called RatMilad has been observed targeting a Middle Eastern enterprise mobile device by concealing itself as a VPN and phone number spoofing app.
The mobile trojan functions as advanced spyware with capabilities that receives and executes commands to collect and exfiltrate a wide variety of data from the infected mobile endpoint, Zimperium said in a report shared with The Hacker News.
Evidence gathered by the mobile security company shows that the malicious app is distributed through links on social media and communication tools like Telegram, tricking unsuspecting users into sideloading the app and granting it extensive permissions.
The idea behind embedding the malware within a fake VPN and phone number spoofing service is also clever in that the app claims to enable users to verify social media accounts via phone, a technique popular in countries where access is restricted.
"Once installed and in control, the attackers could access the camera to take pictures, record video and audio, get precise GPS locations, view pictures from the device, and more," Zimperium researcher Nipun Gupta said.
Other features of RatMilad, which is spread through apps named Text Me and NumRent, make it possible for the malware to amass SIM information, clipboard data, SMS messages, call logs, contact lists, and even perform file read and write operations.
Zimperium hypothesized that the operators responsible for RatMilad acquired source code from an Iranian hacker group dubbed AppMilad and integrated it into a fraudulent app for distributing it to unwitting users.
The scale of the infections is unknown, but the cybersecurity company said it detected the spyware during a failed compromise attempt of a customer's enterprise device.
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
A post shared on a Telegram channel used to propagate the malware sample has been viewed over 4,700 times with more than 200 external shares, indicating a limited scope.
"The RatMilad spyware and the Iranian-based hacker group AppMilad represent a changing environment impacting mobile device security," Richard Melick, director of mobile threat intelligence at Zimperium, said.
"From Pegasus to PhoneSpy, there is a growing mobile spyware market available through legitimate and illegitimate sources, and RatMilad is just one in the mix."