
Researchers have discovered an Android spyware family dubbed RatMilad that has been used to infect devices in the Middle East.
The original variant of the previously unknown RatMilad spyware hid behind a VPN and phone-number-spoofing app called Text Me. Researchers also uncovered a live sample of the malware family distributed through NumRent, a graphically updated version of Text Me.
Since RatMilad is not available on the Google Play Store or on third-party app stores, the attackers use Telegram as their primary distribution channel. The threat actors also set up a dedicated website for distributing the spyware.
The spyware is installed by sideloading; once the user grants the app access to multiple services, those permissions let the attackers collect data from and control aspects of the mobile endpoint.
After installation, the user is asked to allow access to contacts, phone call logs, device location, media, and files, along with the ability to send and view SMS messages and to make and view phone calls.
A successful attack lets the threat actors access the camera to take pictures, record video and audio, and obtain precise GPS locations. The group behind this spyware has potentially gathered critical and private data from mobile devices, leaving individuals and enterprises at risk.
Awareness
- Beware of malicious links distributed online.
- Avoid downloading applications from untrusted sources.
- Check for application reviews and concerns on the internet.
Indicators of Compromise
Application Names:
- com.example.confirmcode
- com.example.confirmcodf
- com.example.confirmcodg
C&C Servers:
- hxxp://textme[.]network
- api[.]numrent[.]shop
Hashes:
- 31dace8ecb943daa77d71f9a6719cb8008dd4f3026706fb44fab67815546e032
- 3da3d632d5d5dde62b8ca3f6665ab05aadbb4d752a3e6ef8e9fc29e280c5eb07
- 0d0dcc0e2eebf07b902a58665155bd9b035d6b91584bd3cc435f11beca264b1e
- 12f723a19b490d079bea75b72add2a39bb1da07d0f4a24bc30313fc53d6c6e42
- bae6312b00de73eb7a314fc33410a4d59515d56640842c0114bd1a2d2519e387
- 30e5a03da52feff4500c8676776258b98e24b6253bc13fd402f9289ccef27aa8
- c195a9d3e42246242a80250b21beb7aa68c270f7b2c97a9c93b17fbb90fd8194
- 73d04d7906706f90fb81676d4f023fbac75b0047897b289f2eb34f7640ed1e7
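The indicators above are only useful once they are matched against data a defender actually holds: a device's installed-package inventory, the SHA-256 digests of sideloaded APKs, and DNS query logs from the network the device sits on. The following script is an added example and is not part of the advisory; it refangs the published C&C entries, validates the published hashes (the last one has only 63 hex digits as printed, so it cannot be a SHA-256 and is set aside rather than silently matched), and runs all three indicator types over constructed sample data. The dnsmasq-style log lines, the package inventory and the APK digests in the sample section are constructed for the example; only the indicator values come from the advisory.

```python
"""Match the published RatMilad IoCs against an installed-package inventory,
APK SHA-256 digests and DNS query logs. Indicator values are from the
advisory; all sample inventory/log data below is constructed."""
import re

# Package names from the advisory's "Application Names" list.
IOC_PACKAGES = {
    "com.example.confirmcode",
    "com.example.confirmcodf",
    "com.example.confirmcodg",
}

# C&C servers, kept defanged exactly as published.
IOC_C2_DEFANGED = [
    "hxxp://textme[.]network",
    "api[.]numrent[.]shop",
]

# Hashes exactly as published. The final entry has 63 hex digits in the
# advisory, so it is not a valid SHA-256 and usable_hashes() rejects it.
IOC_SHA256_PUBLISHED = [
    "31dace8ecb943daa77d71f9a6719cb8008dd4f3026706fb44fab67815546e032",
    "3da3d632d5d5dde62b8ca3f6665ab05aadbb4d752a3e6ef8e9fc29e280c5eb07",
    "0d0dcc0e2eebf07b902a58665155bd9b035d6b91584bd3cc435f11beca264b1e",
    "12f723a19b490d079bea75b72add2a39bb1da07d0f4a24bc30313fc53d6c6e42",
    "bae6312b00de73eb7a314fc33410a4d59515d56640842c0114bd1a2d2519e387",
    "30e5a03da52feff4500c8676776258b98e24b6253bc13fd402f9289ccef27aa8",
    "c195a9d3e42246242a80250b21beb7aa68c270f7b2c97a9c93b17fbb90fd8194",
    "73d04d7906706f90fb81676d4f023fbac75b0047897b289f2eb34f7640ed1e7",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang_host(indicator):
    """Turn a defanged indicator ('hxxp://x[.]y/path') into a bare lowercase hostname."""
    host = indicator.strip().lower()
    host = re.sub(r"^(hxxps?|https?)://", "", host)
    host = host.replace("[.]", ".").replace("(.)", ".")
    return host.split("/", 1)[0]  # drop any path component


def usable_hashes(published):
    """Split published digests into well-formed SHA-256 values and rejects."""
    valid, rejected = [], []
    for h in published:
        h = h.strip().lower()
        (valid if SHA256_RE.match(h) else rejected).append(h)
    return valid, rejected


def match_packages(installed):
    """Installed package names that exactly match an IoC package name."""
    return sorted(IOC_PACKAGES & {p.strip() for p in installed})


def match_hashes(observed):
    """Observed APK digests that match a well-formed IoC hash."""
    valid, _ = usable_hashes(IOC_SHA256_PUBLISHED)
    return sorted(set(valid) & {h.strip().lower() for h in observed})


def match_dns_log(lines):
    """(line_no, qname) for queries to a C2 host or any subdomain of it."""
    c2_hosts = {refang_host(i) for i in IOC_C2_DEFANGED}
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"query\[\w+\]\s+(\S+)", line)  # dnsmasq query line
        if not m:
            continue
        qname = m.group(1).lower().rstrip(".")
        if any(qname == h or qname.endswith("." + h) for h in c2_hosts):
            hits.append((n, qname))
    return hits


# --- constructed sample data (not from the advisory) ---------------------
SAMPLE_INSTALLED = ["com.android.settings", "com.example.confirmcodf", "org.mozilla.firefox"]
SAMPLE_APK_HASHES = [
    "0d0dcc0e2eebf07b902a58665155bd9b035d6b91584bd3cc435f11beca264b1e",
    "00" * 32,  # benign APK, constructed digest
]
SAMPLE_DNS_LOG = [
    "Oct  5 10:12:01 gw dnsmasq[812]: query[A] api.numrent.shop from 10.0.0.23",
    "Oct  5 10:12:02 gw dnsmasq[812]: query[A] www.example.com from 10.0.0.23",
    "Oct  5 10:12:09 gw dnsmasq[812]: query[AAAA] cdn.textme.network. from 10.0.0.41",
]

if __name__ == "__main__":
    print("package hits:", match_packages(SAMPLE_INSTALLED))
    print("hash hits:", match_hashes(SAMPLE_APK_HASHES))
    print("dns hits:", match_dns_log(SAMPLE_DNS_LOG))
    print("unusable hash indicators:", usable_hashes(IOC_SHA256_PUBLISHED)[1])
```

Package-name matching is exact, since a partial match on `com.example` would flag every sample app built from a template; DNS matching, by contrast, includes subdomains because the advisory gives `api[.]numrent[.]shop` as one host and the parent domain may serve other C&C names. Feeding real data in means piping `adb shell pm list packages` output into `match_packages`, hashing APKs pulled from the device into `match_hashes`, and pointing `match_dns_log` at the resolver's log.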