RatMilad Android Malware Targets Middle East Users In New Campaign 

Zimperium released a blog post on Wednesday that details a novel Android malware called RatMilad, which targets enterprise mobile devices in the Middle East by concealing itself as a VPN and phone number spoofing app:

The original variant of RatMilad hid behind a VPN and phone number spoofing app called Text Me with the premise of enabling a user to verify a social media account through a phone, a common technique used by social media users in countries where access might be restricted, or who might want a second, verified account. Armed with the information about the spyware, the zLabs team has recently discovered a live sample of the RatMilad malware family hiding behind and distributed through NumRent, a renamed and graphically updated version of Text Me.

The phone spoofing app is distributed through links on social media and communication tools, encouraging users to sideload the fake toolset and enable significant permissions on the device. But in reality, after the user enables the app to access multiple services, the novel RatMilad spyware is installed by sideloading, enabling the malicious actor behind this instance to collect and control aspects of the mobile endpoint. As seen in the demo installation video below, the user is asked to allow almost complete access to the device, with requests to view contacts, phone call logs, device location, media and files, as well as to send and view SMS messages and phone calls.

Clearly the threat actor or actors behind this are sophisticated, which makes them very dangerous.

Dale Waterman, who is based in Dubai and is the Managing Director at Breakwater Solutions for the Middle East, noted:

     “The fact that this version of the RatMilad malware is targeting mobile phone users in the Middle East with Android operating systems by hiding behind a fake VPN comes as no surprise. Cybercriminals are using trusted platforms like Telegram and WhatsApp to distribute download links to the spyware because they recognize that many governments in the region do not permit the call functionality of apps like WhatsApp. Residents are able to use messaging, but not the (free) call services. If you consider the number of expats living and working across the Middle East, with many away from immediate family and loved ones, then it becomes obvious why bad actors would use a VPN scam to socially engineer access to devices. This is compounded by the fact that GDPR-like privacy laws are only now being implemented across the Middle East, but are not yet actively enforced by most data protection authorities. Consumers in the region are therefore completely desensitized to being constantly bombarded with unsolicited marketing and offers. This reduces the likelihood of consumers questioning the origin of the messages.”

This just highlights that you have to keep your head on a swivel, metaphorically speaking, when it comes to threats, as this one is distributed via platforms that many people trust.
