RatMilad Spyware Scurries onto Enterprise Android Phones
Attackers have been using a new spyware against enterprise
Android devices, dubbed RatMilad and disguised as a helpful app to get around
some countries' Internet restrictions.
For now, the campaign is operating in the Middle East in a
broad effort to gather victims' personal and corporate information, according
to researchers from Zimperium zLabs.
The original version of RatMilad hid behind a VPN- and
phone-number-spoofing app called Text Me, researchers revealed in a blog post
published Wednesday.
The app's function is purportedly to enable a user to verify
a social media account through his or her phone — "a common technique used
by social media users in countries where access might be restricted or that
might want a second, verified account," Zimperium zLabs researcher Nipun
Gupta wrote in the post.
More recently, however, researchers discovered a live sample
of the RatMilad spyware being distributed through NumRent, a renamed and
graphically updated version of Text Me, via a Telegram channel, he said. Its
developers also have created a product website for advertising and distributing
the app, to try to fool victims into believing it is legitimate.
"We believe the malicious actors responsible for
RatMilad acquired the code from the AppMilad group and integrated it into a
fake app to distribute to unsuspecting victims," Gupta wrote.
Attackers are using the Telegram channel to "encourage
the sideloading of the fake app through social engineering" and the
enablement of "significant permissions" on the device, Gupta added.
Once installed, and after the user grants the app access to
multiple services, RatMilad loads, giving attackers almost complete control
over the device, researchers said. They can then access the device's camera to
take pictures, record video and audio, get precise GPS locations, and view
pictures stored on the device, among other actions, Gupta wrote.
Once deployed, RatMilad operates like an advanced remote
access Trojan (RAT) that receives and executes commands to collect and
exfiltrate a variety of data and perform a range of malicious actions,
researchers said.
"Similar to other mobile spyware we have seen, the data
stolen from these devices could be used to access private corporate systems,
blackmail a victim, and more," Gupta wrote. "The malicious actors
could then produce notes on the victim, download any stolen materials, and
gather intelligence for other nefarious practices."
From an operational perspective, RatMilad makes various
requests to a command-and-control server based on a given jobID and
requestType, and then waits indefinitely for the tasks it is able to perform
to be dispatched for execution on the device, researchers said.
Ironically, researchers initially noticed the spyware when
it failed to infect a customer's enterprise device. They identified one app
delivering the payload and proceeded to investigate, during which they
discovered a Telegram channel being used to distribute the RatMilad sample more
broadly. The post had been viewed more than 4,700 times with more than 200
external shares, they said, with the victims mostly situated in the Middle
East.
That particular instance of the RatMilad campaign was no
longer active at the time the blog post was written, but there could be other
Telegram channels. The good news is, so far, researchers have not found any
evidence of RatMilad on the official Google Play app store.
The Spyware Dilemma
True to its name, spyware is designed to lurk in the shadows
and run silently on devices to monitor victims without raising attention.
However, spyware has itself moved out of the fringes of its
previously covert use and into the mainstream, thanks mainly to the blockbuster
news that broke last year that the Pegasus spyware developed by Israeli-based
NSO Group was being abused by authoritarian governments to spy on journalists,
human rights groups, politicians, and attorneys.
Android devices in particular have been vulnerable to
spyware campaigns. Sophos researchers uncovered new variants of Android spyware
linked to a Middle Eastern APT group back in November 2021. Analysis from Google
TAG released in May indicates at least eight governments from across the globe
are buying Android zero-day exploits for covert surveillance purposes.
Even more recently, researchers discovered an
enterprise-grade Android family of modular spyware dubbed Hermit conducting
surveillance on citizens of Kazakhstan by their government.
The dilemma surrounding spyware is that it can have a
legitimate use by governments and authorities in sanctioned surveillance
operations to monitor criminal activity. Indeed, the companies currently
operating in the gray space of selling spyware — including RCS Labs, NSO Group,
FinFisher creator Gamma Group, Israeli company Candiru, and Russia's Positive
Technologies — maintain that they only sell it to legitimate intelligence and
enforcement agencies.
However, most reject this claim, including the US
government, which recently sanctioned several of these organizations for contributing
to human rights abuses and the targeting of journalists, human rights
defenders, dissidents, opposition politicians, business leaders, and others.
When authoritarian governments or threat actors obtain
spyware, it can become an extremely nasty business indeed — so much so that
there has been much debate about what to do about the continued existence and
sale of spyware. Some believe that governments should get to decide who can buy
it — which also can be problematic, depending on a government's motives for
using it.
Some companies are taking the matter into their own hands to
help protect the limited number of users who may be targeted by spyware. Apple
— whose iPhone devices were among those compromised in the Pegasus campaign —
recently announced a new feature on both iOS and macOS called Lockdown Mode
that automatically locks down any system functionality that could be hijacked
by even the most sophisticated, state-sponsored mercenary spyware to compromise
a user's device, the company said.
Despite all of these efforts to crack down on spyware, the
recent discoveries of RatMilad and Hermit appear to demonstrate that they so
far have not deterred threat actors from developing and delivering spyware in
the shadows, where it continues to lurk, often undetected.