RatMilad: Iranian Hackers Deploy Novel Spyware

By Anthony Eich on October 11, 2022

Executive Summary

As Iranian hacking groups grow in number and proliferation, the use of spyware is becoming increasingly common. The latest malware to be publicized was discovered by the zLabs team at Zimperium, a mobile endpoint security organization. The malware is distributed through social media and disguises itself as a legitimate application, complete with a website boasting it’s features as a phone number spoofing agent. The malware was first detected by Zimperium when the app would not load on an Android device, leading to the security researchers to dive into the code and discover the intent of the software [2][3]. The original app that is downloaded acts as a device that the user then grants multiple questionable permissions to, and then the RatMilad payload is then sideloaded as a secondary installation which seeks to add persistence and establish communications with the command-and-control servers (C2) operated by AppMilad. The malicious hackers are then able to access the devices that it is installed on to steal or delete data, use the cameras and microphones for spying, and several other nefarious purposes [2][3]. At this time the intended target of the malware seems to be focused on Android phones used in the Middle East region, but the code may easily be offered as Malware as a Service (MaaS) on the dark web and could easily migrate to other areas of the world, including the United States of America [6]. The best way to avoid Android malware is to only download applications from the Google Play store, and never from links or websites distributed by unknown sources.


AppMilad is a relatively new hacker group operating out of Iran, according to multiple sources. They are currently not listed by MITRE as an Advanced Persistent Thread (APT) but the tactics that they have recently deployed are similar to other groups attributed to Iranian nation state threat actors. The group has a Twitter account established in October of 2018, and a YouTube channel hosting several “how-to” videos on hacking, promotional propaganda, and the utilization of the malware that they are responsible for distributing, dating as far back as a year ago. The group has been distributing the RatMilad malware using social media service Telegram and directing users to click on a link that takes them to an AppMilad run website which leads users to believe in the legitimacy of the software. The delivery app was originally called TextMe, which is the same name as a legitimate app that can be found on the Apple App Store, as well as on Google Play. However, more recently the malicious app was updated and renamed to NumRent [3][5]. Once installed NumRent asks users to allow permissions that grant the app access to sensitive data such the device’s MAC address, contact lists, call logs, file upload and deletion, as well as sound and video recording capabilities. This gives the AppMilad hackers full control over the infected device which can then be used to spy on the device owner, making this malware particularly dangerous [3].

Figure 1: Screen shot of AppMilad Twitter page


Once control over the infected Android device is established, the RatMilad malware begins to quietly send information to the C2 servers, which have been detected as http[://]textme[.]network and api[.]numrent[.]shop [3]. The devices can be used to listen to and record sound, as well as video. Any data that is stored on the phone is likely to be exfiltrated as well. When examining the Telegram site used to disseminate this malware, at the time that Zimperium published their findings, the site had been visited over 4700 times and shared over 200 times [2][3]. These numbers do not necessarily reflect the actual number of devices in the wild that are infected with the malware though. It is though that, based on the social media focus used to promote the malware, the primary targets are Middle East enterprise devices. In other words, businesses, and individuals in the Middle East. However, there is no limitation as to how far the malware can spread, with targets in the United States and European Union highly likely to become victims as well.


Once thought to be a modus operandi of highly funded and well-trained nation state threat actors, the RatMilad malware shows that in today’s cybersecurity landscape, even small-time hacking groups now have access to relatively sophisticated spyware and prolific means of distribution. The public availability and use of social media shows that while this particular strain of malware has specific and intended targets, it also acts as a means of promoting the skills and talents of the hacking group itself. The proliferation of RatMilad is, in a way, an advertisement for what could become a customized malware that can be purchased through black-market means and used by anyone who has the need or desire to deploy malicious spyware. This is particularly concerning because it shows that as the business of malicious hacking of government and enterprise grows, so does the threat to average, consumer-level users, because the ease of use and distribution of sophisticated malware gives the threat a much wider footprint. The need for better and more advanced security measures is critical, as well as the need for the education of users to know how to safely use devices, and to be cautious of links and promotions received through social media and other untrusted sources. The safest thing to do is not to trust any unsolicited messages in social media, and to only get applications from trusted, licensed sources, such as those found on the Google Play store and the Apple App store. While smart devices are capable of making life more convenient, and giving us powerful tools at our fingertips, it is important to be vigilant in using these devices wisely and safely.


[1] Arghire, I. (2022, October 5). Iranian Hackers Target Enterprise Android Users With New RatMilad Spyware. Retrieved October 6, 2022, from securityweek.com: https://www.securityweek.com/iranian-hackers-target-enterprise-android-users-new-ratmilad-spyware

[2] B., U. (2022, October 6). New Android Malware Detected: RatMilad Spyware Can Steal Data and Read Conversations. Retrieved October 6, 2022, from techtimes.com: https://www.techtimes.com/articles/281554/20221006/new-android-malware-detected-ratmilad-spyware-can-steal-data-and-read-conversations.htm

[3] Gupta, N. (2022, Octover 5). We Smell A RatMilad Android Spyware. Retrieved October 6, 2022, from blog.zimperium.com: https://blog.zimperium.com/we-smell-a-ratmilad-mobile-spyware/

[4] Mascellino, A. (2022, October 6). Android Spyware ‘RatMilad’ Targets Enterprise Devices in Iran. Retrieved October 6, 2022, from infosecurity-magazine.com: https://www.infosecurity-magazine.com/news/android-spyware-target-enterprise/

[5] Toulas, B. (2022, October 5). New Android malware ‘RatMilad’ can steal your data, record audio. Retrieved October 6, 2022, from BleepingComputer.com: https://www.bleepingcomputer.com/news/security/new-android-malware-ratmilad-can-steal-your-data-record-audio/

[6] WAQAS. (2022, October 6). Iranian Hackers Spreading RatMilad Android Spyware Disguised as VPN App. Retrieved October 6, 2022, from hackread.com: https://www.hackread.com/iranian-hackers-ratmilad-android-spyware-vpn/#:~:text=An%20Iranian%20hacking%20group%20is,used%20is%20dubbed%20%E2%80%9CRatMilad.%E2%80%9D