Connect with us

Hi, what are you looking for?



Iranian Hackers Target Enterprise Android Users With New RatMilad Spyware

Zimperium is warning of an Iranian hacking group using a new piece of Android spyware in a broad campaign that has also targeted enterprise users.

Zimperium is warning of an Iranian hacking group using a new piece of Android spyware in a broad campaign that has also targeted enterprise users.

Dubbed RatMilad, the threat can perform a variety of malicious actions once installed on a victim’s device, including manipulating files, recording audio, and modifying application permissions.

The first spyware sample that Zimperium observed was using the VPN and phone number spoofing app Text Me to hide itself. The mobile security firm also identified a live RatMilad sample distributed through NumRent, a variant of Text Me.

According to Zimperium, an Iran-based hacker group named AppMilad is distributing the phone spoofing app through links on social media and various messaging services, luring intended victims into sideloading it on their devices.

“The malicious actors have also developed a product website advertising the app to socially engineer victims into believing it is legitimate,” Zimperium says.

Once the application has been installed and the user has granted it permissions to access enough services, the RatMilad spyware is sideloaded on the device and starts collecting information.

The broad range of permissions the malware asks for allow it to access device data (including MAC address and precise location) and user information (such as contacts, phone calls, SMS messages, and media and files).

Furthermore, the attackers can access the device’s camera and microphone to record video and audio and take pictures.

Advertisement. Scroll to continue reading.

Zimperium says it has identified a Telegram channel that the attackers have used to distribute the malware, and that the post linking to the malicious app had over 4,700 views and was shared more than 200 times. However, those numbers are not conclusive to the extent of RatMilad infections.

“Though this is not like other widespread attacks we have seen in the news, the RatMilad spyware and the Iranian-based hacker group AppMilad represent a changing environment impacting mobile device security,” Zimperium director of mobile threat intelligence Richard Melick said.

Related: Sophisticated Android Spyware ‘Hermit’ Used by Governments

Related: Leaked Docs Show Spyware Firm Offering iOS, Android Hacking Services for $8 Million

Related: Apple, Android Phones Targeted by Italian Spyware: Google

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.