A new piece of spyware, hiding within downloadable Android apps, is targeting Middle Eastern smartphone users and can steal their contact lists, see their location data, and read files on their devices.
The so-called RatMilad spyware, discovered by mobile security provider Zimperium, was originally hidden in an app called Text Me, which was supposedly a virtual private network and phone number spoofing tool, Zimperium said in a blog post. Such apps are commonly used by social media users in countries where access is restricted, the company said.
RatMilad isn’t distributed through Google Play; instead it is spread through links posted in social media and in communication apps, Zimperium said. The malware can perform a wide range of spying functions, such as accessing the victim’s contact list and call logs and reading the phone’s SIM card information.
“Over the past few years, mobile spyware has gone from being a core tool of government and intelligence-gathering organizations operating in the shadows to a threat accessible by everyone to target anyone,” Zimperium researchers wrote. “As smaller spyware organizations rise up, using established distribution models to share new and updated code, along with malware as a service offering through the dark web, the barrier of entry for spyware lowers.”
That the spyware is being distributed through communications apps isn’t surprising, said Dale Waterman, the managing director for the Middle East at Breakwater Solutions, a cybersecurity consulting provider.
“Cybercriminals are using trusted platforms like Telegram and WhatsApp to distribute download links to the spyware because they recognize that many governments in the region do not permit the call functionality of apps like WhatsApp,” he said. “If you consider the number of expats living and working across the Middle East, with many away from immediate family and loved ones, then it becomes obvious why bad actors would use a VPN scam to socially engineer access to devices.”
In addition, many Middle Eastern countries are still catching up to stronger privacy laws such as Europe’s General Data Protection Regulation, he added. “Consumers in the region are therefore completely de-sensitized to being constantly bombarded with unsolicited marketing and offers,” Waterman said. “This reduces the likelihood of consumers questioning the origin of the messages.”
Several cybersecurity experts warned smartphone users against installing apps obtained outside official app stores.
Google and Apple both put apps through comprehensive security checks before allowing them on their app stores, noted Petko Stoyanov, the global chief technology officer at cybersecurity provider Forcepoint. While some malware sneaks through, the app stores offer smartphone users a safer experience, he said.
“Smartphone users should only download applications with a significant number of reviews and stars,” he advised. “No one wants to be patient zero, and you should not download any apps with no reviews.”
In addition, smartphone users should pay attention to which permissions are needed by the apps they install, Stoyanov added. “If a simple calculator app is asking for read/write permission to your photos, it might be more than a calculator,” he said.
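The two checks recommended above (only install from an official store, and look at what an app asks for) can be automated for a phone you can attach to a workstation. The script below is an added example written for this article; it is not Zimperium’s tooling or code from any of the experts quoted. It parses the output of two real adb commands, `adb shell pm list packages -3 -i` (third-party packages with their installer) and `adb shell dumpsys package <pkg>` (whose “requested permissions:” section lists what the app asked for), and flags packages that were not installed from Google Play yet request the permissions behind the capabilities described above (contacts, call logs, SIM/phone state, location, files). The sample adb output embedded here is constructed for the example, and the list of permissions to treat as suspicious is an assumption derived from the article, not a Zimperium indicator list.

```python
"""Added example: flag sideloaded Android apps that request spyware-grade
permissions, from the text of `pm list packages -3 -i` and `dumpsys package`."""
import re

PLAY_STORE_INSTALLER = "com.android.vending"

# Assumption: permissions that map to the spying capabilities the article
# describes (contacts, call logs, SIM info, location, files, microphone).
SPYWARE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_PHONE_STATE": "SIM / phone identifiers",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "files on the device",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed sample of `adb shell pm list packages -3 -i`.
# installer=null means the package was sideloaded (no store installed it).
SAMPLE_PACKAGE_LIST = """\
package:com.example.notes  installer=com.android.vending
package:com.example.textme  installer=null
package:com.example.calc  installer=null
"""

# Constructed samples of `adb shell dumpsys package <pkg>`, trimmed to the
# sections that matter; keyed by package name.
SAMPLE_DUMPSYS = {
    "com.example.notes": """\
  Package [com.example.notes] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.textme": """\
  Package [com.example.textme] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_CALL_LOG
      android.permission.READ_PHONE_STATE
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.calc": """\
  Package [com.example.calc] (7a8b9c):
    requested permissions:
      android.permission.INTERNET
""",
}

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(listing: str) -> dict:
    """Map package name -> installer string ('null' when sideloaded)."""
    result = {}
    for line in listing.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_requested_permissions(dumpsys: str) -> set:
    """Collect the names listed under 'requested permissions:'; the section
    ends at the next line indented no deeper than the header."""
    perms, in_section, header_indent = set(), False, 0
    for line in dumpsys.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "requested permissions:":
            in_section, header_indent = True, indent
            continue
        if in_section:
            if not stripped or indent <= header_indent:
                in_section = False
                continue
            perms.add(stripped)
    return perms


def triage(listing: str, dumpsys_by_pkg: dict) -> list:
    """Return (package, installer, capabilities) for every package that did
    not come from Google Play and requests a spyware-relevant permission."""
    findings = []
    for pkg, installer in parse_installers(listing).items():
        if installer == PLAY_STORE_INSTALLER:
            continue
        requested = parse_requested_permissions(dumpsys_by_pkg.get(pkg, ""))
        caps = sorted(SPYWARE_PERMISSIONS[p] for p in requested
                      if p in SPYWARE_PERMISSIONS)
        if caps:
            findings.append((pkg, installer, caps))
    return findings


if __name__ == "__main__":
    for pkg, installer, caps in triage(SAMPLE_PACKAGE_LIST, SAMPLE_DUMPSYS):
        print(f"{pkg} (installer={installer}) can reach: {', '.join(caps)}")
```

On a real device you would feed the script the live command output rather than the constructed samples; the notes app is skipped because Google Play installed it, the calculator is sideloaded but asks only for network access, and only the fake messaging/VPN app is reported. Treat a hit as a reason to investigate, not as proof of infection: legitimate sideloaded apps can request these permissions too.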
Other cybersecurity experts agreed that smartphone users should not download apps outside of official app stores. “Using third-party app stores is risky, and sideloading apps found in random Telegram comments is generally asking for trouble,” said Joe Stewart, the principal security researcher at eSentire, a cybersecurity provider.
While it’s unclear who is distributing RatMilad, it looks like a government spying operation, Stewart said. The spyware was discovered in an enterprise environment, but corporate users aren’t typically looking for VPN and phone number spoofing apps, he noted.
“Given the targeting and capabilities of the malware, my guess would be that this malware is being used by the Iranian government to spy on dissidents and protesters,” Stewart said. “The wider distribution of the malicious app over Telegram channels instead of spearphishing, which is more typical for state-sponsored targeting, could be due to the mass protests happening in Iran currently.”