{
	"id": "89b1f168-b039-4b13-833b-f9358411ba50",
	"created_at": "2026-04-06T03:35:58.200507Z",
	"updated_at": "2026-04-10T03:24:50.28578Z",
	"deleted_at": null,
	"sha1_hash": "06a8cdd02f63adc927f443d64f3c8ba2e05a7c87",
	"title": "We Smell A RatMilad Android Spyware - Zimperium",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4246062,
	"plain_text": "We Smell A RatMilad Android Spyware - Zimperium\r\nBy Nipun Gupta\r\nPublished: 2022-10-05 · Archived: 2026-04-06 03:34:20 UTC\r\nOver the past few years, mobile spyware has gone from being a core tool of government and intelligence-gathering organizations operating in the shadows to a threat accessible to anyone and able to target anyone. As smaller\r\nspyware organizations rise up, using established distribution models to share new and updated code, along with\r\nmalware-as-a-service offerings through the dark web, the barrier to entry for spyware lowers. Recently, the\r\nZimperium zLabs research team discovered spyware targeting Middle Eastern enterprise mobile devices and\r\nbegan monitoring the activity of a novel Android spyware family that we have since named RatMilad.\r\nThe original variant of RatMilad hid behind a VPN and phone number spoofing app called Text Me with the\r\npremise of enabling a user to verify a social media account through a phone, a common technique used by social\r\nmedia users in countries where access might be restricted, or who might want a second, verified account. Armed\r\nwith the information about the spyware, the zLabs team has recently discovered a live sample of the RatMilad\r\nmalware family hiding behind and distributed through NumRent, a renamed and graphically updated version of\r\nText Me.\r\nThe phone spoofing app is distributed through links on social media and communication tools, encouraging users\r\nto sideload the fake toolset and enable significant permissions on the device. But in reality, after the user enables\r\nthe app to access multiple services, the novel RatMilad spyware is installed by sideloading, enabling the malicious\r\nactor behind this instance to collect and control aspects of the mobile endpoint. 
As seen in the demo installation\r\nvideo below, the user is asked to allow almost complete access to the device, with requests to view contacts, phone\r\ncall logs, device location, media and files, as well as send and view SMS messages and phone calls.\r\nInstallation Video: https://drive.google.com/file/d/1ebRwcf7Sv173GUDG2wQPChXg9_q38nAl/view?usp=sharing\r\nA sample of this previously unknown spyware was discovered by Zimperium’s on-device machine-learning\r\nmalware engine. The RatMilad spyware has not been found in any Android app store. Evidence shows the\r\nattackers used Telegram to distribute and encourage the sideloading of the fake app through social engineering.\r\nOnce installed and in control, the attackers could access the camera to take pictures, record video and audio, get\r\nprecise GPS locations, view pictures from the device, and more.\r\nhttps://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware\r\nPage 1 of 27\n\nImage 1: Screenshot of Telegram advertising the malicious application\r\nZimperium zLabs identified the RatMilad spyware sample after a failed infection of a Zimperium zIPS-protected\r\ndevice. 
The zLabs team promptly launched an investigation after identifying the novel code.\r\nNote: At the time of publishing this blog, this instance of the RatMilad campaign was no longer active.\r\nIn this blog, we will:\r\nCover the capabilities of the Android spyware;\r\nDiscuss the techniques used to collect and store data; and\r\nShow the technical breakdown of the spyware code.\r\nWhat are RatMilad Spyware’s capabilities?\r\nThe mobile application poses a threat to Android devices by functioning as an advanced Remote Access Trojan\r\n(RAT) with spyware capabilities that receives and executes commands to collect and exfiltrate a wide variety of\r\ndata and perform a wide range of malicious actions, such as:\r\nMAC Address of Device\r\nContact List\r\nSMS List\r\nCall Logs\r\nAccount Names and Permissions\r\nClipboard Data\r\nGPS Location Data\r\nSIM Information – MobileNumber, Country, IMEI, SimState\r\nFile list\r\nRead, Write, Delete Files\r\nSound Recording\r\nFile upload to C\u0026C\r\nList of the installed applications, along with their permissions.\r\nSet new application permissions.\r\nPhone info – Model, Brand, buildID, Android version, Manufacturer.\r\nSimilar to other mobile spyware we have seen, the data stolen from these devices could be used to access private\r\ncorporate systems, blackmail a victim, and more. The malicious actors could then produce notes on the victim,\r\ndownload any stolen materials, and gather intelligence for other nefarious practices.\r\nHow Does RatMilad Spyware Work?\r\nThe first detected variant of the RatMilad spyware disguised itself inside a VPN application advertising phone\r\nnumber spoofing capabilities. These apps are often used to verify accounts of popular communication and social\r\nmedia apps like WhatsApp and Telegram. 
After installation, the application requests permissions for access to\r\nvarious device settings while also installing the malicious code itself.\r\nImage 2: Screenshot of the fake sideloaded Android application\r\nImage 3: Screenshot of the fake sideloaded Android application\r\nThe most recent and active RatMilad spyware is disguising itself behind a fake app named NumRent, an updated\r\ndesign of the previous TextMe app used to continue distributing the spyware (Images 4 to 9). The malicious actors have\r\nalso developed a product website advertising the app to socially engineer victims into believing it is legitimate\r\n(Image 9).\r\nImage 4: Images of a new live variant of RatMilad.\r\nImage 5: Images of a new live variant of RatMilad.\r\nImage 6: Images of a new live variant of RatMilad.\r\nImage 7: Images of a new live variant of RatMilad.\r\n
Image 8: Images of a new live variant of RatMilad.\r\nImage 9: The website http[://]numrent[.]shop which is used to distribute the malware.\r\nThe sample performs various requests to the C\u0026C based on certain jobID and requestType values.\r\nThe first request is a handshake request:\r\njobID : 0\r\nrequestType : 1\r\njobResult : mac address of the device.\r\nserverURL : http://textme.network:2082/j/\r\nRequest Method : POST\r\nNext it sends various requests to the C\u0026C server with different jobIDs and data, which are the following:\r\njobID : 2\r\nrequestType : 5\r\njobResult : Contact List\r\nserverURL : http://textme.network:2082/j/\r\nRequest Method : POST\r\njobID : 1\r\nrequestType : 5\r\njobResult : SMS List (inbox, sent, draft, outbox, failed, queued, ALL)\r\nserverURL : http://textme.network:2082/j/\r\nRequest Method : POST\r\njobID : 3\r\nrequestType : 5\r\njobResult : Call Logs (Date: %s Number: %s Type: %s Duration: %s)\r\nserverURL : http://textme.network:2082/j/\r\nRequest Method : POST\r\njobID : 20\r\nrequestType : 5\r\njobResult : Recursive Directory listing starting from “/mnt/sdcard/”\r\nserverURL : http://textme.network:2082/j/\r\nRequest Method : POST\r\njobID : 12\r\nrequestType : 5\r\njobResult : AccountManager List (name and type of account)\r\nserverURL : http://textme.network:2082/j/\r\nRequest Method : POST\r\njobID : 22\r\nrequestType : 5\r\njobResult : Clipboard Data\r\nserverURL : http://textme.network:2082/j/\r\nRequest Method : POST\r\njobID : 19\r\nrequestType : 5\r\njobResult : locationManager.getLastKnownLocation\r\nserverURL : http://textme.network:2082/j/\r\nRequest Method : POST\r\nAfter sending all these requests to the server the app dwells and lies in wait indefinitely for tasks to execute on the\r\ndevice. 
The request looks like the following:\r\nrequestType : 2\r\nAppID : randomUUID\r\njobResult : mac address of the device.\r\nThe response consists of a JSON object with a “jobType” field. If jobType is -1 the app exits. If the app does not exit, it\r\nthen performs various other tasks based on the value of jobType.\r\nDepending on the jobType value, the following actions can be performed:\r\nGet SMS List (the JSON should also contain “smsCount”)\r\nGet Contact List\r\nGet Call Log (“logCount”)\r\nGet Sim Info\r\nmobileNumber\r\ncountryISO\r\ncallState\r\nserialNumber\r\nsimOperatorName\r\nIMEI\r\nsimState\r\nPerform “ls” on path (“path”)\r\nDelete File (“path”)\r\nUpload file (“path”)\r\nWrite file (“path”)\r\nSound Recording (“initDelay” and “duration”)\r\nGet Location\r\nGet Accounts\r\nGet Phone info\r\nhashMap0.put(“manufacturer”, Build.MANUFACTURER);\r\nhashMap0.put(“model”, Build.MODEL);\r\nhashMap0.put(“brand”, Build.BRAND);\r\nhashMap0.put(“product”, Build.PRODUCT);\r\nhashMap0.put(“device”, Build.DEVICE);\r\nhashMap0.put(“host”, Build.HOST);\r\nhashMap0.put(“buildID”, Build.ID);\r\nhashMap0.put(“timezone”, TimeZone.getDefault().getDisplayName());\r\nhashMap0.put(“androidVersion”, “0”);\r\nhashMap0.put(“perRequestDelay”, “15”);\r\nhashMap0.put(“jitter”, “5”);\r\nhashMap0.put(“packageName”, this.context.getPackageName());\r\nhashMap0.put(“IMEI”, this.getIMEI());\r\nhashMap0.put(“simInfo”, this.getSimInfo());\r\nhashMap0.put(“mac”, this.getMACAddress(null));\r\nhashMap0.put(“installSource”, Globals.installSource);\r\nhashMap0.put(“refID”, “ww”);\r\nhashMap0.put(“grantedPermissions”, this.getListOfGrantedPermissions());\r\nList recursive file directory (“path”)\r\nRecursively upload all files from path (“path”)\r\nGet List of packages\r\nGet List of Granted permissions to each package\r\nGet permissions granted to app\r\nSet new application permission – Can be used to grant the malicious 
application permissions such as\r\naccessibility services, which are widely used by bankers and other malware.\r\nDelete permission – Adds or deletes permission for this malware in a sharedpreferences list that it keeps\r\nto track those permissions.\r\nFigure 1 : C\u0026C and JobIDs showing what the C\u0026C can request from the device.\r\nFigure 2 : Sending SMS, CallLogs and Contacts to C\u0026C\r\nFigure 3: File read/write\r\nFigure 4: FileDelete\r\nFigure 5: Sound recorder.\r\nFigure 6: Initial data sent to the server. (Handshake and SMS, contacts, call logs, and filetree)\r\nVideo of the requests intercepted using Burp Suite (This can be uploaded after blurring some fields):\r\nhttps://drive.google.com/file/d/1C_M6v9j26g-zZeTlX6PITkuk6DBlASFD/view?usp=sharing\r\nThe app sends the below requests on initialization.\r\nFigure 7: Location request to the server.\r\nFigure 8: Stealing Contacts\r\nFigure 9: Stealing SMS\r\nFigure 10: Stealing the entire directory structure.\r\nThe Victims of the RatMilad Spyware Campaign\r\nThe Zimperium zLabs mobile threat research team detected the failed spyware infection of a customer’s enterprise\r\ndevice, identifying one application delivering the spyware payload. During the investigation into the threat and\r\ndistribution methods, the Telegram channel used to distribute the sample was discovered. 
While inconclusive, the\r\npost had been viewed over 4,700 times with 200+ external shares.\r\nSpyware such as RatMilad is designed to run silently in the background, constantly spying on its victims without\r\nraising suspicion. We believe the malicious actors responsible for RatMilad acquired the code from the AppMilad\r\ngroup and integrated it into a fake app to distribute to unsuspecting victims. The evidence does not point to a\r\ncoordinated campaign against singular targets, instead representing a broader operation. For any device that has\r\nbeen compromised by spyware, the malicious actors behind RatMilad have potentially gathered significant\r\namounts of personal and corporate information on their victims, including private communications and photos.\r\nZimperium vs. RatMilad Spyware\r\nZimperium zIPS customers are protected against RatMilad spyware with our on-device z9 Mobile Threat Defense\r\nmachine learning engine. Zimperium’s on-device determination prevented the infection on the customer’s Android\r\ndevice, keeping both their personal and enterprise data private and secure. At the time of discovery, VirusTotal had\r\nno record of the malware, and traditional signature-based approaches would not have caught this spyware.\r\nTo ensure your Android users are protected from RatMilad spyware, we recommend a quick risk assessment. Any\r\napplication with RatMilad will be flagged as a Suspicious App Threat on the device and in the zConsole. Admins\r\ncan also review which apps are sideloaded onto the device, increasing the mobile attack surface and leaving data\r\nand users at risk.\r\nZimperium vs. 
RatMilad Video:\r\nhttps://drive.google.com/file/d/1XKS1fipsiOVpGifqPjFFE6maQOWY44lY/view?usp=sharing\r\nIndicators of Compromise\r\nApplication Names\r\ncom.example.confirmcode\r\ncom.example.confirmcodf\r\ncom.example.confirmcodg\r\nC\u0026C Servers\r\nhttp[://]textme[.]network\r\napi[.]numrent[.]shop\r\nSHA-256 Hashes\r\nSource: https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://zimperium.com/blog/we-smell-a-ratmilad-mobile-spyware"
	],
	"report_names": [
		"we-smell-a-ratmilad-mobile-spyware"
	],
	"threat_actors": [
		{
			"id": "9c053829-e1ff-4b85-9d4f-f2a9af4bbdd4",
			"created_at": "2023-11-17T02:00:07.613931Z",
			"updated_at": "2026-04-10T02:00:03.460689Z",
			"deleted_at": null,
			"main_name": "AppMilad",
			"aliases": [],
			"source_name": "MISPGALAXY:AppMilad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446558,
	"ts_updated_at": 1775791490,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/06a8cdd02f63adc927f443d64f3c8ba2e05a7c87.pdf",
		"text": "https://archive.orkl.eu/06a8cdd02f63adc927f443d64f3c8ba2e05a7c87.txt",
		"img": "https://archive.orkl.eu/06a8cdd02f63adc927f443d64f3c8ba2e05a7c87.jpg"
	}
}