S1241: RatMilad
RatMilad is an Android remote access tool (RAT) with spyware functionality that has been used to target enterprise mobile devices in the Middle East since at least 2021. Variants of RatMilad have been disguised as VPN applications and a fake app named NumRent. Upon installation, RatMilad employs multiple Collection techniques to collect sensitive information before uploading the collected data to its command and control (C2) server. [1]
Analyst context for executives and security teams
RatMilad matters because it turns an Android phone into a potential enterprise data-collection point. The ATT&CK entry describes an Android RAT with spyware functionality, disguised in variants as VPN applications and a fake NumRent app, that collects sensitive information and uploads it to C2. For leaders, the issue is not only malware on a handset; it is whether unmanaged or over-permissioned mobile devices can expose contacts, SMS, call logs, accounts, location, audio/video, local files, and network context used in business operations.
Executive priority
Prioritize this as a mobile security, identity, and incident-readiness problem. Executives should ask whether enterprise Android devices are enrolled, inventoried, restricted to trusted app sources, and monitored for risky permissions, dynamic code loading, and suspicious web-protocol C2. The relationship set also includes exfiltration over C2 and data destruction, so IR plans should cover both confidentiality loss and device-level availability or evidence-preservation decisions. Compliance and audit teams should confirm they can produce evidence of mobile app control, permission governance, and response actions for suspected spyware on corporate or BYOD Android devices.
Technical view
ATT&CK provides no official detection text for RatMilad, so defensive validation should be behavior-led. For Android devices, confirm visibility into app installation events, app identity and source, requested and granted permissions, runtime code download behavior, access to contacts/SMS/call logs/accounts/location/microphone/camera/clipboard/local files, and outbound HTTP/HTTPS communications consistent with C2 or exfiltration. Relationship context maps RatMilad to discovery, collection, C2 over web protocols, exfiltration over C2, phishing, and data destruction techniques. SOC and IR teams should test whether mobile telemetry can connect these behaviors into one case rather than treating them as isolated permission or network alerts.
Likely telemetry
- MDM/UEM inventory for Android device enrollment, app inventory, installation source, package metadata, and compliance posture
- Mobile threat defense or mobile EDR alerts for spyware-like behavior, dynamic code loading, suspicious app reputation, and abnormal permission use
- Android permission grant history for microphone, camera, location, contacts, SMS, call logs, accounts, clipboard access, storage, and background location where available
- Network, DNS, proxy, secure web gateway, or mobile VPN logs showing unusual HTTP/HTTPS destinations, repeated beaconing, or uploads from mobile devices
- File, media, and local storage access events where the mobile security stack can provide them
Detection direction
- Do not rely on a single RatMilad signature; ATT&CK does not provide official detection logic here. Validate coverage across the mapped behaviors: fake or unexpected VPN-style apps, broad sensitive permissions, dynamic code download, discovery of installed software/files/network/system data, collection APIs, and outbound web-protocol traffic.
- Tune for permission combinations that are unusual for the app’s business purpose, especially when contacts, SMS, call logs, accounts, location, microphone, camera, clipboard, and storage access appear together with external communications.
- Review legitimate false-positive sources such as approved VPNs, device management agents, backup tools, collaboration apps, and security apps that may request broad permissions or communicate frequently over HTTPS.
- Prioritize correlation: app install plus sensitive permission grants plus collection activity plus suspicious outbound traffic is more useful than any single event.
- Identify blind spots explicitly: unmanaged BYOD, disabled mobile logging, lack of app-source visibility, encrypted web traffic without destination context, and OS privacy limits may prevent confident detection.
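The correlation the list above calls for, written out as an added example (it is not part of the ATT&CK object or of the cited Zimperium report): each (device, package) pair is scored on install source, breadth of sensitive permissions, a mobile threat defense alert for dynamic code loading, and beacon-like HTTP POST traffic, and a case is opened only when several independent signals agree. The event schema, package names, hosts, thresholds and allowlist are constructed for illustration; a real deployment would map them onto MDM, MTD and proxy exports.

```python
"""Correlate Android telemetry into one RatMilad-style spyware case.

Added example for this page; it is not MITRE's or Zimperium's code. The event
schema, package names, hosts, thresholds and allowlist are all constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Android permission -> ATT&CK Mobile technique from the table on this page.
SENSITIVE = {
    "READ_CONTACTS": "T1636.003", "READ_SMS": "T1636.004",
    "READ_CALL_LOG": "T1636.002", "GET_ACCOUNTS": "T1636.005",
    "ACCESS_FINE_LOCATION": "T1430", "RECORD_AUDIO": "T1429",
    "CAMERA": "T1512", "READ_EXTERNAL_STORAGE": "T1533",
}
MIN_SENSITIVE = 4                      # constructed: "broad" permission set
MIN_SIGNALS = 3                        # constructed: signals needed for a case
ALLOWLIST = {"com.example.corp.vpn"}   # approved VPN/MDM agents (constructed)
TRUSTED_SOURCES = {"play", "mdm"}

# Constructed telemetry (t = seconds). d1: fake NumRent-style app; d2: approved
# VPN with broad permissions and frequent HTTPS; d3: chat app with nothing else.
EVENTS = [
    {"t": 0, "dev": "d1", "kind": "install", "pkg": "com.fake.numrent", "source": "sideload"},
    *[{"t": 5, "dev": "d1", "kind": "perm", "pkg": "com.fake.numrent", "perm": p}
      for p in ("READ_CONTACTS", "READ_SMS", "READ_CALL_LOG", "GET_ACCOUNTS",
                "ACCESS_FINE_LOCATION", "RECORD_AUDIO", "CAMERA")],
    {"t": 20, "dev": "d1", "kind": "mtd", "pkg": "com.fake.numrent", "alert": "dynamic_code_load"},
    *[{"t": 60 + 60 * i, "dev": "d1", "kind": "http", "pkg": "com.fake.numrent",
       "method": "POST", "host": "198.51.100.7", "bytes": 40960} for i in range(5)],
    {"t": 0, "dev": "d2", "kind": "install", "pkg": "com.example.corp.vpn", "source": "mdm"},
    *[{"t": 1, "dev": "d2", "kind": "perm", "pkg": "com.example.corp.vpn", "perm": p}
      for p in ("ACCESS_FINE_LOCATION", "READ_EXTERNAL_STORAGE", "CAMERA", "GET_ACCOUNTS")],
    *[{"t": 30 * i, "dev": "d2", "kind": "http", "pkg": "com.example.corp.vpn",
       "method": "POST", "host": "vpn.example.com", "bytes": 512} for i in range(6)],
    {"t": 0, "dev": "d3", "kind": "install", "pkg": "com.example.chat", "source": "play"},
    *[{"t": 2, "dev": "d3", "kind": "perm", "pkg": "com.example.chat", "perm": p}
      for p in ("READ_CONTACTS", "CAMERA", "RECORD_AUDIO", "READ_EXTERNAL_STORAGE")],
    {"t": 90, "dev": "d3", "kind": "http", "pkg": "com.example.chat", "method": "POST",
     "host": "api.example.com", "bytes": 2048},
]


def is_beaconing(times, min_count=4, max_jitter=0.2):
    """True when outbound requests arrive at near-regular intervals."""
    if len(times) < min_count:
        return False
    ordered = sorted(times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter


def build_cases(events):
    """Group events per (device, package); open a case when enough independent
    signals line up. Returns a list of case dicts."""
    per_app = defaultdict(lambda: {"source": None, "perms": set(), "mtd": [],
                                   "post_times": [], "post_hosts": set(), "bytes": 0})
    for e in events:
        a = per_app[(e["dev"], e["pkg"])]
        if e["kind"] == "install":
            a["source"] = e["source"]
        elif e["kind"] == "perm":
            a["perms"].add(e["perm"])
        elif e["kind"] == "mtd":
            a["mtd"].append(e["alert"])
        elif e["kind"] == "http" and e["method"] == "POST":
            a["post_times"].append(e["t"])
            a["post_hosts"].add(e["host"])
            a["bytes"] += e["bytes"]

    cases = []
    for (dev, pkg), a in sorted(per_app.items()):
        if pkg in ALLOWLIST:          # approved agents: inventory them, do not alert
            continue
        signals, techniques = [], set()
        sensitive = {p: SENSITIVE[p] for p in a["perms"] if p in SENSITIVE}
        if a["source"] and a["source"] not in TRUSTED_SOURCES:
            signals.append(f"install from untrusted source '{a['source']}'")
        if len(sensitive) >= MIN_SENSITIVE:
            signals.append(f"{len(sensitive)} sensitive permissions granted")
            techniques.update(sensitive.values())
        if "dynamic_code_load" in a["mtd"]:
            signals.append("MTD: dynamic code loading")
            techniques.add("T1407")
        if is_beaconing(a["post_times"]):
            signals.append(f"beacon-like HTTP POST to {sorted(a['post_hosts'])}, {a['bytes']} bytes")
            techniques.update({"T1437.001", "T1646"})
        if len(signals) >= MIN_SIGNALS:
            cases.append({"device": dev, "package": pkg,
                          "signals": signals, "techniques": sorted(techniques)})
    return cases


if __name__ == "__main__":
    for case in build_cases(EVENTS):
        print(case)
```

Run as written, only the sideloaded app on d1 produces a case, with all four signals and the mapped technique IDs attached for the analyst. The approved VPN on d2 beacons and holds broad permissions but is suppressed by the allowlist, and the chat app on d3 holds four sensitive permissions yet never reaches the signal threshold, which is the false-positive discipline the bullets above describe. The regularity test in `is_beaconing` is deliberately simple (coefficient of variation of inter-request gaps); production jitter tolerances need tuning against the organization's own proxy data.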
Mitigation priorities
- Start with mobile asset and ownership clarity: know which Android devices access enterprise data and whether they are corporate-managed or BYOD.
- Use MDM/UEM controls to restrict untrusted app installation and enforce trusted app sources where policy allows, with extra scrutiny for VPN-themed or business-utility apps.
- Apply least-privilege permission governance: challenge apps that request contacts, SMS, call logs, accounts, location, microphone, camera, clipboard, or storage without a clear business need.
- Use mobile threat defense and network controls to monitor risky apps, dynamic code loading indicators, and suspicious outbound web-protocol destinations from mobile devices.
- Prepare IR playbooks for suspected mobile spyware: isolate enterprise access, preserve evidence where feasible, review exposed accounts/data, rotate credentials when warranted by evidence, and decide whether device wipe/rebuild is required.
Analyst notes and limits
This take is based on the supplied MITRE ATT&CK S1241 object and its stated relationships. RatMilad is described as Android malware used to target enterprise mobile devices in the Middle East since at least 2021, with variants disguised as VPN applications and NumRent. The mapped techniques emphasize collection, discovery, web-protocol C2, exfiltration over C2, phishing, and data destruction. For Glexia services, the key validation question is whether mobile controls can prove coverage across app provenance, permissions, collection behavior, and network egress.
Official detection guidance was not provided, tactics were not specified in the supplied object fields, and no package names, hashes, C2 indicators, or customer-specific exposure data were supplied. Local device management, mobile threat telemetry, network logs, and forensic evidence are required before asserting infection, impact, or detection coverage.
RatMilad
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1636.002 | Protected User Data: Call Log | RatMilad has accessed the device's call log. [1] |
| Mobile | T1636.005 | Protected User Data: Accounts | RatMilad has collected account names and their types from the compromised device. [1] |
| Mobile | T1418 | Software Discovery | RatMilad has collected package names. [1] |
| Mobile | T1660 | Phishing | RatMilad has concealed itself behind variants of a phone number spoofing application, which was distributed through links on social media and communication platforms. [1] |
| Mobile | T1636.003 | Protected User Data: Contact List | RatMilad has accessed the device's contact list. [1] |
| Mobile | T1437.001 | Application Layer Protocol: Web Protocols | RatMilad has used HTTP POST requests for communicating with its C2 server. [1] |
| Mobile | T1414 | Clipboard Data | RatMilad has collected clipboard content. [1] |
| Mobile | T1533 | Data from Local System | RatMilad has listed files and pictures on the device starting from `/mnt/sdcard/`. [1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | RatMilad has exfiltrated collected data to the C2. [1] |
| Mobile | T1407 | Download New Code at Runtime | RatMilad has used a fake application to request permissions and to download itself. [1] |
| Mobile | T1430 | Location Tracking | RatMilad has collected the device's last known location. [1] |
| Mobile | T1426 | System Information Discovery | RatMilad has collected device information such as model, brand, buildId, Android version and manufacturer. [1] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | RatMilad has accessed the device's SMS messages, including messages that were in the inbox, sent, draft, outbox, failed, and queued. [1] |
| Mobile | T1512 | Video Capture | RatMilad has taken photos and videos using the device's camera. [1] |
| Mobile | T1662 | Data Destruction | RatMilad has deleted files on the device. [1] |
| Mobile | T1429 | Audio Capture | RatMilad has captured audio from the device. [1] |
| Mobile | T1422 | System Network Configuration Discovery | RatMilad has collected device information such as MAC address, IMEI and phone number. [1] |
| Mobile | T1420 | File and Directory Discovery | RatMilad has listed files and pictures on the device starting from `/mnt/sdcard/`. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases by object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 3eab7266247c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ZimperiumGupta_RatMilad_Oct2022: Gupta, N. (2022, October 5). We Smell A RatMilad Android Spyware. Zimperium. Retrieved August 27, 2025.
[2] MITRE ATT&CK. S1241: RatMilad (mitre-attack source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.