Rana malware on Android snoops on messaging applications

December 19, 2020
rana malware android spyware messenger applications

The recently submitted malware analysis report of cybersecurity experts tackled the current activity of the state-sponsored hacker group of Iran. Known as APT39 or Chafer, Cadelspy, Remexi, and ITG07, the group was allegedly the back adversary of the Ministry of Intelligence and Security of the country which is registered as RANA Corporation. The group is said to be targeting organizations and individuals inside and outside the country that Iran believed a National Security threat. The spread of intrusion as per submitted evidence shows that it includes journalists, telecom providers, travel services, healthcare facilities, and educational institutions that are known in prominent countries globally. Mainly companies in the United States that have been infected by malware that is linked to the group.

Based on the submitted report, the group has been currently targeting mobile devices, specifically devices that run on the Android system. Their latest malware can infiltrate voice and chat communication on various well-known messaging platforms such as Viber, Skype, Telegram, Instagram, and Talaeii.  Talaeii is a home-based app wherein the latter received security complaints from the Center of Human Rights in Iran (CHRI).


Through an android app that was developed by Rana Corporation, it was allegedly reported that the app was blended with the attacker’s malicious code – optimizer.apk.


The APT group can then perform data exfiltration of devices’ information, contacts, messaging, and auto-answer. The latter allows the adversary to listen to ongoing voice communications, and to hide detection for malicious traffic records, it also features to automatically connect to any available WIFI services.

In a separate report submitted by the Federal Bureau of Investigation (FBI), they have highlighted this current activity targeting android mobile devices. They have also cited some evidence to properly link the APT39 group to the Rana Corporation and the MOIS. Their report also includes Indicators of Compromise (IOC) to provide public warnings and educate them about the ongoing operation of the hacker group. They also advised to immediately report to the nearest FBI office in case such an incident has been encountered by a company or sole victim.

The APT39 group has already received sanction from the United States Department of the Treasury for conviction of malware propaganda that victimized mostly Iranian nationals. According to Executive Order (E.O.) 13553, all enlisted employees have been given sanctions, and U.S. companies have been prohibited from doing business with Rana Corp. The act only shows that the U.S. government is severe with its campaign against the illicit operations of Iran regardless who the target is around the globe that they deemed as a threat to them or the intel can be an edge on strengthening their forces.

About the author

Leave a Reply