IRATA is an Android remote access Trojan and banking malware family targeting victims in Iran. It is distributed via SMS phishing campaigns that impersonate government services or other trusted entities and lure users into downloading a malicious APK; earlier observed variants also impersonated an Arabic-language stock market app, and later versions were reported impersonating official Iranian organizations. The malware steals SMS messages, credit card and banking-related data, contacts, and device information, and can intercept SMS-based two-factor authentication codes. It also turns infected devices into bots that propagate additional phishing SMS to other potential victims.
Observed capabilities include reading, receiving, and sending SMS; collecting contacts; gathering device and SIM identifiers such as device ID, SIM serial number, line number, and subscriber ID; monitoring phone and device events including screen state, shutdown, battery state, airplane mode, and package installation/removal; altering ringer mode and volume via commands such as vibrate, silent, and normal; and hiding its app icon for persistence. The malware registers components to handle BOOT_COMPLETED and SMS_RECEIVED, and can observe outgoing SMS activity via content://sms. Reported command support includes ping, pingone, SendSingleMessage, getdevicefullinfo, hideicon, showhideicon, testphone, getsms, and getcontact.
IRATA uses Firebase Cloud Messaging as a command-and-control channel. Stolen SMS data is written to AllSms.txt and uploaded to remote infrastructure, while stolen contacts are written to Contacts.txt and similarly exfiltrated. Reported infrastructure includes usenlghusk.gq with paths /USK/rat.php and /USK/upload.php. The APK was reported to request permissions including INTERNET, READ_SMS, RECEIVE_SMS, SEND_SMS, READ_CONTACTS, RECEIVE_BOOT_COMPLETED, and com.google.android.c2dm.permission.RECEIVE, and to define the package-specific permission ir.shz.shzkisi.permission.C2D_MESSAGE. A reported sample MD5 is ce41d55ee66d509e1e2043d9e238f65a.
Additional reporting states that IRATA has been observed targeting more than 50 banking and cryptocurrency apps and abusing Android accessibility services to steal bank account numbers, balances, and card data.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
11 distinct techniques documented for this family, organized by ATT&CK tactic.
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Remote access trojan that impersonates Iranian government entities and targets banking and cryptocurrency applications to steal financial data.
Android malware delivered via SMS phishing that steals SMS messages, credit card data, contacts, device information, and 2FA codes; uses Firebase Cloud Messaging for command-and-control; can send phishing SMS to contacts, hide its icon, and manipulate phone settings for persistence and control.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.