Last seven days
- First activity
- Jul 13, 2026
- Last activity
- Jul 15, 2026
- Feed role
- Distribution
- Host form
- 0 IP / 2 hostnames
IRATA is an Android remote access Trojan and banking malware family targeting victims in Iran.
Profile source: Mallory opens in a new tabIrata
IRATA is an Android remote access Trojan and banking malware family targeting victims in Iran. It is distributed via SMS phishing campaigns that impersonate government services or other trusted entities and lure users into downloading a malicious APK; earlier observed variants also impersonated an Arabic-language stock market app, and later versions were reported impersonating official Iranian organizations. The malware steals SMS messages, credit card and banking-related data, contacts, and device information, and can intercept SMS-based two-factor authentication codes. It also turns infected devices into bots that propagate additional phishing SMS to other potential victims.
Observed capabilities include reading, receiving, and sending SMS; collecting contacts; gathering device and SIM identifiers such as device ID, SIM serial number, line number, and subscriber ID; monitoring phone and device events including screen state, shutdown, battery state, airplane mode, and package installation/removal; altering ringer mode and volume via commands such as vibrate, silent, and normal; and hiding its app icon for persistence. The malware registers components to handle BOOT_COMPLETED and SMS_RECEIVED, and can observe outgoing SMS activity via content://sms. Reported command support includes ping, pingone, SendSingleMessage, getdevicefullinfo, hideicon, showhideicon, testphone, getsms, and getcontact.
IRATA uses Firebase Cloud Messaging as a command-and-control channel. Stolen SMS data is written to AllSms.txt and uploaded to remote infrastructure, while stolen contacts are written to Contacts.txt and similarly exfiltrated. Reported infrastructure includes usenlghusk.gq with paths /USK/rat.php and /USK/upload.php. The APK was reported to request permissions including INTERNET, READ_SMS, RECEIVE_SMS, SEND_SMS, READ_CONTACTS, RECEIVE_BOOT_COMPLETED, and com.google.android.c2dm.permission.RECEIVE, and to define the package-specific permission ir.shz.shzkisi.permission.C2D_MESSAGE. A reported sample MD5 is ce41d55ee66d509e1e2043d9e238f65a.
Additional reporting states that IRATA has been observed targeting more than 50 banking and cryptocurrency apps and abusing Android accessibility services to steal bank account numbers, balances, and card data.
Samples
MITRE ATT&CK
Reporting
The firm said it's also seen versions of the Iranian remote access Trojan, aka Irata, which security researchers first spotted in 2022 - when it was impersonating an Arabic-language stock market app - that have been tweaked to ape official Iranian organizations.
In this blog, we will talk about IRATA. IRATA comes from a phishing attack to Iran. The victim receives a legitimate-looking SMS with a link to a phishing page that is impersonating government services, and lures them to download a malicious Android application... The malicious application not only collects the victim’s credit card numbers, but also gains access to their 2FA authentication SMS, and turn the victim’s device into a bot capable of spreading similar phishing SMS to other potential victims.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.