Skip to content
Malware family

Irata

IRATA is an Android remote access Trojan and banking malware family targeting victims in Iran.

Profile source: Mallory opens in a new tab

Irata

Family profile

IRATA is an Android remote access Trojan and banking malware family targeting victims in Iran. It is distributed via SMS phishing campaigns that impersonate government services or other trusted entities and lure users into downloading a malicious APK; earlier observed variants also impersonated an Arabic-language stock market app, and later versions were reported impersonating official Iranian organizations. The malware steals SMS messages, credit card and banking-related data, contacts, and device information, and can intercept SMS-based two-factor authentication codes. It also turns infected devices into bots that propagate additional phishing SMS to other potential victims.

Observed capabilities include reading, receiving, and sending SMS; collecting contacts; gathering device and SIM identifiers such as device ID, SIM serial number, line number, and subscriber ID; monitoring phone and device events including screen state, shutdown, battery state, airplane mode, and package installation/removal; altering ringer mode and volume via commands such as vibrate, silent, and normal; and hiding its app icon for persistence. The malware registers components to handle BOOT_COMPLETED and SMS_RECEIVED, and can observe outgoing SMS activity via content://sms. Reported command support includes ping, pingone, SendSingleMessage, getdevicefullinfo, hideicon, showhideicon, testphone, getsms, and getcontact.

IRATA uses Firebase Cloud Messaging as a command-and-control channel. Stolen SMS data is written to AllSms.txt and uploaded to remote infrastructure, while stolen contacts are written to Contacts.txt and similarly exfiltrated. Reported infrastructure includes usenlghusk.gq with paths /USK/rat.php and /USK/upload.php. The APK was reported to request permissions including INTERNET, READ_SMS, RECEIVE_SMS, SEND_SMS, READ_CONTACTS, RECEIVE_BOOT_COMPLETED, and com.google.android.c2dm.permission.RECEIVE, and to define the package-specific permission ir.shz.shzkisi.permission.C2D_MESSAGE. A reported sample MD5 is ce41d55ee66d509e1e2043d9e238f65a.

Additional reporting states that IRATA has been observed targeting more than 50 banking and cryptocurrency apps and abusing Android accessibility services to steal bank account numbers, balances, and card data.

Observed infrastructure

Last seven days

First activity
Jul 13, 2026
Last activity
Jul 15, 2026
Feed role
Distribution
Host form
0 IP / 2 hostnames

Samples

Recent associated samples

MITRE ATT&CK

Irata in ATT&CK

11 distinct techniques

Reporting

Research mentioning Irata

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.