
Recording app became malicious and spied on users - voila! technology

2023-05-23T09:53:16.159Z

Highlights: ESET researchers have discovered a trojanized Android application. The app was first published on the Google Play Store as a legitimate app in September 2021. The malicious version is capable of recording audio through the device's microphone and stealing files. The malware added to the clean version of iRecorder is based on AhMyth, an open-source Remote Access Trojan (RAT), modified into a variant that ESET has named "AhRAT".


According to information security company ESET, the malicious app is capable of recording audio through the device's microphone and stealing files, which may indicate that it was part of an espionage campaign.


Malicious app (Photo: ShutterStock)

ESET researchers have discovered a trojanized Android application called "iRecorder - Screen Recorder". The app was first published on the Google Play Store as a legitimate app in September 2021, and the malicious functionality was most likely added in an update in August 2022. According to ESET, over its lifetime the app was installed on more than 50,000 devices.

The malware added to the clean version of iRecorder is based on AhMyth, an open-source Remote Access Trojan (RAT), which was modified into a variant that ESET has named "AhRAT". The malicious app is capable of recording audio through the device's microphone and stealing files, which may indicate that it was part of an espionage campaign.

ESET's research team did not detect AhRAT anywhere other than the Google Play Store. However, this is not the first time AhMyth-based Android malware has been available for download on the official store; ESET published an analysis of such a trojanized application in 2019. The spyware in that case, also built on AhMyth, bypassed Google's app verification process twice and remained on the store disguised as a radio streaming app. The iRecorder app can still be found in alternative and unofficial app stores, and the developer still offers other apps for download on the Play Store, but these do not contain malicious code.

"The research on the AhRAT case serves as an excellent example of how an app that starts out as legitimate can become malicious, even after a few months, thus spying on its users and compromising their privacy. It is possible that the software developer intended to build a large user base before infecting their Android devices with the update, or that a malicious actor created this change in the app, but so far we have no evidence to support either of these two hypotheses," explains ESET researcher Lukas Stefanko, who discovered and investigated the threat.

AhRAT is a custom variant of the remote access Trojan (RAT) known as AhMyth, indicating that its developers put considerable effort into understanding the code of the app and its backend in order to adapt it to their needs.

Apart from providing the legitimate screen recording option, the malicious iRecorder app could record ambient audio from the device's microphone and upload the recordings to the attacker's command and control server. It could also leak files stored on the device with extensions representing web pages, images, audio, videos, and various formats used to compress data.

iRecorder - Screen Recorder app (Photo: ESET)

Android users who installed an early version of iRecorder (earlier than 1.3.8), which did not include any malicious features, unknowingly exposed their devices to AhRAT when they updated the app manually or automatically; the update did not even require them to grant the app any additional permissions.

"Fortunately, preventive measures against such malicious actions have already been implemented in Android versions 11 and above, with the main measure being App Hibernation. This option puts apps that haven't been running for several months to sleep, resetting their running permissions and preventing malicious apps from doing what they were designed to do. The malicious application was removed from the Play Store following our alert, proving that the need for multi-layered security, such as ESET Mobile Security, is still an essential part of protecting devices from potential security breaches," concludes Stefanko.

ESET's research team has yet to find any solid evidence linking this activity to a specific campaign or attack group (APT).


Source: walla
