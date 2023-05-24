



An app with more than 50,000 downloads from Google Play secretly recorded the surrounding sounds every 15 minutes and sent them to the app developer, according to researchers at security firm ESET.

In a post published on Tuesday, ESET researcher Lucas Stefanko said the app, titled “iRecorder Screen Recorder,” was first offered on Google Play in September 2021 as a harmless app that let users record the screen of their Android device. Eleven months later, the legitimate app was updated with completely new functionality: the ability to remotely turn on the device’s microphone and record audio, connect to attacker-controlled servers, and upload the audio along with other sensitive files stored on the device.

Secretly recording every 15 minutes

The covert spy feature was implemented using code from AhMyth, an open-source RAT (remote access trojan) that has been built into several other Android apps in recent years. Once the RAT was added to iRecorder, every user of the previously harmless app who received the update had the audio around their phone recorded and sent over an encrypted channel to a server specified by the developer. Over time, the code taken from AhMyth was modified significantly, which shows that the developer had become proficient with the open-source RAT. ESET has named the modified RAT found in iRecorder AhRat.

Stefanko installed the app on lab devices repeatedly, with the same result each time. The app received an instruction to record one minute of audio and send it to the attacker’s command-and-control server, known colloquially in security circles as a C&C or C2. From then on, the app received the same instruction every 15 minutes, indefinitely. In an email, he wrote:

During my analysis, AhRat was able to actively exfiltrate data and record the microphone (I deleted and reinstalled the app several times, but the app always behaved the same).

Data exfiltration is enabled based on the commands in [a] config file returned from [the] C&C. During my analysis the config file always returned the command to record audio. In short, [it] turned on the mic to capture the audio and send it to the C2.

In my case this always happened because the command received in my config file contained that condition. Configurations were received every 15 minutes and the recording period was set to 1 minute. During my analysis, my device was constantly receiving commands to record microphone audio and send it to the C2. I stopped the malware after this had happened 3-4 times.

Malware infiltrating apps available on Google servers is nothing new. Google has typically declined to comment on the discovery of malware on its platform, other than to thank the outside researchers who found it and to say that it removes malware as soon as it becomes aware of it. The company has not explained why its own researchers and automated scanning process miss malicious apps that outsiders go on to discover. Google has also been reluctant to proactively notify Play users once it learns they were infected by an app promoted and made available through its own service.

What is more unusual in this case is finding a malicious app actively recording such a wide range of victims and sending the audio to the attackers. Stefanko said it is possible that iRecorder is part of an active espionage campaign, but it is too early to tell whether that is the case.

“Unfortunately, we don’t have any evidence that the app was pushed to a specific group of people, and from the app description and further research (potential distribution vectors of the app) it is not clear whether a specific group of people was targeted or not,” he writes. “It seems highly unusual, but we don’t have evidence to say otherwise.”

RATs give attackers covert backdoors into infected devices, allowing them to install or uninstall apps, steal contacts, messages and user data, and monitor the device in real time. AhRat is not the first Android RAT built on AhMyth’s open-source code. In 2019, Stefanko reported finding an AhMyth-based RAT in Radio Baloosh, a fully functional streaming radio app for fans of Baloch music from southeastern Iran. That app’s install base was far smaller, at just over 100 Google Play users.

A prolific threat group active since at least 2013 has also used AhMyth to backdoor Android apps targeting Indian military and government officials. For that group, tracked by researchers under the names Transparent Tribe, APT36, Mythic Leopard, ProjectM, and Operation C-Major, there is no indication that the apps spread through Google Play, and the infection vector remains unknown.

