iRecorder – Screen Recorder gave off the impression that it was a risk-free app for capturing screen activity when it was first released in September 2021, and it went on to boast over 50,000 installations. However, the most recent investigation carried out by ESET has uncovered harmful code inside the app's latest update, which was released as version 1.3.8 in August 2022. The remote access tool (RAT), given the name AhRat by ESET's researchers, has the capability to exfiltrate files with certain extensions as well as microphone recordings, and to upload them to the attacker's command and control (C2) server.

It is probable that the harmful code was included when the program was upgraded to version 1.3.8 in August 2022 and that update was made accessible to users. However, Android users who had installed an earlier version of iRecorder (prior to version 1.3.8), which did not contain any malicious features, would have unknowingly exposed their devices to AhRat if they subsequently updated the app, either manually or automatically. This was the case even if they did not grant any further app permission approval. Following receipt of information from ESET, the security team at Google Play swiftly deleted the iRecorder – Screen Recorder app from its official store.

After being installed, the malicious program acted in the same manner as a conventional app and did not seek any unusual or additional permissions, which would have been a potential indicator of its harmful purpose. Notably, since the program had the capability to capture video, it was to be anticipated that it would ask for permission to record audio and save the recording to the device. Additionally, it is granted access to the camera's recording capabilities.

During the course of the investigation, the researchers came across two distinct variants of the malware that were based on AhMyth RAT. The first malicious version of iRecorder contained bits of AhMyth RAT's malicious code that had been copied without any adjustments. The second malicious version, which they named AhRat, was also accessible on Google Play. The AhMyth code that it included had been modified, and this covered the connection between the backdoor and the C&C server as well as the malware itself. iRecorder is the only app that has been found to contain this particular piece of modified code.

AhMyth RAT is a powerful tool that is capable of performing a variety of harmful operations. These capabilities include obtaining a list of files on the device, determining the position of the device, exfiltrating call logs, contacts, and text messages, sending SMS messages, recording audio, and capturing photographs. However, in both malicious versions examined here, the researchers found just a small subset of the dangerous characteristics included in the original AhMyth RAT. These features appeared to fit within the app's previously declared permissions model, which allows access to the files stored on the device and authorizes the recording of audio.