
It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code. The malicious code that was added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote access trojan) and has been customized into what we named AhRat.

Besides this one case, we have not detected AhRat anywhere else in the wild. However, this is not the first time that AhMyth-based Android malware has been available on Google Play; we previously published our research on such a trojanized app in 2019. Back then, the spyware, built on the foundations of AhMyth, circumvented Google’s app-vetting process twice, as a malicious app providing radio streaming.

Overview of the app

Aside from providing legitimate screen recording functionality, the malicious iRecorder can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control (C&C) server. It can also exfiltrate files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files, from the device. The app’s specific malicious behavior – exfiltrating microphone recordings and stealing files with specific extensions – tends to suggest that it is part of an espionage campaign. However, we were not able to attribute the app to any particular malicious group.

As a Google App Defense Alliance partner, ESET identified the most recent version of the application as malicious and promptly shared its findings with Google. Following our alert, the app was removed from the store.

The iRecorder application was initially released on the Google Play Store on September 19th, 2021, offering screen recording functionality; at that time, it contained no malicious features. However, around August 2022 we detected that the app’s developer had included malicious functionality in version 1.3.8. As illustrated in Figure 1, by March 2023 the app had amassed over 50,000 installations.

Android users who had installed an earlier version of iRecorder (prior to version 1.3.8), which lacked any malicious features, would have unknowingly exposed their devices to AhRat if they subsequently updated the app, either manually or automatically, and they would have done so without being asked to approve any further app permissions.

Following our notification regarding iRecorder’s malicious behavior, the Google Play security team removed it from the store. However, it is important to note that the app can also be found on alternative and unofficial Android markets. The iRecorder developer also provides other applications on Google Play, but they don’t contain malicious code.

Previously, the open-source AhMyth was employed by Transparent Tribe, also known as APT36, a cyberespionage group known for its extensive use of social engineering techniques and for targeting government and military organizations in South Asia. Nevertheless, we cannot ascribe the current samples to any specific group, and there are no indications that they were produced by a known advanced persistent threat (APT) group.

Analysis

During our analysis, we identified two versions of malicious code based on AhMyth RAT. The first malicious version of iRecorder contained parts of AhMyth RAT’s malicious code, copied without any modifications. The second malicious version, which we named AhRat, was also available on Google Play, and its AhMyth code was customized, including the code and communication between the C&C server and the backdoor.

AhMyth RAT is a potent tool, capable of various malicious functions, including exfiltrating call logs, contacts, and text messages, obtaining a list of files on the device, tracking the device location, sending SMS messages, recording audio, and taking pictures. By the time of this publication, we have not observed AhRat in any other Google Play app or elsewhere in the wild; iRecorder is the only app that has contained this customized code.
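The update path described above (a clean version later replaced by a trojanized one that users receive without approving anything new) is worth checking for mechanically when triaging an app's version history. The following script is an added example, not ESET's code and not taken from iRecorder: it parses two AndroidManifest.xml files and diffs the permissions they declare. The manifests are constructed stand-ins (the package name com.example.screenrecorder and the permission lists are invented for illustration); the point they make is that a version whose permission set is identical to its predecessor gives the user nothing new to review, so a permission diff alone cannot tell a benign update from one that adds audio recording and file exfiltration on top of permissions the app already held.

```python
"""Diff the permissions declared by two versions of an Android app.

Added example (not code from ESET or from the app discussed on this page).
The manifests below are CONSTRUCTED samples, not iRecorder's real manifests.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
VERSION_ATTR = f"{{{ANDROID_NS}}}versionName"

# Constructed sample: a screen recorder that already holds microphone and
# storage access, because recording a screen with sound legitimately needs both.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.screenrecorder" android:versionName="1.3.7">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="Recorder"/>
</manifest>
"""

# Constructed sample: the follow-up version. Only the version string changes;
# the permission list is identical, so an update raises no new permission
# request even if the code now uploads recordings and files to a server.
MANIFEST_V2 = MANIFEST_V1.replace(
    'android:versionName="1.3.7"', 'android:versionName="1.3.8"'
)

# Constructed sample: a version that does declare an additional permission,
# so the diff has something to report.
MANIFEST_V3 = MANIFEST_V2.replace(
    '<application android:label="Recorder"/>',
    '<uses-permission android:name="android.permission.READ_CONTACTS"/>\n'
    '    <application android:label="Recorder"/>',
)


def requested_permissions(manifest_xml: str) -> frozenset[str]:
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return frozenset(
        el.attrib[NAME_ATTR]
        for el in root.iter("uses-permission")
        if NAME_ATTR in el.attrib
    )


def version_name(manifest_xml: str) -> str:
    """Return android:versionName from the <manifest> root, or '?' if absent."""
    return ET.fromstring(manifest_xml).attrib.get(VERSION_ATTR, "?")


def permission_diff(old_xml: str, new_xml: str) -> tuple[frozenset[str], frozenset[str]]:
    """Return (added, removed) permission sets between two manifest versions."""
    old, new = requested_permissions(old_xml), requested_permissions(new_xml)
    return new - old, old - new


def declares_new_permissions(old_xml: str, new_xml: str) -> bool:
    """True if the new version declares any permission the old one did not.

    False means the update carries no new permission for the user to notice;
    it says nothing about whether the code behind those permissions changed.
    """
    added, _ = permission_diff(old_xml, new_xml)
    return bool(added)


def report(old_xml: str, new_xml: str) -> str:
    """Human-readable summary of a version-to-version permission diff."""
    added, removed = permission_diff(old_xml, new_xml)
    lines = [f"{version_name(old_xml)} -> {version_name(new_xml)}"]
    lines += [f"  + {p}" for p in sorted(added)]
    lines += [f"  - {p}" for p in sorted(removed)]
    if not added and not removed:
        lines.append("  (no permission changes: nothing new for the user to approve)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(MANIFEST_V1, MANIFEST_V2))
    print(report(MANIFEST_V2, MANIFEST_V3))
```

In practice the manifests come from `apktool d` or `aapt dump permissions` runs over each APK version you can obtain; the diff is a quick first pass, and a clean result should push you toward comparing the decompiled code and network endpoints rather than closing the case.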

