This kind of malware has a sordid history.
Secret Surveillance
An Android app that was supposed to be used to do display recordings has been caught secretly recording audio and sending it somewhere shady — but the story behind the debacle goes even deeper.
As the WeLiveSecurity blog stories, the app named “iRecorder – Screen Recorder” had more than 50,000 installs from the Google Play store after its fall 2021 launch and, by all indications, was a standard, benign app.
At some level, nevertheless, the app was “trojanized” with malicious software program during a subsequent replace, based on the safety software agency ESET, which owns WeLiveSecurity.
“Initially, the iRecorder app did not have any dangerous features,” the blog post reads. “What is sort of unusual is that the appliance obtained an update containing malicious code quite a couple of months after its launch.”
And reader, it gets weirder: “The application’s particular malicious behavior, which includes extracting microphone recordings and stealing files with particular extensions, doubtlessly signifies its involvement in an espionage marketing campaign.”
Ah, Rats!
This unusual debacle, ESET notes, entails a kind of “remote entry trojan” — or RAT, evocatively — malware known as AhMyth, which has previously plagued the Google Play store on a couple of event. As the RAT moniker suggests, this sort of malware is used to remotely access victims’ cellphone information and send it to outside developers to do whatever nefarious issues they want with the info or to the infected devices.
WeLiveSecurity has named the newest AhMyth version “AhRat,” and said that besides the iRecorder app — which has now been pulled from Google Play — its researchers haven’t detected the malware “anywhere else within the wild.”
While it is unclear who or what was controlling this latest version of AhMyth, the blog did note that previous generations had been used for some pretty freaky stuff.
“Previously, the open-source AhMyth was employed by Transparent Tribe, also referred to as APT36, a cyberespionage group known for its in depth use of social engineering methods and targeting authorities and military organizations in South Asia,” WeLiveSecurity explains, although the weblog admits that it would not know who’s behind this assault and has no proof that it is linked with any “known superior persistent risk.”
As frequent as malware has turn out to be, the historical past of AhMyth and the possibility that this version might have been used for clandestine ends supplies a stark reminder of how harmful this type of thing actually is — and, if nothing else, ought to encourage everybody to train warning even on official app stores.
More on dangerous actors: Scammer Tricks Man With Face and Voice Swap of His Friend, Cops Say
