Earn their trust, then attack.
ESET researchers discovered an Android app, available on the Google Play store with over 50,000 installs, that was perfectly safe until it went bad in version 1.3.8. This approach could work with any software.
In this case the iRecorder app was working perfectly for an entire year before the clean version was updated with malicious spyware code.
Apparently it’s very rare for a developer to upload a legitimate app, have it operate perfectly for almost a year, and then provide an update with malicious code. In this case, the code added was a customized version of the open-source AhMyth Android RAT that researchers have named AhRat.
From the research:
“Aside from providing legitimate screen recording functionality, the malicious iRecorder can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control (C&C) server. It can also exfiltrate files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files, from the device. The app’s specific malicious behavior – exfiltrating microphone recordings and stealing files with specific extensions – tends to suggest that it is part of an espionage campaign.”
Ted Miracco, CEO, Approov Mobile Security had this to say:
“The AhMyth Android RAT (Remote Access Trojan) specifically targets Android devices, and allows attackers to spy on victims and collect sensitive information such as call logs, text messages, GPS location, contacts, record audio and take screenshots. Cases like this, where a ‘legitimate’ app developer inserts malware, are not as uncommon as you may think, especially with ‘free’ utilities where the user’s data is essentially the product deliverable. Even reputable mobile security apps tend to make a land grab when it comes to requesting permissions on devices for information that is certainly unnecessary for the proper functioning of the mobile app.
“While more and more Android devices are supporting a feature called “Play Protect” (formerly “SafetyNet”) that can make sure apps are free of potential malware, in this case it would prove absolutely ineffective as the malware was added by the developer that is setting up the attestation criteria. In cases like these end-users need to be vigilant in making sure the permissions are commensurate with the requirements of the app and be cautious of apps from unofficial app stores. It is also important to avoid rooting (Android) or jailbreaking (iOS) devices as these processes will further weaken the device’s security and make it more vulnerable to malware attacks.”
Roy Akerman, Co-Founder & CEO, Rezonate followed up with this:
“In many cases, a legitimate action may turn out to be of malicious intent. In this case a mobile application was delivering on its promise but easily turned malicious after trust was achieved. The same could be said of rogue employees, once they gain systems access, and could apply to most any software whether on mobile or desktop.
“Being stealthy can be accomplished by hiding below detection radars with low and slow attacks, hidden with benign traffic, or the exact opposite and fully open as a legitimate application. This is why continuous monitoring and behavioral pattern monitoring of usage and code is mandatory to defend against this risk.”
This reinforces the fact that downloading apps is sometimes a risky business. Thus I would recommend that both individuals and companies take steps to make sure that they are not a victim of this attack vector. For individuals, that can mean practising safe computing habits. For businesses it can mean restricting what one can or cannot download onto devices. Those at the very least would limit the exposure to this.
1 In 5 Canadian Shoppers Fall Victim To Payments Fraud Losing An Average Of $264.90 Each: Adyen
Posted in Commentary with tags Adyen on May 23, 2023 by itnerd

Global research commissioned by Adyen, the global financial technology platform of choice for leading businesses, has found that over one in five (21%) people in Canada have been victims of payments fraud. On average, the victims were defrauded $264.90 each.
With fraud on the rise, consumers are responding – 59% believe that the risk of fraud is making shopping online a less attractive proposition, while 73% want retailers to better communicate the efforts they take to protect consumers from fraud.
More than a third of retailers (23%) admit that fraudsters have targeted their business by establishing a replica website to imitate their brand and trick their customers, and 30% said that fraud attempts have increased in the past year. Worryingly, only 55% of retailers believe their fraud prevention systems are effective.
With inflation and the cost of living soaring for consumers, and making things even more difficult for retailers, neither can afford to fall for scammers’ traps. The poll of 2,000 consumers and 500 retailers in Canada explores the extent to which payments fraud is impacting consumers and businesses.
Additional highlights from the research include:
You can download the full report here.