ESET Researchers Discover A Novel Attack Vector Involving Play Store Apps That Start Out Good And Then Go Bad
Earn their trust, then attack.
ESET researchers have documented an Android app that was perfectly clean when it reached the Google Play store, accumulated more than 50,000 installs, and only turned malicious with a single update, version 1.3.8. Nothing about this approach is specific to Android; it would work with any software that receives updates.
In this case the iRecorder app behaved exactly as advertised for almost a year before the clean version was replaced by an update carrying spyware code.
Reportedly it is very rare for a developer to publish a legitimate app, operate it cleanly for almost a year, and then ship an update with malicious code. Here the added code was a customized version of the open-source AhMyth Android RAT, which the researchers have named AhRat.
From the research:
“Aside from providing legitimate screen recording functionality, the malicious iRecorder can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control (C&C) server. It can also exfiltrate files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files, from the device. The app’s specific malicious behavior – exfiltrating microphone recordings and stealing files with specific extensions – tends to suggest that it is part of an espionage campaign.”
Ted Miracco, CEO, Approov Mobile Security had this to say:
“The AhMyth Android RAT (Remote Access Trojan) specifically targets Android devices, and allows attackers to spy on victims and collect sensitive information such as call logs, text messages, GPS location, contacts, record audio and take screenshots. Cases like this where a ‘legitimate’ app developer inserts malware are not as uncommon as you may think, especially with “free” utilities where the user’s data is essentially the product deliverable. Even reputable mobile security apps tend to make a land grab when it comes to requesting permissions on devices for information that is certainly unnecessary for the proper functioning of the mobile app.
“While more and more Android devices are supporting a feature called “Play Protect” (formerly “SafetyNet”) that can make sure apps are free of potential malware, in this case it would prove absolutely ineffective as the malware was added by the developer that is setting up the attestation criteria. In cases like these end-users need to be vigilant in making sure the permissions are commensurate with the requirements of the app and be cautious of apps from unofficial app stores. It is also important to avoid rooting (Android) or jailbreaking (iOS) devices as these processes will further weaken the device’s security and make it more vulnerable to malware attacks.”
Roy Akerman, Co-Founder & CEO, Rezonate followed up with this:
“In many cases, a legitimate action may turn out to be of malicious intent. In this case a mobile application was delivering on its promise but easily turned malicious after trust was achieved. The same could be said of rogue employees, once they gain systems access, and could apply to most any software whether on mobile or desktop.
“Being stealthy can be accomplished by hiding below detection radars with low and slow attacks hidden in benign traffic, or the exact opposite and fully open as a legitimate application. This is why continuous monitoring and behavioral pattern monitoring of usage and code is mandatory to defend against this risk.”
This reinforces the point that installing apps, even from an official store, carries risk. I would recommend that both individuals and companies take steps to avoid becoming victims of this attack vector. For individuals, that means practising safe computing habits, including checking that the permissions an app holds are commensurate with what it actually does. For businesses it means controlling what can and cannot be installed on company devices. At the very least, those steps limit the exposure.
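Ted Miracco’s advice above, to keep an app’s permissions commensurate with what it does, can be turned into a mechanical check that a user or a company’s mobile-device team runs before accepting an update: diff the permissions declared by the old and new versions and flag anything sensitive that is new. The Python below is an added example written for this post, not code from ESET or from the iRecorder case. The two manifests are constructed stand-ins for a screen-recorder style app before and after an update, and the SENSITIVE set is a choice made for this example rather than an Android-defined list. The script also makes the limit of this check visible: an update that abuses permissions the app already legitimately held (a screen recorder already needs the microphone and storage) adds nothing new and passes, which is why the behavioural monitoring Roy Akerman describes is the stronger control.

```python
"""
Diff the <uses-permission> declarations of two Android manifests and flag
sensitive permissions that an update introduces.

Added example for this post; not code from ESET or from the iRecorder app.
The manifests below are CONSTRUCTED stand-ins, not real iRecorder manifests.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions whose first appearance in an update deserves a human look.
# Editorial choice for this example, not an official Android category.
SENSITIVE = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.READ_MEDIA_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed "before" manifest: a screen recorder that already records audio.
MANIFEST_V1 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recorder" android:versionName="1.3.7">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>
"""

# Constructed "after" manifest: the update starts reading files and boots itself.
MANIFEST_V2 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recorder" android:versionName="1.3.8">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""


def permissions(manifest_xml: str) -> set[str]:
    """Return every android:name declared by <uses-permission> or
    <uses-permission-sdk-23> elements in the manifest."""
    root = ET.fromstring(manifest_xml)
    names: set[str] = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.add(name)
    return names


def diff_permissions(old_xml: str, new_xml: str) -> dict:
    """Compare two manifests. 'added_sensitive' is what a reviewer should
    look at; 'already_sensitive' shows the blind spot: capabilities the app
    held before the update and could abuse without declaring anything new."""
    old, new = permissions(old_xml), permissions(new_xml)
    added = new - old
    return {
        "added": sorted(added),
        "removed": sorted(old - new),
        "added_sensitive": sorted(added & SENSITIVE),
        "already_sensitive": sorted(old & new & SENSITIVE),
    }


def review_needed(report: dict) -> bool:
    """True when the update introduces at least one sensitive permission."""
    return bool(report["added_sensitive"])


if __name__ == "__main__":
    report = diff_permissions(MANIFEST_V1, MANIFEST_V2)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("review needed:", review_needed(report))
    # Same permissions, different code: the check has nothing to flag.
    print("unchanged manifest flagged:",
          review_needed(diff_permissions(MANIFEST_V1, MANIFEST_V1)))
```

Run against real APKs, the manifests would come from decoding each version’s AndroidManifest.xml (for example with apktool or aapt); the logic is unchanged. The second print line is the point to remember: an update that leaves the manifest alone and simply starts misusing RECORD_AUDIO and storage access that the app already held produces an empty “added_sensitive” list, so a permission diff is a cheap first filter, not a substitute for watching what the app actually does on the device and on the network.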
This entry was posted on May 23, 2023 at 3:59 pm and is filed under Commentary with tags ESET.