Stefanko installed the app repeatedly on devices in his lab, and each time, the result was the same: The app received an instruction to record one minute of audio and send it to the attacker’s command-and-control server, also known colloquially in security circles as a C&C or C2. ![]() ESET named the newly modified RAT in iRecorder AhRat. As time went on, code taken from AhMyth was heavily modified, an indication that the developer became more adept with the open source RAT. ![]() Once the RAT was added to iRecorder, all users of the previously benign app received updates that allowed their phones to record nearby audio and send it to a developer-designated server through an encrypted channel. The secret espionage functions were implemented using code from AhMyth, an open source RAT (remote access Trojan) that has been incorporated into several other Android apps in recent years. It included the ability to remotely turn on the device mic and record sound, connect to an attacker-controlled server, and upload the audio and other sensitive files that were stored on the device. Eleven months later, the legitimate app was updated to add entirely new functionality. The app, titled iRecorder Screen Recorder, started life on Google Play in September 2021 as a benign app that allowed users to record the screens of their Android devices, ESET researcher Lukas Stefanko said in a post published on Tuesday. The campaign was still live at the time of writing.An app that had more than 50,000 downloads from Google Play surreptitiously recorded nearby audio every 15 minutes and sent it to the app developer, a researcher from security firm ESET said. It added that victims are likely to be military or political officials. The security vendor’s judgement is based on the fact that APT36 has previously used honey-trap romance scams to lure its victims. “After gaining the victims’ trust, they suggested moving to another – allegedly more secure – chat app that was available on one of the malicious distribution websites.” “Considering that only a handful individuals were compromised, we believe that potential victims were highly targeted and lured using romance schemes, with Transparent Tribe operators most likely establishing first contact via another messaging platform,” ESET explained. The campaign is narrowly targeted, and nothing suggests these apps were ever available on Google Play.”ĬapraRAT was disguised as two legitimate-looking applications: so-called secure Android chat apps ‘MeetsApp’ and ‘MeetUp,’ which were distributed via malicious websites hosted by APT36. ![]() “The backdoor can also receive commands to download files, make calls and send SMS messages. “The backdoor is capable of taking screenshots and photos, recording phone calls and surrounding audio, and exfiltrating any other sensitive information,” ESET said. It attributed the campaign to the Pakistan state-linked actor Transparent Tribe (APT36) due to the use of the CapraRAT backdoor and IP addresses spotted in previous campaigns from the group. ![]() Security researchers have uncovered a cyber-espionage campaign targeting mainly Indian and Pakistani victims with Android messaging apps containing backdoor malware.ĮSET said weak OpSec allowed it to locate over 150 victims, some of whom also resided in Russia, Oman and Egypt.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |