This kind of malware has a sordid history.
An Android app that was supposed to be used to do screen recordings has been caught secretly recording audio and sending it somewhere shady — but the story behind the debacle goes even deeper.
As the WeLiveSecurity blog reports, the app named “iRecorder – Screen Recorder” had more than 50,000 installs from the Google Play store after its fall 2021 launch and, by all indications, was a normal, benign app.
At some point, however, the app was “trojanized” with malicious software during a subsequent update, according to the security software firm ESET, which owns WeLiveSecurity.
“Initially, the iRecorder app did not have any harmful features,” the blog post reads. “What is quite uncommon is that the application received an update containing malicious code quite a few months after its launch.”
And reader, it gets weirder: “The application’s specific malicious behavior, which involves extracting microphone recordings and stealing files with specific extensions, potentially indicates its involvement in an espionage campaign.”
This strange debacle, ESET notes, involves a type of “remote access trojan” — or RAT, evocatively — malware known as AhMyth, which has previously plagued the Google Play store on more than one occasion. As the RAT moniker suggests, this kind of malware is used to remotely access victims’ phone data and send it to outside developers to do whatever nefarious things they want with the data or to the infected devices.
WeLiveSecurity has named the latest AhMyth version “AhRat,” and said that besides the iRecorder app — which has now been pulled from Google Play — its researchers haven’t detected the malware “anywhere else in the wild.”
While it’s unclear who or what was controlling this latest version of AhMyth, the blog did note that past generations had been used for some pretty freaky stuff.
“Previously, the open-source AhMyth was employed by Transparent Tribe, also known as APT36, a cyberespionage group known for its extensive use of social engineering techniques and targeting government and military organizations in South Asia,” WeLiveSecurity explains, though the blog admits that it doesn’t know who is behind this attack and has no evidence that it’s connected with any “known advanced persistent threat.”
As common as malware has become, the history of AhMyth and the possibility that this version could have been used for clandestine ends provides a stark reminder of how dangerous this sort of thing really is — and, if nothing else, should encourage everyone to exercise caution even on official app stores.
More on bad actors: Scammer Tricks Man With Face and Voice Swap of His Friend, Cops Say