Reuters reports: Hackers have stolen data from the systems of a number of users of the popular file transfer tool MOVEit Transfer, U.S. security researchers said on Thursday, one day after the maker of the software disclosed that a security flaw had been discovered. Software maker Progress Software Corp, after disclosing the vulnerability on Wednesday, said it could lead to potential unauthorized access into users' systems.

The managed file transfer software made by the Burlington, Massachusetts-based company allows organizations to transfer files and data between business partners and customers. It was not immediately clear which or how many organizations use the software or were impacted by potential breaches. Chief Information Officer Ian Pitt declined to share those details, but said Progress Software had made fixes available since it discovered the vulnerability late on May 28...

Cybersecurity firm Rapid7 Inc and Mandiant Consulting — owned by Alphabet Inc's Google — said they had found a number of cases in which the flaw had been exploited to steal data. "Mass exploitation and broad data theft has occurred over the past few days," Charles Carmakal, chief technology officer of Mandiant Consulting, said in a statement... "Although Mandiant does not yet know the motivation of the threat actor, organizations should prepare for potential extortion and publication of the stolen data," Carmakal said.
Thanks to long-time Slashdot reader rexx mainframe for sharing the story.

"Amazon employees staged a walkout Wednesday," reports CNBC, "in protest of the company's recent return-to-office mandate, layoffs and its environmental record." Approximately 2,000 employees worldwide walked off the job shortly after 3 p.m. EST, with about 1,000 of those workers gathering outside the Spheres, the massive glass domes that anchor Amazon's Seattle headquarters, according to employee groups behind the effort. Amazon disputed the figure and said about 300 employees participated.

The walkout was organized in part by Amazon Employees for Climate Justice, an influential worker organization that has repeatedly pressed the e-retailer on its climate stance... One employee spoke about how remote work had allowed her to spend more time with her family, while coworkers told her it enabled them to care for newborn children and relatives with special needs. "Today looks like it might be the start of a new chapter in Amazon's history, when tech workers coming out of the pandemic stood up and said we still want a say in this company and the direction of this company," said Eliza Pan, a cofounder of AECJ and a former program manager at Amazon. "We still want a say in the important decisions that affect all of our lives, and tech workers are going to stand up for ourselves, for each other, for our families, the communities where Amazon operates and for life on planet Earth...."

Amazon spokesperson Brad Glasser said in a statement that the company has so far been pleased with the results of its return-to-office push. "There's more energy, collaboration, and connections happening, and we've heard this from lots of employees and the businesses that surround our offices," Glasser added. "

Shadow has decided to cut the price of its cloud storage service Shadow Drive. Users can now get 2TB of storage for $5.3 per month instead of $9.6 per month. From a report: As for the free tier, things aren't changing. Users who sign up get 20GB of online storage for free. Shadow is also the company behind Shadow PC, a cloud computing service that lets you rent a virtual instance of a Windows PC in a data center near you. It works particularly well to play demanding PC games on any device, such as a cheap laptop, a connected TV or a smartphone. Coming back to Shadow Drive, as the name suggests, Shadow Drive works a lot like Google Drive, OneDrive, iCloud Drive or Dropbox. Users can upload and download files from a web browser. They are stored in a data center based in France so that you can access them later.

Speaking of Brave, the browser-maker is introducing vertical tabs. From a blog post: With today's 1.52 desktop release, the vertical tabs setting is available to Brave users on Windows, macOS, and Linux. Enabling the vertical tabs setting relocates your open tabs from the top of your browser window (i.e. above the address bar) to the left side of the window, where they'll appear stacked vertically rather than horizontally. To do so, right-click an existing horizontal tab and select "use vertical tabs" from the menu. With open tabs arranged vertically, you'll be able to scroll through them as needed. To open a new tab, simply click the button to create a new tab at the bottom of the vertical tabs sidebar.

Russian cybersecurity firm Kaspersky says some iPhones on its network were hacked using an iOS vulnerability that installed malware via iMessage zero-click exploits. From a report: The delivery of the message exploits a vulnerability that leads to code execution without requiring any user interaction, leading to the download of additional malicious from the attackers' server. Subsequently, the message and attachment are wiped from the device. At the same time, the payload stays behind, running with root privileges to collect system and user information and execute commands sent by the attackers.

Kaspersky says the campaign started in 2019 and reports the attacks are still ongoing. The cybersecurity firm has named the campaign "Operation Triangulation" and is inviting anyone who knows more about it to share information. [...] In a statement coinciding with Kaspersky's report, Russia's FSB intelligence and security agency claims that Apple deliberately provided the NSA with a backdoor it can use to infect iPhones in the country with spyware. The FSB alleges that it has discovered malware infections on thousands of Apple iPhones belonging to officials within the Russian government and staff from the embassies of Israel, China, and several NATO member nations in Russia. Despite the seriousness of the allegations, the FSB has provided no proof of its claims.

The National Eating Disorder Association (Neda) has taken down an artificial intelligence chatbot, "Tessa," after reports that the chatbot was providing harmful advice. From a report: Neda has been under criticism over the last few months after it fired four employees in March who worked for its helpline and had formed a union. The helpline allowed people to call, text or message volunteers who offered support and resources to those concerned about an eating disorder. Members of the union, Helpline Associates United, say they were fired days after their union election was certified. The union has filed unfair labor practice charges with the National Labor Relations Board.

Tessa, which Neda claims was never meant to replace the helpline workers, almost immediately ran into problems. On Monday, activist Sharon Maxwell posted on Instagram that Tessa offered her "healthy eating tips" and advice on how to lose weight. The chatbot recommended a calorie deficit of 500 to 1,000 calories a day and weekly weighing and measuring to keep track of weight. "If I had accessed this chatbot when I was in the throes of my eating disorder, I would NOT have gotten help for my ED. If I had not gotten help, I would not still be alive today," Maxwell wrote. "It is beyond time for Neda to step aside."

An anonymous reader quotes a report from TechCrunch: An apparent ransomware attack on one of America's largest dental health insurers has compromised the personal information of almost nine million individuals in the United States. The Atlanta-based Managed Care of North America (MCNA) Dental claims to be the largest dental insurer in the nation for government-sponsored plans covering children and seniors. In a notice posted on Friday, the company said it became aware of "certain activity in our computer system that happened without our permission" on March 6 and later learned that a hacker "was able to see and take copies of some information in our computer system" between February 26 and March 7, 2023.

The information stolen includes a trove of patients' personal data, including names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, and driver's licenses or other government-issued ID numbers. Hackers also accessed patients' health insurance data, including plan information and Medicaid ID numbers, along with bill and insurance claim information. In some cases, some of this data pertained to a patient's "parent, guardian, or guarantor," according to MCNA Dental, suggesting that children's personal data was accessed during the breach. According to a data breach notification filed with Maine's attorney general, the hack affected more than 8.9 million clients of MCNA Dental. That makes this incident the largest breach of health information of 2023 so far, after the PharMerica breach that saw hackers access the personal data of almost 6 million patients. The LockBit ransomware group took responsibility for the cyberattack and published 700GB of files after the company refused to pay a $10 million ransom demand.

Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs -- a feature ripe for abuse, researchers say. From a report: Hiding malicious programs in a computer's UEFI firmware, the deep-seated code that tells a PC how to load its operating system, has become an insidious trick in the toolkit of stealthy hackers. But when a motherboard manufacturer installs its own hidden backdoor in the firmware of millions of computers -- and doesn't even put a proper lock on that hidden back entrance -- they're practically doing hackers' work for them. Researchers at firmware-focused cybersecurity company Eclypsium revealed today that they've discovered a hidden mechanism in the firmware of motherboards sold by the Taiwanese manufacturer Gigabyte, whose components are commonly used in gaming PCs and other high-performance computers. Whenever a computer with the affected Gigabyte motherboard restarts, Eclypsium found, code within the motherboard's firmware invisibly initiates an updater program that runs on the computer and in turn downloads and executes another piece of software.

While Eclypsium says the hidden code is meant to be an innocuous tool to keep the motherboard's firmware updated, researchers found that it's implemented insecurely, potentially allowing the mechanism to be hijacked and used to install malware instead of Gigabyte's intended program. And because the updater program is triggered from the computer's firmware, outside its operating system, it's tough for users to remove or even discover. "If you have one of these machines, you have to worry about the fact that it's basically grabbing something from the internet and running it without you being involved, and hasn't done any of this securely," says John Loucaides, who leads strategy and research at Eclypsium. "The concept of going underneath the end user and taking over their machine doesn't sit well with most people."

Rest now, little Chromecast. Google has announced the decade-old Chromecast 1 is finally hitting end of life. From a report: A message on Google's Chromecast firmware support page announced the wind-down of support, saying, "Support for Chromecast (1st gen) has ended, which means these devices no longer receive software or security updates, and Google does not provide technical support for them. Users may notice a degradation in performance." The 1st-gen Chromecast launched in 2013 for $35.

The original Chromecast was wildly successful and sold 10 million units in 2014 alone. For years, the device was mentioned in Google earnings calls as the highlight of the company's hardware efforts, and it was essentially the company's first successful piece of hardware. The Chromecast made it easy to beam Internet videos to your TV at a time when that was otherwise pretty complicated.

A database containing the details of almost half-a-million RaidForums users has leaked online, a year after the U.S. Department of Justice seized the notorious cybercrime forum. From a report: The leaked database was posted on Exposed, described by security researchers as an up-and-coming forum "wanting to fill the void" left by the recent BreachForums shutdown. An Exposed admin, known as "Impotent," posted the alleged RaidForums user data, which includes the details of 478,000 users, including their usernames, email addresses, hashed passwords and registration dates. "All of the users that were on raidforums may have been infected," the admin's post says. RaidForums had around 550,000 users at the time of its shutdown last year. The admin added that some users' details have been removed from the leak, though it's unclear how many or the reasoning behind this.

ASUS is extending its connector-less design to graphics cards and has showcased the first GPU, a GeForce RTX 40 design, which features now power plugs. From a report: Spotted during our tour at the ASUS HQ, the ROG team gave us a first look at an upcoming graphics card (currently still in the concept phase) which is part of its GeForce RTX 40 family. The graphics card itself was a GeForce RTX 4070 design but it doesn't fall under any existing VGA product lineup & comes in an interesting design.

So the graphics card itself is a 2.3 slot design that features a triple axial-tech cooling fan system and once again, it isn't part of any interesting GPU lineup from ASUS such as ROG STRIX, TUF Gaming, Dual, etc. The backside of the card features an extended backplate that extends beyond the PCB & there's a cut-out for the air to pass through. The card also comes with a dual-BIOS switch that lets you switch between the "Performance" & "Quiet" modes but while there's a "Megalodon" naming on the backplate, we were told that isn't the final branding for this card.

Ars Technica profiles Scott Shapiro, the co-author of a new book, Fancy Bear Goes Phishing: The Dark History of the Information Age in Five Extraordinary Hacks.

Shapiro points out that computer science "is only a century old, and hacking, or cybersecurity, is maybe a few decades old. It's a very young field, and part of the problem is that people haven't thought it through from first principles." Telling in-depth the story of five major breaches, Shapiro ultimately concludes that "the very principles that make hacking possible are the ones that make general computing possible.

"So you can't get rid of one without the other because you cannot patch metacode." Shapiro also brings some penetrating insight into why the Internet remains so insecure decades after its invention, as well as how and why hackers do what they do. And his conclusion about what can be done about it might prove a bit controversial: there is no permanent solution to the cybersecurity problem. "Cybersecurity is not a primarily technological problem that requires a primarily engineering solution," Shapiro writes. "It is a human problem that requires an understanding of human behavior." That's his mantra throughout the book: "Hacking is about humans." And it portends, for Shapiro, "the death of 'solutionism.'"
An excerpt from their interview: Ars Technica: The scientific community in various disciplines has struggled with this in the past. There's an attitude of, "We're just doing the research. It's just a tool. It's morally neutral." Hacking might be a prime example of a subject that you cannot teach outside the broader context of morality.

Scott Shapiro: I couldn't agree more. I'm a philosopher, so my day job is teaching that. But it's a problem throughout all of STEM: this idea that tools are morally neutral and you're just making them and it's up to the end user to use it in the right way. That is a reasonable attitude to have if you live in a culture that is doing the work of explaining why these tools ought to be used in one way rather than another. But when we have a culture that doesn't do that, then it becomes a very morally problematic activity.

CNN reports: Some Amazon corporate workers have announced plans to walk off the job next week over frustrations with the company's return-to-work policies, among other issues, in a sign of heightened tensions inside the e-commerce giant after multiple rounds of layoffs.

The work stoppage is being jointly organized by an internal climate justice worker group and a remote work advocacy group, according to an email from organizers and public social media posts. Workers participating have two main demands: asking the e-commerce giant to put climate impact at the forefront of its decision making, and to provide greater flexibility for how and where employees work.

The lunchtime walkout is scheduled for May 31, beginning at noon. Organizers have said in an internal pledge that they are only going to go through with the walkout if at least 1,000 workers agree to participate, according to an email from organizers.
The event comes a month after Amazon's return-to-office mandate took effect, reports the Seattle Times — with one software engineer saying they wanted to show Amazon's leadership that "employees need a say in the decisions that affect our lives." In response, an Amazon spokesperson said, "We respect our employees' rights to express their opinions." Drew Herdener, senior vice president for communications at Amazon, said there has been a good energy on the company's South Lake Union campus and other urban centers where Amazon has a significant presence. "We've had a great few weeks with more employees in the office," he said. "As it pertains to the specific topics this group of employees is raising, we've explained our thinking in different forums over the past few months and will continue to do so...."

[Since January], Amazon announced another 9,000 job cuts companywide, but has not notified Washington's unemployment office of the local impact. At the same time Amazon was re-evaluating its teams and workforce, the company announced it would require workers to return to the office at least three times a week beginning May 1. That was a change from Amazon's prior policy, put in place in the second half of 2021, that allowed leaders to decide for their teams where they should work. Announcing the mandate in February, CEO Andy Jassy told employees that senior leaders had observed that it's easier to "learn, model, practice and strengthen our culture when we're in the office together most of the time and surrounded by our colleagues." Boosters for downtown Seattle, where Amazon's headquarters campus is located, cheered the mandate and hoped that thousands of returning workers would enliven the neighborhood.

In response to the return-to-office mandate, more than 20,000 workers signed a petition urging Amazon to reconsider.

"They bring luxury workspaces, fancy coffee shops... and rising rents," reports Rest of World.org, visiting a coworking space with 70 people in its cafe and 100 more in its second-floor coworking area, that "looks as if it were picked up in Silicon Valley and dropped into Colombia by a crane... Coders and digital marketers crowd the tables, drinking pour-over coffee and enjoying loaded avocado toast. Downstairs, in the coffee shop, a stylish woman with a ring light on her laptop chats with a client thousands of kilometers away. Upstairs, in the dedicated office space, an American wearing an Oculus Rift headset attends a meeting in the metaverse. Most of the workers here are employed in the U.S., but relaxed post-pandemic office norms permit them to work from anywhere. This is the mobile, location-independent lifestyle of the digital nomad...

[The Colombian city] Medellín is one of the latest hot spots to join a global nomad circuit that spans tropical latitudes. Southeast Asia remains the preferred destination for nomads — on popular website Nomad List, four of the top 10 cities are from the region. The list also features less-expensive European cities in Portugal and Romania, as well as Latin American destinations like Mexico City, which share time zones with the U.S. The typical nomad might visit 12 or 13 countries in a year, all the while holding down a corporate job, usually in the tech sector...

But the income differential between the nomads and the Colombian professional class is immense. The result is runaway price inflation — rents in Laureles have skyrocketed, and restaurants cannot raise their prices fast enough. A one-bedroom in Medellín now rents for the "gringo price" of about $1,300 a month, in a country where the median monthly income is $300.
A digital nomad community "can distort the local economy," the article points out

• In Mexico city this November, people "took to the streets...to protest gentrification and rising rents."
• Portugal "curtailed licenses for Airbnbs in an attempt to calm rising housing costs."

Right now the top six four cities are Buenos Aires, Bangkok, Mexico City, and Canggu (in Bali), according to the article.

Bitwarden, the popular open-source password management program, has launched Bitwarden Passwordless.dev, a developer toolkit for integrating FIDO2 WebAuthn-based passkeys into websites and applications. The New Stack reports: Bitwarden Passwordless.dev uses an easy-to-use application programming interface (API) to provide a simplified approach to implementing passkey-based authentication with your existing code. This enables developers to create seamless authentication experiences swiftly and efficiently. For example, you can use it to integrate with FIDO2 WebAuthn applications such as Face ID, fingerprint, and Windows Hello. Enterprises also face challenges in integrating passkey-based authentication into their existing applications. Another way Bitwarden Passwordless.dev addresses this issue is by including an admin console. This enables programmers to configure applications, manage user attributes, monitor passkey usage, deploy code, and get started instantly.

"Passwordless authentication is rapidly gaining popularity due to its enhanced security and streamlined user login experience," said Michael Crandell, CEO of Bitwarden. "Bitwarden equips developers with the necessary tools and flexibility to implement passkey-based authentication swiftly and effortlessly, thereby improving user experiences while maintaining optimal security levels."

Researchers from Cisco's Talos security team have uncovered detailed information about Predator, a sophisticated spyware sold to governments worldwide, which can secretly record voice calls, collect data from apps like Signal and WhatsApp, and hide or disable apps on mobile devices. Ars Technica reports: An analysis Talos published on Thursday provides the most detailed look yet at Predator, a piece of advanced spyware that can be used against Android and iOS mobile devices. Predator is developed by Cytrox, a company that Citizen Lab has said is part of an alliance called Intellexa, "a marketing label for a range of mercenary surveillance vendors that emerged in 2019." Other companies belonging to the consortium include Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., and Senpai. Last year, researchers with Google's Threat Analysis Group, which tracks cyberattacks carried out or funded by nation-states, reported that Predator had bundled five separate zero-day exploits in a single package and sold it to various government-backed actors. These buyers went on to use the package in three distinct campaigns. The researchers said Predator worked closely with a component known as Alien, which "lives inside multiple privileged processes and receives commands from Predator." The commands included recording audio, adding digital certificates, and hiding apps. [...]

According to Talos, the backbone of the malware consists of Predator and Alien. Contrary to previous understandings, Alien is more than a mere loader of Predator. Rather, it actively implements the low-level capabilities that Predator needs to surveil its victims. "New analysis from Talos uncovered the inner workings of PREDATOR and the mechanisms it uses to communicate with the other spyware component deployed along with it known as 'ALIEN,'" Thursday's post stated. "Both components work together to bypass traditional security features on the Android operating system. Our findings reveal the extent of the interweaving of capabilities between PREDATOR and ALIEN, providing proof that ALIEN is much more than just a loader for PREDATOR as previously thought to be." In the sample Talos analyzed, Alien took hold of targeted devices by exploiting five vulnerabilities -- CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003, CVE-2021-1048 -- the first four of which affected Google Chrome, and the last Linux and Android. [...] The deep dive will likely help engineers build better defenses to detect the Predator spyware and prevent it from working as designed. Talos researchers were unable to obtain Predator versions developed for iOS devices.

Liam Proven, reporting for The Register: Over 21 years after it first came out, the Microsoft operating system that will not die is receiving another lease of life. It's possible to activate new installations, safely and securely, without a crack, off line. A blog post on tinyapps has revealed the hot news that nobody sane has been waiting for: the algorithm that Microsoft uses to validate Windows XP product keys has been cracked and reimplemented. As a result it's now possible to generate valid activation codes for Windows XP, without an internet connection, even though Microsoft has turned off all the activation servers.

This is not a recommendation But first, a word of caution and restraint. Please don't take this article as a recommendation to run Windows XP. It wasn't the most secure of operating systems back in 2001, and you really should not be running it in 2023 -- especially not on anything that is connected to the internet. However, saying that, the problem is that sometimes people need to. There is, for example, hardware out there that only works with Windows XP and won't work with anything newer... and some of it might be very expensive hardware, which is still perfectly functional -- but which requires a long-obsolete version of Windows to operate it. If you are lumbered with such a device, or you have got some single specific and very particular piece of software that you need to run and which doesn't work properly on any newer version of Windows, then you may be forced to use XP. If so, one of the problems is that Microsoft has turned off the activation servers, so even if you install clean fresh copy, you can no longer activate it over the Internet. (Allegedly, the telephone activation service still works, if that's an option for you.)

An anonymous reader quotes a report from Wired: Bcrypt turns 25 this year, and Niels Provos, one of its coinventors, says that looking back, the algorithm has always had good energy, thanks to its open source availability and the technical characteristics that have fueled its longevity. Provos spoke to WIRED about a retrospective on the algorithm that he published this week in Usenix ;login:. Like so many digital workhorses, though, there are now more robust and secure alternatives to bcrypt, including the hashing algorithms known as scrypt and Argon2. Provos himself says that the quarter-century milestone is plenty for bcrypt and that he hopes it will lose popularity before celebrating another major birthday.

A version of bcrypt first shipped with the open source operating system OpenBSD 2.1 in June 1997. At the time, the United States still imposed stringent export limits on cryptography. But Provos, who grew up in Germany, worked on its development while he was still living and studying there. "One thing I found so surprising was how popular it became," he says. "I think in part it's probably because it was actually solving a problem that was real, but also because it was open source and not encumbered by any export restrictions. And then everybody ended up doing their own implementations in all these other languages. So these days, if you are faced with wanting to do password hashing, bcrypt is going to be available in every language that you could possibly operate in. But the other thing that I find interesting is that it's even still relevant 25 years later. That is just crazy."

Provos developed bcrypt with David Mazieres, a systems security professor at Stanford University who was studying at the Massachusetts Institute of Technology when he and Provos collaborated on bcrypt. The two met through the open source community and were working on OpenBSD. [...] Password security is always lagging, though, and both Provos and Mazieres expressed disbelief and disappointment that the state of passwords broadly has not evolved in decades. Even new schemes like passkeys are only just beginning to emerge. "Bcrypt should have been superseded already," Provos says. "It's surprising how much reliance we still have on passwords. If you had asked me 25 years ago, I would not have guessed that."

An anonymous reader quotes a report from Ars Technica: Researchers have uncovered malware designed to disrupt electric power transmission and may have been used by the Russian government in training exercises for creating or responding to cyberattacks on electric grids. Known as CosmicEnergy, the malware has capabilities that are comparable to those found in malware known as Industroyer and Industroyer2, both of which have been widely attributed by researchers to Sandworm, the name of one of the Kremlin's most skilled and cutthroat hacking groups.

Researchers from Mandiant, the security firm that found CosmicEnergy, wrote: "COSMICENERGY is the latest example of specialized OT malware capable of causing cyber physical impacts, which are rarely discovered or disclosed. What makes COSMICENERGY unique is that based on our analysis, a contractor may have developed it as a red teaming tool for simulated power disruption exercises hosted by Rostelecom-Solar, a Russian cyber security company. Analysis into the malware and its functionality reveals that its capabilities are comparable to those employed in previous incidents and malware, such as INDUSTROYER and INDUSTROYER.V2, which were both malware variants deployed in the past to impact electricity transmission and distribution via IEC-104. The discovery of COSMICENERGY illustrates that the barriers to entry for developing offensive OT capabilities are lowering as actors leverage knowledge from prior attacks to develop new malware. Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe COSMICENERGY poses a plausible threat to affected electric grid assets. OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in the wild deployment of COSMICENERGY."

Right now, the link is circumstantial and mainly limited to a comment found in the code suggesting it works with software designed for training exercises sponsored by the Kremlin. Consistent with the theory that CosmicEnergy is used in so-called Red Team exercises that simulate hostile hacks, the malware lacks the ability to burrow into a network to obtain environment information that would be necessary to execute an attack. The malware includes hardcoded information object addresses typically associated with power line switches or circuit breakers, but those mappings would have to be customized for a specific attack since they differ from manufacturer to manufacturer. "For this reason, the particular actions intended by the actor are unclear without further knowledge about the targeted assets," Mandiant researchers wrote.

An anonymous reader quotes a report from Ars Technica: An app that had more than 50,000 downloads from Google Play surreptitiously recorded nearby audio every 15 minutes and sent it to the app developer, a researcher from security firm ESET said. The app, titled iRecorder Screen Recorder, started life on Google Play in September 2021 as a benign app that allowed users to record the screens of their Android devices, ESET researcher Lukas Stefanko said in a post published on Tuesday. Eleven months later, the legitimate app was updated to add entirely new functionality. It included the ability to remotely turn on the device mic and record sound, connect to an attacker-controlled server, and upload the audio and other sensitive files that were stored on the device.

The secret espionage functions were implemented using code from AhMyth, an open source RAT (remote access Trojan) that has been incorporated into several other Android apps in recent years. Once the RAT was added to iRecorder, all users of the previously benign app received updates that allowed their phones to record nearby audio and send it to a developer-designated server through an encrypted channel. As time went on, code taken from AhMyth was heavily modified, an indication that the developer became more adept with the open source RAT. ESET named the newly modified RAT in iRecorder AhRat.

Stefanko installed the app repeatedly on devices in his lab, and each time, the result was the same: The app received an instruction to record one minute of audio and send it to the attacker's command-and-control server, also known colloquially in security circles as a C&C or C2. Going forward, the app would receive the same instruction every 15 minutes indefinitely. [...] Stefanko said it's possible that iRecord is part of an active espionage campaign, but so far, he has been unable to determine if that's the case. "Unfortunately, we don't have any evidence that the app was pushed to a particular group of people, and from the app description and further research (possible app distribution vector), it isn't clear if a specific group of people was targeted or not," he wrote. "It seems very unusual, but we don't have evidence to say otherwise."