Malicious app detected on Google Play
ESET Corporation, a leader in the field of information security, announced the detection of a malicious Android app with audio recording and file stealing functionality.
WeLiveSecurity.com reports.
The iRecorder – Screen Recorder app was initially uploaded to Google Play as a legitimate app in September 2021, and the malicious functionality was probably added in August 2022. Over 50,000 users have downloaded and installed the app since its release.
The malicious code that was added to the clean version of iRecorder is based on the open-source AhMyth remote access trojan and was named AhRat. This malware is capable of recording audio using the device's microphone and stealing files, which can be part of a spyware attack.
This is not the first time that AhMyth-based Android malware has been available in the official store. ESET previously detected such a malicious app in 2019. Back then, the spyware, built on the foundations of AhMyth, circumvented Google’s app-vetting process twice, as a malicious app providing radio streaming.
However, the iRecorder app can also be found on alternative and unofficial Android stores, and the developer also offers other apps on Google Play, but without malicious code.
"The AhRat research is an example of how an initially legitimate app can turn into a malicious one, spying on users and violating their privacy. Although it is possible that the app developer wanted to build a user base before infecting Android devices through updates, there is currently no evidence of this," explains Lukas Stefanko, an ESET researcher.
In addition to the legitimate screen recording function, the malicious iRecorder can record audio from the device's microphone and upload it to the attacker's command server. The threat can steal files with certain extensions from the device, such as saved web pages, images, audio, video, as well as documents and archives.
Android users who installed a previous version of iRecorder (up to version 1.3.8), which did not contain any malicious features, could unknowingly infect their devices with AhRat when updating the application manually or automatically, even without granting additional permissions.
"Measures to prevent such malicious actions have already been implemented in Android version 11 and later in the form of app Sleep mode. This feature actually puts applications that have been inactive for several months into a hibernation state, thereby resetting their runtime permissions and preventing malware from running," Lukas Stefanko said.