Researchers from ESET have revealed that a popular Android screen recording app, iRecorder - Screen Recorder, spies on users and steals data.

Initially available on Google Play as a legitimate app in September 2021, it appears that the malicious functionality was added in August 2022.

Surprisingly, during its existence, the app managed to find its way onto more than 50,000 devices.


Malicious Code

The malicious code embedded in iRecorder, known as AhRat, is based on the open-source AhMyth Android RAT (remote access trojan) and has been reportedly customized for nefarious purposes, such as unauthorized audio recording and file theft, indicating a potential involvement in espionage activities, according to ESET.

While ESET Research has not detected AhRat outside of the Google Play Store, the software company noted that this is not the first instance of AhMyth-based Android malware being found on the official store. 

In 2019, ESET published research on a trojanized app built upon AhMyth, which managed to bypass Google's app-vetting process by disguising itself as a legitimate app offering radio streaming.

ESET added that the iRecorder app is also available on alternative and unofficial Android markets, but that the legitimate versions do not contain any malicious code.

"The AhRat research case serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy," said ESET researcher Lukáš Štefanko, who discovered and analyzed the threat.

"While it is possible that the app developer had intended to build up a user base before compromising their Android devices through an update or that a malicious actor introduced this change in the app, so far, we have no evidence for either of these hypotheses." 

The AhRat malware, derived from the open-source AhMyth RAT, demonstrates a significant level of sophistication, according to ESET. 

Apart from its legitimate screen recording functionality, the researchers note that the iRecorder app can surreptitiously record audio from the device's microphone and upload it to the attacker's command and control server.

Additionally, it can allegedly extract various file types, including saved web pages, images, audio, video, and document files, which are then transmitted from the compromised device. 


Unknowingly Exposed

"Android users who installed an earlier version of iRecorder (prior to version 1.3.8), which lacked any malicious features, would have unknowingly exposed their devices to AhRat if they subsequently updated the app either manually or automatically, even without granting any further app permission approval," ESET researchers wrote.

Android 11 and higher versions include app hibernation, a preventive measure that disables dormant apps, resetting their permissions and preventing malicious apps from functioning.
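Because an update inherits the grants a user already gave, as the ESET quote above notes, one practical device audit is to list apps that were updated after first install while holding both microphone and storage grants. The sketch below is an added example, not ESET's or this article's code; it parses text in the layout of `adb shell dumpsys package`, and the sample text, package names and timestamps are constructed placeholders.

```python
import re
from datetime import datetime

# Grants a screen recorder legitimately asks for; an update inherits them as-is.
SENSITIVE = {"android.permission.RECORD_AUDIO", "android.permission.READ_EXTERNAL_STORAGE"}

# Constructed, simplified `adb shell dumpsys package` layout; all values are placeholders.
SAMPLE_DUMPSYS = """\
Package [com.example.screenrecorder] (1a2b3c):
    firstInstallTime=2021-10-02 09:15:00
    lastUpdateTime=2022-08-30 09:15:00
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (4d5e6f):
    firstInstallTime=2022-01-10 18:00:00
    lastUpdateTime=2022-01-10 18:00:00
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
Package [com.example.dictaphone] (7a8b9c):
    firstInstallTime=2021-03-01 08:00:00
    lastUpdateTime=2023-02-11 21:40:10
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET ]
"""

def parse_packages(text):
    """Return {package: {"installed", "updated", "granted"}} from dumpsys text."""
    pkgs = {}
    for block in re.split(r"(?m)^(?=Package \[)", text):
        name = re.match(r"Package \[([^\]]+)\]", block)
        if not name:
            continue
        stamp = lambda key: datetime.strptime(
            re.search(rf"{key}=(.+)", block).group(1).strip(), "%Y-%m-%d %H:%M:%S")
        pkgs[name.group(1)] = {
            "installed": stamp("firstInstallTime"),
            "updated": stamp("lastUpdateTime"),
            "granted": set(re.findall(r"(\S+): granted=true", block)),
        }
    return pkgs

def review_candidates(text):
    """Apps updated after first install that hold every SENSITIVE grant."""
    return sorted((name, (p["updated"] - p["installed"]).days)
                  for name, p in parse_packages(text).items()
                  if p["updated"] > p["installed"] and SENSITIVE <= p["granted"])
```

A hit from `review_candidates` is a prompt for manual review rather than a verdict, since many benign apps are updated while holding these grants; real `dumpsys` output carries many more fields than the sample.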

While ESET Research has not identified the specific campaign or APT group behind this activity, detailed information can be found in ESET's blog post, "Android app breaking bad: From legitimate screen recording to file exfiltration within a year", on WeLiveSecurity.

If you have installed the iRecorder app, it is strongly advised to delete it from your device. The app has been removed from Google Play, but prior to its removal, it had amassed over 50,000 downloads, indicating a significant number of potentially affected users. 

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.