Researchers from IT security vendor ESET have discovered a trojanized version of the popular Android app “iRecorder – Screen Recorder” on Google Play and had it removed. The malicious application was able to record audio via the device microphone and steal files without the user's consent.

The ESET experts recommend that the app's 50,000 users, especially those on Android versions older than 11, delete iRecorder – Screen Recorder and install a new program version from 2.0 onward. A mobile security solution also strengthens protection against threats of a similar nature. The app was available as a legitimate app on Google Play in September 2021, and the malicious functionality was probably added in August 2022. The malware, called AhRat, is based on the open source AhMyth Android RAT (Remote Access Trojan). The ESET researchers published the detailed analysis on the security blog Welivesecurity.de.

Spying instead of screen recording

In addition to offering legitimate screen recording capabilities, the malicious iRecorder can also record ambient sounds via the device's microphone and upload them to the attacker's command-and-control server. The app is also capable of exfiltrating files from the device whose extensions indicate saved web pages, images, audio, video and document files, as well as file formats used to compress multiple files.

Android users who had installed an earlier, legitimate version of iRecorder (prior to version 1.3.8) unknowingly exposed their devices to AhRat when they subsequently updated the application manually or automatically. This could happen even if they had not given further permission to the application.

“Fortunately, Android 11 and later versions have already implemented preventative measures against such malicious actions in the form of so-called app hibernation. This feature puts apps that have been inactive for several months into hibernation. This resets their runtime permissions so that malicious apps can no longer function as intended. The malicious version of iRecorder was removed from Google Play following our warning. This confirms that multi-layered protection like ESET Mobile Security remains essential to protect devices from potential security breaches.”

ESET researcher Lukáš Štefanko

Infected iRecorder version removed from Google Play

Apart from the Google Play Store, ESET Research has not yet discovered AhRat anywhere else in the wild. However, it is not the first time that Android malware based on AhMyth has been available in the official store: ESET researchers published their results on such a trojanized app back in 2019. Back then, the spyware built on AhMyth's foundations bypassed Google's app verification process twice as a malicious app that offered radio streaming. However, the iRecorder app can also be found in alternative and unofficial Android markets. The developer also offers other apps on Google Play, but they do not contain any malicious code.

About AhRat

“The AhRat case is a good example of how, even after many months, an originally legitimate app can turn into a malicious application that spies on its users and endangers their privacy. It's possible that the app developer wanted to build a user base before compromising their Android devices with an update. Or a malicious actor introduced this change to the app. So far we have no evidence to support either of these hypotheses.”

Lukáš Štefanko

AhRat is an adaptation of the open source app AhMyth RAT. The authors put considerable effort into understanding the code of both the app and the backend and ultimately adapting it to their own needs.

Further details can be found at Welivesecurity.de

Source:

Eset
