Press Center

Malware and antivirus software

News

Legitimate Android app iRecorder turns malicious within a year, spies on its users, ESET Research discovers

Created: 2023-05-25 07:44:38

  • As a Google App Defense Alliance partner, ESET detected a trojanized app available on the Google Play Store and named the AhMyth-based malware it contained AhRat.
  • Initially, the iRecorder app did not have any harmful features. What is quite uncommon is that the application received an update containing malicious code quite a few months after its launch.
  • The application’s specific malicious behavior, which involves extracting microphone recordings and stealing files with specific extensions, potentially indicates its involvement in an espionage campaign.
  • The malicious app with over 50,000 downloads was removed from Google Play after ESET Research’s alert; ESET has not detected AhRat anywhere else in the wild.

BRATISLAVA, KOŠICE — May 23, 2023 — ESET researchers have discovered a trojanized Android app named iRecorder - Screen Recorder. It was available on Google Play as a legitimate app in September 2021, with malicious functionality most likely added in August 2022. During its existence, the app was installed on more than 50,000 devices. The malicious code that was added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote access trojan) and has been customized into what ESET named AhRat. The malicious app is capable of recording audio using the device’s microphone and stealing files, suggesting it might be part of an espionage campaign.

Besides the Google Play Store, ESET Research has not detected AhRat anywhere else in the wild. However, this is not the first time that AhMyth-based Android malware has been available on the official store; ESET previously published research on such a trojanized app in 2019. Back then, the spyware, built on the foundations of AhMyth, circumvented Google’s app-vetting process twice, as a malicious app providing radio streaming. However, the iRecorder app can also be found on alternative and unofficial Android markets, and the developer also provides other applications on Google Play, but they don’t contain malicious code.

“The AhRat research case serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy. While it is possible that the app developer had intended to build up a user base before compromising their Android devices through an update or that a malicious actor introduced this change in the app; so far, we have no evidence for either of these hypotheses,” explains ESET researcher Lukáš Štefanko, who discovered and investigated the threat.

The remotely controlled AhRat is a customization of the open-source AhMyth RAT, which means that the authors of the malicious app invested significant effort into understanding the code of both the app and the back end, ultimately adapting it to suit their own needs.

Aside from providing legitimate screen recording functionality, the malicious iRecorder can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control server. It can also exfiltrate from the device files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files.

Android users who installed an earlier version of iRecorder (prior to version 1.3.8), which lacked any malicious features, would have unknowingly exposed their devices to AhRat if they subsequently updated the app either manually or automatically, even without granting any further app permission approval.

“Fortunately, preventive measures against such malicious actions have already been implemented in Android 11 and higher versions in the form of app hibernation. This feature effectively places apps that have been dormant for several months into a hibernation state, thereby resetting their runtime permissions and preventing malicious apps from functioning as intended. The malicious app was removed from Google Play after our alert, which confirms that the need for protection to be provided through multiple layers, such as ESET Mobile Security, remains essential for safeguarding devices against potential security breaches,” concludes Štefanko.

ESET Research has not yet found any concrete evidence that would enable the attribution of this activity to a particular campaign or APT group.

For more technical information about the malicious iRecorder app and AhRat, check out the blogpost “Android app breaking bad: From legitimate screen recording to file exfiltration within a year” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

 




About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.

Why ESET?

ESET has over 25 years' experience of helping people to Enjoy Safer Technology. Our software is light on hardware, but hard on malware.

Our Technology

ESET’s award-winning NOD32® Antivirus technology is at the cutting edge of digital security. It’s updated daily to keep you secure.

Free Support

Enjoy your free, industry-leading customer support locally. For technical, sales and marketing enquires dial +65 6296 4268.