After almost a year of working properly and being cleanly distributed through the Play Store, a popular Android screen recording app has turned on its users, recording their calls, stealing files, and even listening in to the sounds of the device’s environment.
Cybersecurity researchers from ESET found that the app, named iRecorder – Screen Recorder, which was added to the Play Store in September 2021, turned malicious in August 2022.
In the year before malicious code was apparently added, more than 50,000 people had downloaded the app, the report said.
The malware that was subsequently added is based on the open-source AhMyth Android Remote Access Trojan (RAT), but was heavily modified. ESET says whoever modified the code took their time to understand the code of both the app and the back end. ESET’s researchers dubbed the malware AhRat.
The threat actors behind the compromise are unknown, and so are their motives. But given the functionalities of AhRat, all things point to an espionage campaign, the researchers said. After all, besides the screen recording feature (which isn’t malicious), the app can record ambient audio picked up by the endpoint’s microphone, and exfiltrate files such as saved web pages, images, audio, video, document files, and more.
“The AhRat research case serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy. While it is possible that the app developer had intended to build up a user base before compromising their Android devices through an update, or that a malicious actor introduced this change in the app, so far we have no evidence for either of these hypotheses,” ESET researcher Lukáš Štefanko said.
In other words, there’s a slight chance the app was taken over by malicious actors and used in a supply chain attack.
iRecorder versions 1.3.8 and older are reportedly not malicious, but if you updated the app after that point, chances are you have been compromised. The worst part is that victims did not even need to grant the app any further permissions. The app has since been removed from the Play Store.