Screen recording Android app found to be spying on users

A screen recorder app with over 50,000 downloads on Google Play Store was found to be discreetly recording audio using the device’s microphone and stealing files, suggesting it might be part of an espionage campaign, according to researchers at Eset.

iRecorder was a legitimate app made available in September 2021 and a remote access trojan (RAT) AhRat was most likely added to it in 2022. The app is currently unavailable on the app store.

AhRat: the remote access trojan

The malicious code introduced in the app is a customized version of the open source RAT AhMyth. RATs can allow the threat actor access to a victim’s device and control it remotely. It can also have functions similar to spyware and stalkerware.

The customized version of the RAT, AhRat, shows that the authors of the malicious app invested significant effort into understanding the code of both the app and the back end, ultimately adapting it to suit their own needs.

“This is not the first time that AhMyth-based Android malware has been available on the official store; ESET previously published research on such a trojanized app in 2019,” Eset said.

In 2019, the spyware circumvented Google’s app-vetting process twice, as an app that provided radio streaming.

“The AhRat research case serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy,” Lukáš Štefanko, a researcher at Eset, said in the report. 

“While it is possible that the app developer had intended to build up a user base before compromising their Android devices through an update or that a malicious actor introduced this change in the app; so far, we have no evidence for either of these hypotheses,” Štefanko said.

iRecorder can also be found on alternative and unofficial Android markets, and the developer also provides other applications on Google Play Store, but they don’t contain malicious code.

The functionality of the malicious code

The trojanized iRecorder app can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control server. It can also exfiltrate from the device files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files, according to Eset’s report.

“Android users who installed an earlier version of iRecorder (prior to version 1.3.8), which lacked any malicious features, would have unknowingly exposed their devices to AhRat if they subsequently updated the app either manually or automatically, even without granting any further app permission approval,” Štefanko said. 

Preventive measures against such malicious actions have already been implemented in Android 11 and higher versions in the form of app hibernation. This feature effectively places apps that have been dormant for several months into a hibernation state, thereby resetting their runtime permissions and preventing malicious apps from functioning as intended. 

Android phones targeted by various malware

Android devices are increasingly becoming an attractive target for threat actors. Earlier this week, another open source Android malware called DogeRAT was discovered targeting a large customer base across multiple industries, especially Banking and Entertainment, according to CloudSek.

The malware is disguised as a legitimate app and distributed through social media and messaging apps. “Once installed, the malware can steal sensitive information from the victim’s device, such as contacts, messages, and banking credentials,” CloudSek said in a blog. 

The malware can also be used to take control of the victim’s device and perform malicious actions, such as sending spam messages, making unauthorized payments, modifying files, viewing call records, and even taking photos via both the front and rear cameras of the infected device, Cloudsek said. 

Earlier this month, according to Trend Micro, the cybercrime gang Lemon Group managed to get a malware known as Guerrilla preinstalled on about 8.9 million Android-based smartphones, watches, TVs, and TV boxes globally. 

Guerilla malware can load additional payloads, intercept one-time passwords from SMS texts, set up a reverse proxy from the infected device, and infiltrate WhatsApp sessions.