ESET researchers have identified an Android application with Trojan characteristics that was available in the Google Play store and reached more than 50,000 downloads. The application, named iRecorder – Screen Recorder, was initially published to the platform without malicious components on September 19, 2021. The harmful elements were added later, most likely in the 1.3.8 update, which was released in August 2022.
“It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code. The malicious code that was added to the clean version of iRecorder is based on the open source Android RAT (Remote Access Trojan) AhMyth and has been customized into what we call AhRat. Apart from this specific case, we have not detected AhRat activity anywhere else. However, it is not the first time that we have detected Android malware based on AhMyth available on Google Play, since in 2019 we also published an investigation into a trojanized app based on AhMyth’s code. Back then, it was spyware that managed to bypass Google’s app verification process twice by masquerading as a streaming radio app,” says Camilo Gutierrez Amaya, Head of the Research Laboratory of ESET Latin America.
In addition to providing legitimate screen recording functionality, as ESET notes, the malicious iRecorder app can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control (C&C) server. It can also exfiltrate files from the device whose extensions correspond to saved web pages, images, audio, video and document files, as well as formats used to compress various files. The malicious behavior specific to the application (exfiltration of microphone recordings and theft of files with specific extensions) suggests that it is part of an espionage campaign. However, the app could not be attributed to any particular malicious group.
The iRecorder app arrived on the Google Play store on September 19, 2021, offering the screen recording feature, and at that point it did not contain any malicious features. Around August 2022, however, the app developer included malicious functionality in version 1.3.8. By March 2023, the app had amassed over 50,000 installs.
Android users who had installed an older version of iRecorder (before version 1.3.8), which lacked malicious features, could therefore have unknowingly exposed their devices to AhRat if they subsequently updated the app, manually or automatically, without being asked to approve any additional app permissions.
“After reporting the malicious behavior of iRecorder, the Google Play security team removed the app from the store. However, it is important to note that the app may also be available on unofficial and alternative Android markets. The developer of iRecorder also provides other apps on Google Play, but they do not contain any malicious code,” adds the ESET researcher.
The open source AhMyth malware has been used by Transparent Tribe, also known as APT36, a cyber espionage group known for its extensive use of social engineering techniques and for targeting government and military organizations in South Asia. However, according to ESET, the current malware samples cannot be attributed to any specific group, and there is no indication that they were developed by a known Advanced Persistent Threat (APT) group.
AhMyth RAT is a powerful tool that offers several malicious features, including extracting call logs, contacts and text messages, obtaining a list of files on the device, tracking the location of the device, sending SMS messages, recording audio and taking pictures. However, in the two versions analyzed by ESET, only a limited set of malicious features derived from the original AhMyth RAT was observed. These malicious features fit within the permissions model the app already used, which grants access to files on the device and allows audio recording. Notably, because the app offered a video recording feature, it was expected to ask for permission to record audio and to store recordings on the device. Upon installation, the malicious app therefore behaved as usual, without requesting any extra permissions that could reveal its malicious intent.
After installation, AhRat starts communicating with the C&C server by sending basic device information and receiving encryption keys and an encrypted configuration file. These keys are used to encrypt and decrypt the configuration file and some of the extracted data, such as the list of files on the device.
The Head of the ESET Research Laboratory concludes: “AhRat’s research serves as a good example of how an initially legitimate app can morph into a malicious one, even after many months, spying on its users and compromising their privacy. While the developer behind this app may have intended to build a user base before compromising their Android devices through an update, or a malicious actor may have introduced this change to the app, so far we have no evidence to confirm any of these hypotheses.”
Preventive measures against these types of malicious actions have already been implemented in Android 11 and higher versions through app hibernation. This feature puts apps that have been inactive for several months into a hibernation state, resetting their runtime permissions and preventing malicious apps from working as intended. The malicious app was removed from Google Play after it was reported by ESET, but this case confirms how important it is to have multi-layered protection on devices to guard against potential leaks, such as that offered by ESET Mobile Security.