Once-legit Android app started recording users, sending audio to attackers

About a year after the app launched, an update added malicious code to record users and steal files


Researchers have found that a once-legitimate app on the Google Play Store turned sour and started secretly recording audio every 15 minutes.

The report comes from security firm ESET (via Ars Technica) and details how an app called ‘iRecorder Screen Recorder’ went from an innocent app to a spy tool. The app had some 50,000 downloads, though Google has since removed it from the Play Store along with other apps by the developer, ‘Coffeeholic Dev.’ It’s worth noting that ESET didn’t find signs of malice in other apps by Coffeeholic.

iRecorder launched on the Play Store in September 2021 as a tool to help users record their screens. However, eleven months after launching, the app suddenly gained new capabilities allowing it to remotely turn on the phone’s microphone and record sound. The app would do so every 15 minutes and record for about one minute, then send the audio along with other sensitive files stored on the device to an attacker-controlled server.

ESET reports that iRecorder’s espionage capabilities were added using code from ‘AhMyth,’ an open-source remote access Trojan (RAT) that’s been seen in several other malicious Android apps. Over time, the code taken from AhMyth was heavily modified — ESET dubbed the modified RAT ‘AhRat.’

ESET also noted that it’s unusual to find a malicious app that actively records a wide base of victims. The researchers posit that the app could be part of an active espionage campaign but haven’t found any evidence that this is the case. ESET also didn’t find evidence that the app was targeted at a specific group of people.

Those interested can read the full report here.

Source: ESET Via: Ars Technica