ESET Discovers Malicious Android App ‘iRecorder – Screen Recorder’ with Espionage Capabilities


(IN BRIEF) Researchers at ESET have discovered a malicious Android app called iRecorder – Screen Recorder that was initially available on Google Play as a legitimate app. The app, which had over 50,000 installations, had malicious functionality added in August 2022. The malicious code, called AhRat, is based on the AhMyth Android RAT and has been customized for espionage purposes. The app can record audio using the device’s microphone and steal files. While AhRat has not been found outside of Google Play, similar AhMyth-based malware has been previously detected on the official store. Users who had installed an earlier version of iRecorder and updated it unknowingly exposed their devices to AhRat. ESET has not attributed this activity to a specific campaign or APT group. For more information, refer to ESET’s blog post and follow ESET Research on Twitter.

(PRESS RELEASE) BRATISLAVA, 23-May-2023 — /EuropaWire/ — ESET, a Slovak internet security company known for its anti-virus and firewall products, announces that it has uncovered a trojanized Android app named iRecorder – Screen Recorder that posed a significant threat to over 50,000 users. Initially available as a legitimate app on Google Play since September 2021, the app had malicious functionality added in August 2022. The additional code, based on the AhMyth Android RAT, was customized into a variant that ESET researchers named AhRat.

The AhRat malware exhibited sophisticated capabilities, including the ability to record audio through the device’s microphone and steal various files, suggesting a possible involvement in espionage activities. While no instances of AhRat have been detected outside of the Google Play Store, it is worth noting that similar AhMyth-based malware had previously evaded Google’s app-vetting process in 2019.

Lukáš Štefanko, an ESET researcher who discovered and investigated the threat, commented, “The AhRat research case serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy. While it is possible that the app developer had intended to build up a user base before compromising their Android devices through an update or that a malicious actor introduced this change in the app, so far, we have no evidence for either of these hypotheses.”

The customization of AhRat demonstrates the malicious actors’ deep understanding of both the app’s code and backend infrastructure, highlighting their level of sophistication. In addition to its purported screen recording functionality, the malicious iRecorder app had the ability to covertly record audio and transmit it to a command and control server. It also exfiltrated various files, including web pages, images, audio, video, documents, and compressed files.

ESET researchers emphasized that Android users who installed earlier versions of iRecorder (prior to version 1.3.8) unknowingly exposed their devices to AhRat if they subsequently updated the app, even without granting any further permission approval.

“Fortunately, preventive measures against such malicious actions have already been implemented in Android 11 and higher versions in the form of app hibernation. This feature effectively places apps that have been dormant for several months into a hibernation state, thereby resetting their runtime permissions and preventing malicious apps from functioning as intended. The malicious app was removed from Google Play after our alert, which confirms that the need for protection to be provided through multiple layers, such as ESET Mobile Security, remains essential for safeguarding devices against potential security breaches,” concludes Štefanko.

Although ESET has not attributed this activity to any specific campaign or APT group, the company urges Android users to take precautions. ESET recommends leveraging the app hibernation feature available in Android 11 and higher versions, which resets runtime permissions for dormant apps, preventing them from functioning maliciously. It is crucial to adopt multiple layers of protection, such as ESET Mobile Security, to ensure devices remain secure from potential breaches.

For more technical details on the malicious iRecorder app and AhRat, please refer to the blog post titled “Android app breaking bad: From legitimate screen recording to file exfiltration within a year” on WeLiveSecurity. Stay updated on the latest news from ESET Research by following them on Twitter.

About ESET

For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure, and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit or follow us on LinkedIn, Facebook, and Twitter.

Media contact:

Rebecca Kiely
Director of Global PR
Tel: +421 (2) 322 44 111
Fax: +421 (2) 322 44 109

SOURCE: ESET, spol. s r.o.

