A screen recording app for Android turned malicious after receiving an update, gaining the ability to steal users' recordings and files. The app was available on the Google Play Store, where it accumulated more than 50,000 downloads on the strength of its simple function of recording what happens on the smartphone screen, and it was taken offline after the danger was discovered.

Behind the scenes, however, iRecorder – Screen Recorder began running a remote access trojan as of its 1.3.8 update, released in August 2022. The malware, known as AhRat, is a variant of another already known piece of malware, AhMyth, and is believed to be part of an espionage campaign, as indicated by the application's own functionality.

In addition to diverting screen recordings to servers controlled by the criminals, the malware could also activate the microphone to listen to the surroundings without the user’s permission. Meanwhile, the files stored on the phone were scanned for specific formats, and any that were found were also sent to the criminals.

One of the hypotheses raised by ESET, the security company that found the malicious application in the official Google store, is that this was a premeditated operation: the idea would have been to build a user base with legitimate software that would later receive spying capabilities. Another possibility, however, is a compromise of the supply chain of the developer, who also offers other apps on the Play Store and other marketplaces, none of them with malicious functionality.

The specialists’ attention was also drawn to AhRat’s level of specialization: it has stealth features and is well integrated with iRecorder’s own code, so as not to arouse suspicion. The variant found in the screen recording app is unique, according to ESET, but other modifications of the original AhMyth code have been seen in Android phone infections since 2019.

Do a security check on Android

Promptly uninstalling iRecorder – Screen Recorder is the main recommended security measure, but not the only one. The software has since been pulled from the Google Play Store, but anyone who downloaded it and has kept it updated since August 2022 could still be at risk; removing the app, however, prevents it from continuing to access files.

The same goes for a security feature introduced with Android 11, which revokes permissions from infrequently used apps. Without those permissions the malware cannot act, which may have protected some users who had it installed on their device but did not use it often.

Still, it is important to run a security check on the Android smartphone, using antivirus software and other security tools to look for problems. When downloading apps, users should also prefer established solutions from certified developers with a reputation in the market; researching online and looking for reviews or reports of security issues can help with that choice.

Always download apps from the official store for your operating system or manufacturer, and pay attention to the permissions requested, checking whether they make sense for the software’s functionality. If you are suspicious, stop using the application, delete it, and give preference to apps from well-known developers.

Source: ESET
