iRecorder App Turned into Spyware After an Update

iRecorder - Screen Recorder, a screen recording app with over 50,000 downloads on Google Play, received a remote access trojan as an “update” and turned into spyware.

Interestingly, the malicious functionality appeared only a year after the application was published in the Google Play store.

Let me remind you that we also wrote that Chinese Hacker Group Evasive Panda Hacked Tencent App to Spy on NGOs, and also that Two Hacker Groups Simultaneously Hacked a US Federal Agency Using a Four-Year-Old Bug.

ESET experts who discovered the threat in the application say that iRecorder - Screen Recorder appeared in the store in September 2021, but it was trojanized after an update to version 1.3.8 in August 2022.

iRecorder turned into spyware

Since the application was intended for screen recording, it made it easier for attackers to request permissions to record audio and access files on infected devices without arousing suspicion.

The malware included in that update is the AhRat RAT, based on the open-source AhMyth code. At the same time, the code taken from AhMyth was heavily modified, and the developer clearly knew what he was doing.

“The first malicious version of iRecorder contained parts of the malicious AhMyth RAT code copied without any changes. The second version of the malware, which we named AhRat, was also available on Google Play, and here AhMyth was already customized: there was code for communicating with the C&C server and a backdoor. At the time of this writing, we have not found AhRat in any other Google Play app or anywhere else,” the analysts write.

The AhRat malware has a wide range of capabilities, including tracking the location of infected devices, stealing call logs, contacts, and text messages, sending SMS messages, recording background sounds, and taking photos.

ESET experts note that the malicious screen recording application used only part of AhRat’s capabilities: every 15 minutes it recorded background sounds and transmitted them to a remote server (each recording lasted about a minute), and it also stole files with certain extensions, which led researchers to think about cyber espionage.

Lukáš Štefanko

“Unfortunately, we do not have any evidence that the application targeted a specific group of people. From the description of the application and further research (in search of a possible propagation vector), it is not clear if any specific group was affected. This seems highly unusual, but we have no evidence to the contrary,” ESET expert Lukáš Štefanko writes.

The app has now been removed from Google Play; however, experts warn that iRecorder - Screen Recorder may still be available on alternative and unofficial Android app stores.

It should be noted that this is not the first time that malware based on the open-source AhMyth has penetrated Google Play. In 2019, the same ESET experts found the Radio Balouch and RB Music apps in the store, which did contain legitimate components for streaming radio broadcasts, but were also infected with AhMyth.

About the author

Carina Wilson

With more than 10 years of experience writing for online and print media, I am an expert in producing clear and compelling copy.

I have written for a leading SEO copywriting agency as well as for some of the UK's best-known brands, magazines and newspapers.
