iRecorder Ap Turned into Spyware after the Update

iRecorder, Screen Recorder screen recording app with over 50,000 downloads on Google Play, received a remote access trojan as an “update” and turned into a spyware.

Interestingly, the malicious functionality appeared only a year after the application was published in the Google Play store.

Let me remind you that we also wrote that Chinese Hacker Group Evasive Panda Hacked Tencent App to Spy on NGOs, and also that Two Hack Groups at Once Hacked into a Federal Agency in the United States Using a Four-Year-Old Bug.

ESET experts who discovered a threat in the application say that iRecorder – Screen Recorder appeared in the store in September 2021, but it was trojanized after an update to version 1.3.8 in August 2022.

Since the application was intended for screen recording, it made it easier for attackers to request permissions to record audio and access files on infected devices without arousing suspicion.

The malware that was included in the mentioned update is RAT AhRat, based on the open source AhMyth source code. At the same time, the code taken from AhMyth was heavily modified, and the developer clearly knew what he was doing.

The first malicious version of iRecorder contained parts of the malicious AhMyth RAT code copied without any changes. The second version of the malware, which we named AhRat, was also available on Google Play, and here AhMyth was already customized: there was a code for communicating with the C&C server and a backdoor. At the time of this writing, we have not found AhRat in any other Google Play app or anywhere else.the analysts write.

The AhRat malware has a wide range of capabilities, including tracking the location of infected devices, stealing call logs, contacts, and text messages, sending SMS messages, recording background sounds, and taking photos.

ESET experts note that the malicious screen recording application used only part of AhRat’s capabilities: every 15 minutes it recorded and transmitted background sounds to a remote server (the recording lasted about a minute), and also stole files with certain extensions, which led researchers to think about cyber espionage .

Lukáš Štefanko

Unfortunately, we do not have any evidence that the application targeted a specific group of people. From the description of the application and further research (in search of a possible propagation vector), it is not clear if any specific group was affected. This seems highly unusual, but we have no evidence to the contrary.ESET expert Lukáš Štefanko writes.

The app has now been removed from Google Play, however experts warn that iRecorder – Screen Recorder may be available on alternative and unofficial Android app stores.

It should be noted that this is not the first time that malware based on open source AhMyth has penetrated Google Play. So, in 2019, the same ESET experts found Radio Balouch and RB Music apps in the store, which did contain legitimate components for streaming radio broadcasting, but were also infected with AhMyth.