업데이트 후 iRecorder Ap가 스파이웨어로 변했습니다.

iRecorder, Screen Recorder screen recording app with over 50,000 downloads on Google Play, received a remote access trojan as an “update” and turned into a spyware.

재미있게, the malicious functionality appeared only a year after the application was published in the Google Play store.

우리도 그렇게 썼다는 것을 상기시켜 드리겠습니다. Chinese Hacker Group Evasive Panda Hacked Tencent App to Spy on NGOs, 그리고 그것도 두 개의 해킹 그룹이 4년 된 버그를 사용해 미국 연방 기관을 동시에 해킹했습니다..

ESET experts who discovered a threat in the application say that iRecorder – Screen Recorder appeared in the store in September 2021, 하지만 it was trojanized after an update to version 1.3.8 in August 2022.

Since the application was intended for screen recording, it made it easier for attackers to request permissions to record audio and access files on infected devices without arousing suspicion.

The malware that was included in the mentioned update is RAT AhRat, based on the open source AhMyth source code. 동시에, the code taken from AhMyth was heavily modified, and the developer clearly knew what he was doing.

The first malicious version of iRecorder contained parts of the malicious AhMyth RAT code copied without any changes. The second version of the malware, which we named AhRat, was also available on Google Play, and here AhMyth was already customized: there was a code for communicating with the C&C server and a backdoor. At the time of this writing, we have not found AhRat in any other Google Play app or anywhere else.the analysts write.

The AhRat malware has a wide range of capabilities, including tracking the location of infected devices, stealing call logs, contacts, and text messages, sending SMS messages, recording background sounds, and taking photos.

ESET experts note that the malicious screen recording application used only part of AhRat’s capabilities: every 15 minutes it recorded and transmitted background sounds to a remote server (the recording lasted about a minute), and also stole files with certain extensions, which led researchers to think about cyber espionage .

Lukáš Štefanko

Unfortunately, we do not have any evidence that the application targeted a specific group of people. From the description of the application and further research (in search of a possible propagation vector), it is not clear if any specific group was affected. This seems highly unusual, but we have no evidence to the contrary.ESET expert Lukáš Štefanko 쓴다.

The app has now been removed from Google Play, however experts warn that iRecorder – Screen Recorder may be available on alternative and unofficial 기계적 인조 인간 app stores.

It should be noted that this is not the first time that malware based on open source AhMyth has penetrated Google Play. 그래서, ~에 2019, the same ESET experts found Radio Balouch 그리고 RB Music apps in the store, which did contain legitimate components for streaming radio broadcasting, but were also infected with AhMyth.