- As a Google App Defense Alliance partner, we detected a trojanized app available on the Google Play Store; we named the AhMyth-based malware it contained AhRat.
- Initially, the iRecorder app did not have any harmful features. What is quite uncommon is that the application received an update containing malicious code quite a few months after its launch.
- The application’s specific malicious behavior, which involves extracting microphone recordings and stealing files with specific extensions, potentially indicates its involvement in an espionage campaign.
- The malicious app with over 50,000 downloads was removed from Google Play after our alert; we have not detected AhRat anywhere else in the wild.

It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code.

The malicious code that was added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote access trojan) and has been customized into what we named AhRat.

Besides this one case, we have not detected AhRat anywhere else in the wild. However, this is not the first time that AhMyth-based Android malware has been available on Google Play; we previously published our research on such a trojanized app in 2019. Back then, the spyware, built on the foundations of AhMyth, circumvented Google’s app-vetting process twice, as a malicious app providing radio streaming.

Overview of the app

Aside from providing legitimate screen recording functionality, the malicious iRecorder can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control (C&C) server. It can also exfiltrate files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files, from the device. The app’s specific malicious behavior – exfiltrating microphone recordings and stealing files with specific extensions – tends to suggest that it is part of an espionage campaign. However, we were not able to attribute the app to any particular malicious group.

As a Google App Defense Alliance partner, ESET identified the most recent version of the application as malicious and promptly shared its findings with Google. Following our alert, the app was removed from the store.

The iRecorder application was initially released on the Google Play Store on September 19th, 2021, offering screen recording functionality; at that time, it contained no malicious features. However, around August 2022 we detected that the app’s developer included malicious functionality in version 1.3.8. As illustrated in Figure 1, by March 2023 the app had amassed over 50,000 installations.