Explorer

Beware! This Android App With Over 50,000 Downloads On Google Play Store Was Sending Mic Recordings

A malicious Android app with more than 50,000 downloads on the Google Play Store has been discovered.

A malicious Android app with more than 50,000 downloads on the Google Play Store has been discovered. The trojanized Android app named iRecorder – Screen Recorder, was initially uploaded to the Google Play Store without malicious functionality on September 19, 2021. However, it appears that malicious functionality was later implemented, most likely in version 1.3.8 of the app, which was made available in August 2022, according to Essential Security against Evolving Threats or ESET researchers.

The Android app's specific malicious behaviour involves extracting microphone recordings and stealing files with specific extensions, potentially indicates that it is involved in an espionage campaign. However, the researchers were not able to attribute the app to any particular malicious group.

According to malware researcher Lukas Stefanco, apart from providing legitimate screen recording functionality, the malicious iRecorder app can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control (C&C) server. It can also exfiltrate files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files, from the device.

"It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code. The malicious code that was added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote access trojan) and has been customized into what we named AhRat," Stefanco explained.

"The iRecorder application was initially released on the Google Play Store on September 19th, 2021, offering screen recording functionality; at that time, it contained no malicious features. However, around August 2022 we detected that the app’s developer included malicious functionality in version 1.3.8. As illustrated in Figure 1, by March 2023 the app had amassed over 50,000 installations," he added.

After the initial communication, AhRat pings the C&C server every 15 minutes, requesting a new configuration file. This file contains a range of commands and configuration information to be executed and set on the targeted device, including the file system location from which to extract user data, the file types with particular extensions to extract, a file size limit, the duration of microphone recordings (as set by the C&C server; during analysis it was set to 60 seconds), and the interval of time to wait between recordings – 15 minutes – which is also when the new configuration file is received from the C&C server.

Meanwhile, AhRat has not been detected anywhere else in the wild. However, this is not the first time that AhMyth-based Android malware has been available on Google Play. The researchers had previously published a report on such a trojanized app in 2019. Back then, the spyware, built on the foundations of AhMyth, circumvented Google’s app-vetting process twice, as a malicious app providing radio streaming.

View More
Advertisement
Advertisement
25°C
New Delhi
Rain: 100mm
Humidity: 97%
Wind: WNW 47km/h
See Today's Weather
powered by
Accu Weather
Advertisement

Top Headline

'Have To Save Our Families': PM Modi Blasts DMK Over Drug Busts In TN, Says 'BJP Enough To Fight Menace'
PM Modi Blasts DMK Over Drug Busts In TN, Says 'BJP Enough To Fight Menace'
Will Sunita Kejriwal Become Delhi CM? Know Delhi Minister Atishi's Response At ABP Shikhar Sammelan
Will Sunita Kejriwal Become Delhi CM? Know Delhi Min Atishi's Response At ABP Shikhar Sammelan
Mukhtar Ansari Death: UP Court Orders Probe After Son Claims Father 'Poisoned' In Jail — Top Points
Mukhtar Ansari Death: UP Court Orders Probe After Son Claims Father 'Poisoned' In Jail — Top Points
'BJP Should Pay Rs 4,600 Crore': Congress Slams Income Tax Dept, ECI After Getting Rs 1,700-Crore Notice
'BJP Should Pay Rs 4,600 Crore': Congress Slams Income Tax Dept, ECI After Getting Rs 1,700-Crore Notice
Advertisement
for smartphones
and tablets

Videos

Emotional Yet Fun Video Featuring Kapil Sharma, Tabu & Rhea Kapoor, Sharma To Star In 'Crew'ABP Shikhar Sammelan 2024: Anurag Thakur's counterattack to opposition over electoral bondsABP Shikhar Sammelan 2024: Why did BJP canceled tickets of more than 100 sitting MP's?|Anurag ThakurABP Shikhar Sammelan 2024: Anurag Thakur's gets angry on TMC-Congress over remarks on Kangana Ranaut

Photogallery

Embed widget