Explorer

Beware! This Android App With Over 50,000 Downloads On Google Play Store Was Sending Mic Recordings

A malicious Android app with more than 50,000 downloads on the Google Play Store has been discovered.

A malicious Android app with more than 50,000 downloads on the Google Play Store has been discovered. The trojanized Android app named iRecorder – Screen Recorder, was initially uploaded to the Google Play Store without malicious functionality on September 19, 2021. However, it appears that malicious functionality was later implemented, most likely in version 1.3.8 of the app, which was made available in August 2022, according to Essential Security against Evolving Threats or ESET researchers.

The Android app's specific malicious behaviour involves extracting microphone recordings and stealing files with specific extensions, potentially indicates that it is involved in an espionage campaign. However, the researchers were not able to attribute the app to any particular malicious group.

According to malware researcher Lukas Stefanco, apart from providing legitimate screen recording functionality, the malicious iRecorder app can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control (C&C) server. It can also exfiltrate files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files, from the device.

"It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code. The malicious code that was added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote access trojan) and has been customized into what we named AhRat," Stefanco explained.

"The iRecorder application was initially released on the Google Play Store on September 19th, 2021, offering screen recording functionality; at that time, it contained no malicious features. However, around August 2022 we detected that the app’s developer included malicious functionality in version 1.3.8. As illustrated in Figure 1, by March 2023 the app had amassed over 50,000 installations," he added.

After the initial communication, AhRat pings the C&C server every 15 minutes, requesting a new configuration file. This file contains a range of commands and configuration information to be executed and set on the targeted device, including the file system location from which to extract user data, the file types with particular extensions to extract, a file size limit, the duration of microphone recordings (as set by the C&C server; during analysis it was set to 60 seconds), and the interval of time to wait between recordings – 15 minutes – which is also when the new configuration file is received from the C&C server.

Meanwhile, AhRat has not been detected anywhere else in the wild. However, this is not the first time that AhMyth-based Android malware has been available on Google Play. The researchers had previously published a report on such a trojanized app in 2019. Back then, the spyware, built on the foundations of AhMyth, circumvented Google’s app-vetting process twice, as a malicious app providing radio streaming.

View More
Advertisement
Advertisement
25°C
New Delhi
Rain: 100mm
Humidity: 97%
Wind: WNW 47km/h
See Today's Weather
powered by
Accu Weather
Advertisement

Top Headlines

Jharkhand Polls: 1.37 Crore Electors Set To Vote In Phase 1; Champai Soren, 6 Ministers Among Candidates
Jharkhand Polls: 1.37 Crore Electors Set To Vote In Phase 1; Champai Soren, 6 Ministers In Fray
Lyricist Arrested For Threatening Salman Khan, Demanding Rs 5 Cr Ransom, Cops Say 'Accused Wanted To Get Famous'
Lyricist Arrested For Threatening Salman Khan, Cops Say 'Accused Wanted To Get Famous'
Now, An Afghan Student To Man Afghanistan Embassy In India
Now, An Afghan Student To Man Afghanistan Embassy In India
Barron Trump: The 'Sleeper Agent' Who Shaped Donald Trump's Victory In US President Election
Barron Trump: The 'Sleeper Agent' Who Shaped Donald Trump's Victory In US President Election
Advertisement
ABP Premium

Videos

Nirmala Sitharaman Announces Game-Changing Collateral-Free Loan Scheme for MSMEsSIP Emerges as a Safe Investment Amidst Market Fluctuations | Paisa LiveTop Banks Offering 8.75% Interest for Senior Citizens: Here’s What You Need to Know!RBI Set to Make a Big Decision on Your EMI: What You Need to Know!

Photo Gallery

Embed widget