Android App Recorded Users Silently for Almost a Year
An application for Google’s Android platform has been discovered to have engaged in covert surveillance of users for nearly a year. Initially designed for screen recording purposes, the app surreptitiously captured audio and transmitted it to questionable destinations. Essential Security against Evolving Threats (ESET) researcher Lukas Stefanko revealed that the app had been available for download on the Google Play store since September 19, 2021. However, after an update in August 2022, the Android app, known as iRecorder – Screen Recorder, began recording one minute of audio every 15 minutes. These recordings were then sent to the developer’s server via an encrypted link. In a WeLiveSecurity blog post, Stefanko stated that the iRecorder app initially did not possess any malevolent characteristics.
It is exceedingly uncommon for a developer to release a legitimate Android app, await an extended duration, and subsequently introduce malicious code through an update. The malicious code, which was added to the clean version of iRecorder, is based on the open-source AhMyth Android RAT (remote access trojan) and has been tailored into a version called AhRat.
In addition to its screen recording capabilities, this Android recording app had the capacity to capture ambient audio via the device’s microphone and transmit it to the attacker’s command and control (C&C) server. Moreover, it could extract files with extensions related to saved web pages, images, audio, video, documents, and compressed file formats from the targeted device.
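
The upload cadence described above (one recording roughly every 15 minutes) is the kind of regularity a defender can look for in per-app network records. The following is an added example, not code from ESET's research or from the app: it flags app and destination pairs whose uploads arrive at a near-constant 15-minute interval. The log format, package names, hosts and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<timestamp> <package> <destination> <bytes_sent>" per line.
SAMPLE_FLOWS = """\
2024-01-01T10:00:05 com.example.recorder upload.example.net 481200
2024-01-01T10:00:00 com.example.mail sync.example.com 2100
2024-01-01T10:02:11 com.example.browser cdn.example.org 900
2024-01-01T10:03:40 com.example.browser cdn.example.org 1200
2024-01-01T10:05:00 com.example.mail sync.example.com 1800
2024-01-01T10:15:07 com.example.recorder upload.example.net 479800
2024-01-01T10:30:04 com.example.recorder upload.example.net 482050
2024-01-01T10:35:00 com.example.mail sync.example.com 2500
2024-01-01T10:40:00 com.example.mail sync.example.com 1900
2024-01-01T10:41:02 com.example.browser cdn.example.org 700
2024-01-01T10:45:09 com.example.recorder upload.example.net 480400
2024-01-01T10:58:30 com.example.browser cdn.example.org 1500
2024-01-01T11:00:00 com.example.mail sync.example.com 2200
2024-01-01T11:00:06 com.example.recorder upload.example.net 481900
2024-01-01T11:20:00 com.example.browser cdn.example.org 800
2024-01-01T10:00:00 com.example.weather api.example.io 300
2024-01-01T10:15:00 com.example.weather api.example.io 300
"""

def periodic_uploaders(text, period_s=900, tolerance_s=60,
                       max_jitter_s=30, min_events=4):
    """Return (package, host, mean_gap_seconds, events) for fixed-interval uploads."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, pkg, host, _size = line.split()
        flows[(pkg, host)].append(datetime.fromisoformat(ts))
    hits = []
    for (pkg, host), times in flows.items():
        if len(times) < min_events:      # too few samples to call it a pattern
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Mean gap must sit near the period AND the gaps must be steady:
        # bursty traffic can average 15 minutes without being periodic.
        if abs(mean(gaps) - period_s) <= tolerance_s and pstdev(gaps) <= max_jitter_s:
            hits.append((pkg, host, round(mean(gaps)), len(times)))
    return hits

if __name__ == "__main__":
    for hit in periodic_uploaders(SAMPLE_FLOWS):
        print(hit)
```

In the sample, the mail client also averages a 15-minute gap but is rejected by the jitter check, and the weather app is skipped because two events are too few to establish a pattern.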
The particular malicious actions of this Android app strongly suggest its involvement in an espionage campaign. Nevertheless, ESET was unable to identify a specific group associated with the program. Fortunately, iRecorder has now been removed from Google Play, and traces of the AhRat malware have not been discovered elsewhere.
However, this is not the first occurrence of AhMyth-based Android malware infiltrating Google Play. WeLiveSecurity previously published research on a trojanized app in 2019. During that time, the spyware managed to evade Google’s app-vetting process on two occasions by masquerading as a harmless radio streaming service. This incident emphasizes the need for caution, even when utilizing programs from official app stores.
The existence of fraudulent apps is not a novel phenomenon in either the Android or Apple App Stores. Among these, recorder apps have gained notoriety, often employing predatory subscription pricing models and resorting to fake reviews to bolster their visibility. The gradual transformation of apps into malicious entities presents a significant problem as they exploit the permissions granted to access sensitive information on users’ devices.
While the iRecorder Android app is no longer a cause for concern, the underlying question persists: what prevents another dormant agent from transforming your device into a surveillance tool? Fortunately, Google is taking measures to address this issue by developing updates that provide monthly notifications, alerting users to any changes in data-sharing practices implemented by apps.
These efforts are aimed at enhancing transparency and empowering users to remain informed about their apps’ behavior. In the meantime, to safeguard against spyware, it is advisable to regularly update your operating system and web browsers, ensuring you have the latest protection against threats. Install reputable antivirus and anti-spyware software on your devices and consistently perform scans to identify and eliminate any potential dangers.
By incorporating these practices into your digital routine, you can significantly reduce the risk of falling victim to Android app spyware and other malicious threats.