Legitimate Android app transforms into data-snooping malware


ESET researchers have discovered a trojanised Android app named iRecorder – Screen Recorder. The app was first published on Google Play as a legitimate app in September 2021; the malicious functionality is believed to have been added in August 2022. The app has been installed on more than 50,000 devices, and the malicious code added to it is a remote access trojan that ESET has dubbed “AhRat”.

The malicious app can record audio using the device's microphone and steal files. ESET researchers, who had previously published research on the AhMyth Android RAT, have not detected AhRat anywhere in the wild other than Google Play. The remotely controlled AhRat is a customisation of the open-source AhMyth RAT, which means the authors of the malicious app invested significant effort into understanding the code of both the app and the back end and adapting it to their own needs.


In addition to the app's advertised screen-recording capability, the malicious version can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control (C&C) server. It can also exfiltrate files from the device whose extensions correspond to saved web pages, images, audio, video, documents, and archive formats used to compress multiple files.

ESET researchers have not yet found proof that the app developer intentionally embedded the malware in the app, having verified that other apps by the same developer are malware-free. They are certain that the threat actor's activity is part of an espionage campaign.

Versions of iRecorder earlier than the current 1.3.8 are not contaminated, and ESET researchers confirmed that they alerted Google, which has since taken the app down. Separately, security concerns with the Pinduoduo app led Google to suspend it from the Play Store early last month.

“Fortunately, preventive measures against such malicious actions have already been implemented in Android 11 and higher versions in the form of app hibernation. This feature effectively places apps that have been dormant for several months into a hibernation state, thereby resetting their runtime permissions and preventing malicious apps from functioning as intended,” explained ESET researcher Lukas Stefanko, who discovered and investigated the threat.