Spotting a dodgy app on the Google Play Store can be hard enough, even with the efforts of Google Play Protect. But detecting when a previously legit app has turned bad? That’s almost impossible.
Thankfully, researchers at digital security firm ESET have been able to do just that, discovering a previously legitimate Android app, named iRecorder – Screen Recorder, which has become trojanized over the last year and now presents a serious threat to users.
Smelling AhRat
iRecorder – Screen Recorder, released in September of 2021, was initially found to be free of any malicious features. However, following an update that likely happened in August 2022, it was modified to include custom malicious code based on the open-source AhMyth Android RAT (remote access tool).
ESET researchers have labeled this highly-customized trojan “AhRat,” and have (as of yet) not found any replication of the code elsewhere on the Google Play Store. However, it’s not the first time that the firm has encountered AhMyth-based malware on the storefront — with a similar good-app-gone-bad security threat occurring in 2019 with the app Radio Balouch.
As a Google App Defense Alliance partner, ESET shared its findings with Google immediately ensuring that the iRecorder app was promptly removed from the store. That being said, the trojanized screen recording app remains a threat to any users that had already installed it on their devices.
How bad is it?
According to the apps Google Play page, iRecorder – Screen Recorder was installed over 50,000 times before Google pulled it from the storefront. How many of these users still have the app installed is unknown, however, its malicious code will remain active on their devices giving the authors access to personal and private information at will.
So just what can the AhRat malware do? Specific malicious behavior identified from the analyzed code confirms that the app was able to exfiltrate microphone recordings and steal files with specific extensions from the storage of the infected device — including picture, video, document, and web formats. The files would then be sent in 15-minute intervals to the attacker’s command and control (C&C) server, where they could be freely accessed.
A further twelve potential commands were found within the malicious code, though these appear to be dormant — potentially awaiting further updates for activation. Some of these commands included giving the infected app the ability to secretly record the victim’s screen, log keystrokes, steal SMS messages, and bypass permissions.
Outlook
If you are familiar with the iRecorder – Screen Recorder app or have it installed on your devices, you should remove it immediately. While Google has removed the software from its Play store, this app will likely still appear on third-party app stores — so be sure to avoid it at all costs.
One saving grace for phones running Android 11 and up comes from the operating system’s app hibernation feature. The feature places apps you haven’t used for a while into a hibernation state, restricting runtime permissions and effectively severing any dormant apps from continuing to run unseen in the background. However, if you’re an active user you should act fast.
The identification of RAT-like malware in Android apps is a prime reason why you should ensure your device is protected at all times. Any device that can connect to the internet is in some way vulnerable to malicious actors, which is why we’ve compiled a list of the best antivirus apps around to help keep your devices safe from intrusion.
In the meantime, if this news leaves you at a loss for safe ways to record your screen, simply check out our malware-free guides on how to screen record on Android devices, and how to screen record on iPhone and iPad devices.
Source link