The longtime best practice for anyone using apps on their devices is to only download them from official stores like Google Play or the iOS App Store. Official stores have means to generally prevent malicious apps from being listed. Though, that doesn’t mean bad apps never slip through the cracks. It also doesn’t mean that a once legitimate app can’t subsequently have malicious code added to it down the line.
This is what happened with an Android app called “iRecorder — Screen Recorder,” according to research from ESET. The seemingly innocuous recording app first appeared in the Google Play Store on September 19th, 2021, and had over 50,000 installs before it was pulled from the app store. Malicious functionality was likely added just under a year after it was first listed, in August 2022.
Spying on users
At first, the app only did what it advertised: provide a means for users to record their screens. However, with the malicious update, every 15 minutes, the app began recording surrounding audio from the device’s microphone and uploading it to the malicious actor’s server. In addition to the audio recordings, the app was also able to exfiltrate certain documents, saved web pages, images, and videos from victims’ phones.
Because these files had specific extensions, the ESET researchers believe that the app may have been a part of an espionage campaign, but they haven’t identified a particular malicious group that owned the app. It also isn’t clear whether the developer made the malicious update or if another group hijacked the app. Upon discovering the app and its dubious activities in March 2023, ESET notified Google, and it was promptly removed from the Play Store.
More about the malicious code
The legitimate app was made malicious by a code based on the open-source AhMyth Android RAT (remote access trojan). ESET researchers call it AhRat. Malicious actors can use RATs to access a victim’s device and remotely control or surveil it. Potential negative functions can include recording and stealing files from the victim, such as in this case, as well as tracking the device’s location, taking pictures, and sending SMS messages. AhRat did not take any of the latter actions, suggesting it only functioned within the predefined permissions of the app to avoid suspicion.
Preventative measures
It’s certainly problematic to users that a once legitimate app from an official app store can turn malicious down the line. How can you secure yourself against something that shouldn’t be permitted to happen? Fortunately, Android 11 and higher has implemented App hibernation, which puts apps that have been dormant for several months into a hibernation state, resetting their permissions and protecting users from potential malicious changes. Google is also working on sending monthly updates to users regarding apps that have changed their data-sharing practices.
Cora is a digital copywriter for SSLs.com. Having eight years of experience in online content creation, she is a versatile writer with an interest in a wide variety of topics, ranging from technology to marketing.