Google removes iRecorder - Screen Recorder App from Play Store: it secretly captured microphone recordings

Google has taken action to remove a screen recording app called iRecorder - Screen Recorder from its Play Store after discovering that the app had incorporated information stealing capabilities almost a year after its initial release as a seemingly innocent application.

The app was downloaded over 50,000 times since it was first uploaded on September 19, 2021. Suspicious activity was believed to have been introduced in version 1.3.8, which was released on August 24, 2022.

Lukáš Štefanko, a security researcher at ESET, commented on the unusual nature of the situation, stating, "It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code," as outlined in a technical report.

The malicious code integrated into the previously clean iRecorder app is based on the AhMyth Android RAT (remote access trojan), an open-source tool, and has been adapted and customized into a variant referred to as AhRat.

The presence of the AhMyth trojan in iRecorder was initially detected on October 28, 2022, by Igor Golovin, a security analyst at Kaspersky. This indicates that the app managed to evade detection for an extended period, even receiving an update as recent as February 26, 2023.

AhRat exhibits an insidious feature whereby it can capture ambient audio from the device's microphone every 15 minutes and upload it to the attacker's command and control (C&C) server. Out of the 18 capabilities identified, only six had been integrated into the app, indicating that AhRat was still a work in progress. It is possible that additional functionalities, such as keylogging, location tracking, and screen capturing, similar to those found in AhMyth, could have been incorporated at a later stage.

While the data gathering capabilities of the app suggest a potential motive of espionage, there is currently no evidence linking these activities to any known threat actors. However, it is worth noting that AhMyth has been previously employed by Transparent Tribe in targeted attacks across South Asia.

This recent incident underscores a growing trend in malware tactics known as "versioning." This technique involves uploading a clean and innocuous version of an app to an official app store to gain users' trust. Malicious code is then added through subsequent app updates, effectively bypassing the app review process.