A popular Android app started secretly spying on its users months after it was approved on Google Play


By Webdesk


A cybersecurity company says a popular Android screen recording app that accumulated tens of thousands of downloads on Google’s app store later began spying on its users, including stealing microphone recordings and other documents from the user’s phone.

ESET’s investigation revealed that the Android app, “iRecorder — Screen Recorder”, introduced the malicious code as an app update almost a year after it was first listed on Google Play. According to ESET, the code allowed the app to stealthily upload a minute of ambient sound every 15 minutes from the device’s microphone, and exfiltrate documents, web pages and media files from the user’s phone.

The app is no longer listed in Google Play. If you have installed the app, you should uninstall it from your device. By the time the malicious app was pulled from the app store, it had already been downloaded more than 50,000 times.

ESET calls the malicious code AhRat, a modified version of an open-source remote access trojan called AhMyth. Remote access trojans (or RATs) take advantage of broad access to a victim’s device and can often include remote control, but also operate similarly to spyware and stalkerware.


A screenshot of iRecorder listed in Google Play as it was cached in the Internet Archive in 2022. Image Credits: TechCrunch (screenshot)

Lukas Stefanko, a security researcher at ESET who discovered the malware, said in a blog post that the iRecorder app had no malicious features when it was first launched in September 2021.

After the malicious AhRat code was pushed as an app update to existing users (and to new users who would download the app directly from Google Play), the app began stealthily accessing the user’s microphone and uploading the user’s phone information to a server controlled by the malware’s operator. Stefanko said the audio recording “fits within the already defined app permissions model” as the app is designed by nature to capture the device’s screen recordings and would request access to the device’s microphone.

It’s not clear who planted the malicious code – whether the developer or someone else – or for what reason. TechCrunch has emailed the developer’s email address that was on the app’s listing before it was taken down, but hasn’t heard back yet.

Stefanko said the malicious code is likely part of a wider espionage campaign – where hackers collect information on targets of their choice – sometimes on behalf of governments or for financially motivated reasons. He said it’s “rare for a developer to upload a legitimate app, wait nearly a year, and then update it with malicious code.”

It’s not uncommon for bad apps to sneak into app stores, nor is it the first time AhMyth has sneaked into Google Play. Both Google and Apple screen apps for malware before offering them for download, and sometimes act proactively to pull apps when they could put users at risk. Last year, Google said it blocked more than 1.4 million privacy-violating apps from reaching Google Play.


