Over the years, Google has strengthened its defenses and put up guardrails to protect its Android ecosystem from malware and other malicious apps. Despite its best efforts, a harmful app often manages to get past those defenses and reach unsuspecting users. In another such incident, security researchers have discovered that an Android app turned malicious almost a year after it was rolled out through Google’s Play Store.
An Android app dubbed ‘iRecorder – Screen Recorder’ started collecting user data without users’ explicit permission nearly a year after it was launched on the Play Store without any malicious code, according to security researchers at ESET (via The Verge). Researchers say that the app appeared on the Play Store on September 19, 2021. Almost a year later, in August 2022, the app’s developers rolled out version 1.3.8 of the app, after which the malicious behavior started.
What does the app do?
Researchers say that in addition to providing legitimate screen recording functionality, the malicious iRecorder app can record ambient audio from the phone’s microphone and upload it to the attacker’s command and control (C&C) servers. It can also upload files from the device: saved web pages, images, audio, video and document files, and files with extensions representing file formats used to compress multiple files.
“The app’s specific malicious behavior – exfiltrating microphone recordings and stealing files with specific extensions – suggests it is part of an espionage campaign. However, we were unable to attribute the app to any specific malicious group,” the researchers wrote in a blog post.
But what about malicious behavior?
As mentioned earlier, when the app was launched it did not contain any malicious code. About a year after its rollout, the developers injected malicious code into the app, which is when things went wrong. The added code was based on the open-source AhMyth Android RAT (Remote Access Trojan); the researchers named the resulting variant AhRat.
The original Trojan, the AhMyth RAT, is capable of exfiltrating call logs, contacts and text messages, obtaining a list of files on the device, tracking device location, sending SMS messages, recording audio and taking pictures. By extension, AhRat also came with similar abilities.
The researchers note that such permissions would normally raise suspicion for an app. However, they fit what any screen recording app is expected to request. So when the developers added the malicious code, the app didn’t require any additional permissions.
“Upon installation of a malicious app, it behaves as a standard app without any special additional permission requests that might reveal its malicious intentions,” the researchers said.
If all of that wasn’t enough to scare you, there’s more. The researchers said that the AhRat Trojan pinged the C&C servers every 15 minutes, requesting a new configuration file. Simply put, the malicious app pings the developers with users’ personal information every 15 minutes.
Upon analysis, the researchers found that the Trojan was sending files representing web pages, images, audio, video and document files, and file formats used to compress multiple files, to its developers. The extensions include zip, rar, jpg, jpeg, jpe, jif, jfif, jfi, png, mp3, mp4, mkv, 3gp, m4v, mov, avi, gif, webp, tiff, tif, heif, heic, bmp, dib, svg, ai, eps, pdf, doc, docx, html, htm, odt, pdf, xls, xlsx, ods, ppt, pptx, and txt. That’s a lot of information.
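A fixed 15-minute check-in like the one described above is something defenders can look for in proxy or DNS logs. The sketch below is an added example, not code from ESET or from this article; the log format, device and host names and thresholds are assumptions, and it flags any near-constant interval rather than only 15 minutes.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines (timestamp, device, destination host); not real traffic.
SAMPLE_LOG = """\
2023-05-01T10:00:02 phone-a c2.example.invalid
2023-05-01T10:03:40 phone-a cdn.example.org
2023-05-01T10:15:01 phone-a c2.example.invalid
2023-05-01T10:04:10 phone-a cdn.example.org
2023-05-01T10:30:05 phone-a c2.example.invalid
2023-05-01T10:45:03 phone-a c2.example.invalid
2023-05-01T11:00:02 phone-a c2.example.invalid
2023-05-01T10:50:00 phone-a cdn.example.org
2023-05-01T11:20:00 phone-a cdn.example.org
"""

def find_beacons(log_text, min_events=4, max_jitter=0.05):
    """Return {(device, host): period_seconds} for connections at a near-fixed interval."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, device, host = parts
        try:
            seen[(device, host)].append(datetime.fromisoformat(ts))
        except ValueError:
            continue  # skip lines with an unparseable timestamp
    beacons = {}
    for key, times in seen.items():
        if len(times) < min_events:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        # Every gap must lie within max_jitter of the median period.
        if all(abs(g - period) <= max_jitter * period for g in gaps):
            beacons[key] = round(period)
    return beacons

if __name__ == "__main__":
    for (device, host), period in find_beacons(SAMPLE_LOG).items():
        print(f"{device} -> {host}: every ~{period / 60:.0f} min")
```

A single missed check-in doubles one gap and makes this strict check skip the pair, so real deployments usually tolerate a few outliers before deciding.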
What is Google doing about it?
ESET researchers flagged the app’s malicious behavior to Google, after which it removed the app from the Play Store. However, by then the app had been downloaded over 50,000 times.
How can I protect myself?
If you have not downloaded this app then there is nothing to worry about. However, if you have downloaded this app, it is advised that you uninstall and delete it from your smartphone now.
The post Rogue Screen Recorder App Found Spying on Android Users: How to Protect Yourself appeared first on Techlusive.