Thursday, June 8, 2023

An Android app secretly recorded audio from its users and it took Google a year to discover it

It took Google almost a year to unmask this app, which used malicious code to record audio through the microphone of Android phones without consent and send it to the attackers' servers. Its name is iRecorder – Screen Recorder, and the malicious behavior was discovered by ESET during an investigation led by Lukas Stefanko.

iRecorder – Screen Recorder wasn't always a Trojan horse. In fact, for almost a year after its launch in September 2021, it did exactly what it claimed: record the screen of Android phones. However, in an update released eleven months later, Stefanko detected the first insertion of malicious code. Since then, the app has been recording one minute of audio every 15 minutes and sending it to the attackers' servers.

It is not the first time that iRecorder – Screen Recorder has been the target of investigators. The first report of malicious code dates back to October 2022, when Igor Golovin, a security analyst, detected the presence of the AhMyth Trojan within the app. Since then, the developers had managed to avoid detection by Google and the Play Store, and even released a final update in February of this year.

Stefanko believes that this is a perfect demonstration of how a completely legitimate app can turn into a malicious one. Apparently, the time it has been on the market is irrelevant. Any developer could build up a sizeable user base with the application installed and take advantage of those users later. Of course, only after having obtained the permissions that will allow them to carry out their macabre plan.

Tens of thousands of Android users could have been victims of this application

ESET research confirms that iRecorder can record the audio surrounding the device and upload it to the attackers' servers every 15 minutes, but that is not all. It is also capable of uploading files with various extensions directly from the phone, from stored web pages to images, videos and various documents.
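The 15-minute upload cadence described above is something a defender can look for in per-app network logs. The following Python is an added example, not code from ESET or from the original article; the log format, the placeholder package names and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: per-app upload events (time, package, bytes sent), as a
# device firewall or MDM agent might export them. Package names are placeholders.
SAMPLE_LOG = """\
2023-05-01T10:00:05 com.example.screenrecorder 481200
2023-05-01T10:03:40 com.example.mail 10240
2023-05-01T10:15:02 com.example.screenrecorder 479800
2023-05-01T10:30:09 com.example.screenrecorder 482100
2023-05-01T10:41:17 com.example.mail 2048
2023-05-01T10:45:01 com.example.screenrecorder 480500
2023-05-01T11:00:07 com.example.screenrecorder 481900
2023-05-01T11:52:30 com.example.mail 51200
"""

def parse(log):
    """Yield (datetime, package, bytes) from whitespace-separated lines."""
    for line in log.splitlines():
        if line.strip():
            ts, pkg, size = line.split()
            yield datetime.fromisoformat(ts), pkg, int(size)

def periodic_uploaders(log, period_s=900, tolerance_s=60, min_gaps=3, ratio=0.8):
    """Return {package: matching_gap_count} for apps whose uploads recur
    about every period_s seconds (default 900 s = 15 minutes)."""
    times = defaultdict(list)
    for ts, pkg, _ in parse(log):
        times[pkg].append(ts)
    flagged = {}
    for pkg, stamps in times.items():
        stamps.sort()
        # Seconds between consecutive uploads from the same app.
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        hits = sum(abs(g - period_s) <= tolerance_s for g in gaps)
        # Require enough observations and a high share of on-period gaps.
        if len(gaps) >= min_gaps and hits / len(gaps) >= ratio:
            flagged[pkg] = hits
    return flagged

if __name__ == "__main__":
    for pkg, hits in periodic_uploaders(SAMPLE_LOG).items():
        print(f"{pkg}: {hits} upload gaps of ~15 minutes")
```

A screen recorder that uploads on a fixed timer while the user is not recording is worth a closer look, since the app's stated function gives no reason for it.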

How did they build such a multifaceted piece of malware? According to the research, the behavior of this code is based on AhMyth RAT (Remote Access Trojan), which is specifically designed for Android. In addition, the developers customized their own version of the malware, naming it AhRAT.

Many know that giving an app access to the microphone or to files on the device is not recommended. That is why Android software dedicated to screen recording was the perfect cover to avoid attracting attention. Once the app was installed, the developers could deploy the malicious code without having to request extra permissions.

Upon installation of the malicious app, it behaved like a standard app without any special requests for additional permissions that might have revealed its malicious intent.

Lukas Stefanko

To alleviate the problem, at least in part, Google is working on an update that will notify users, on a monthly basis, of which apps have changed their data-sharing practices and on what dates they started doing so. As long as Google is able to detect the change, of course.

Fortunately, Google has already removed iRecorder – Screen Recorder from its Android app store. However, by the time it did so, the app had already accumulated more than 50,000 downloads, so the magnitude of this security breach has important consequences.

People who have never installed the app on their Android device have nothing to worry about. Those who still have it installed are advised to remove it immediately.
