Data Stealing Malware Discovered in Popular Android Screen Recorder App

May 24, 2023 | Ravi Lakshmanan | Mobile Security / Data Safety

Google has removed a screen recording app named “iRecorder – Screen Recorder” from the Play Store after it was found to have sneaky information-stealing capabilities almost a year after it was published as a harmless app.

This app (APK package name “com.tsoft.app.iscreenrecorder”) has over 50,000 installs and was first uploaded on September 19, 2021. The malicious functionality is believed to have been introduced in version 1.3.8, which was released on August 24, 2022.

“It’s rare for a developer to upload a legitimate app, wait nearly a year, and then update it with malicious code,” ESET security researcher Lukas Stefanko said in a technical report.

“The malicious code added to the clean version of iRecorder is based on the open source AhMyth Android RAT (Remote Access Trojan) and customized into what we named AhRat.”

iRecorder was first flagged as hiding the “AhMyth” trojan on October 28, 2022, by Kaspersky security analyst Igor Golovin, which indicates that the app remained accessible all this time and received a new update as recently as February 26, 2023.

The application’s malicious behavior includes, among other things, the extraction of microphone recordings and the collection of files with certain extensions, and ESET describes AhRat as a lightweight version of AhMyth.

Data collection characteristics indicate a possible motive for espionage, but there is no evidence linking the activity to known threat actors. However, AhMyth has previously been used by the Transparent Tribe in attacks targeting South Asia.

iRecorder is the work of a developer named Coffeeholic Dev who has released several other apps over the years. None are accessible at the time of writing:

  • iBlock (com.tsoft.app.iblock.ad)
  • iCleaner (com.isolate.icleaner)
  • iEmail (com.tsoft.app.email)
  • iLock (com.tsoft.app.ilock)
  • iVideoDownload (com.tsoft.app.ivideodownload)
  • iVPN (com.ivpn.speed)
  • File Speaker (com.teasoft.filespeaker)
  • QR Saver (com.teasoft.qrsaver)
  • Hot news and cold news in Vietnamese (com.teasoft.news)

This development is just the latest example of malware employing a technique called versioning. Versioning refers to uploading a clean version of an app to the Play Store to build trust among users, and then adding malicious code at a later stage through app updates, in an attempt to slip past the app review process.

“AhRat’s case study is a great example of how an initially legitimate application can turn into a malicious application, even after months of use, to spy on users and compromise their privacy,” said Stefanko.
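As an added example (not from the article or from ESET's report), the Python sketch below triages a device app inventory against the package names listed above and the 1.3.8 version threshold. The inventory format, the verdict labels and the sample rows are assumptions constructed for illustration.

```python
import re

# Package names and the 1.3.8 threshold come from the article; the inventory
# format ("device package versionName" per line) is an assumption of this example.
TROJANIZED = "com.tsoft.app.iscreenrecorder"
FIRST_BAD = (1, 3, 8)  # malicious code believed introduced in version 1.3.8
SAME_DEVELOPER = {  # other apps by the same developer; not reported as malicious
    "com.tsoft.app.iblock.ad", "com.isolate.icleaner", "com.tsoft.app.email",
    "com.tsoft.app.ilock", "com.tsoft.app.ivideodownload", "com.ivpn.speed",
    "com.teasoft.filespeaker", "com.teasoft.qrsaver", "com.teasoft.news",
}

def parse_version(text):
    """'1.3.8' -> (1, 3, 8); None when a dotted part has no leading digits."""
    nums = [re.match(r"\d+", p) for p in text.strip().split(".")]
    return None if None in nums else tuple(int(m.group()) for m in nums)

def classify(package, version_text):
    """Verdict for one installed package (labels are this example's own)."""
    if package in SAME_DEVELOPER:
        return "same-developer"
    if package != TROJANIZED:
        return "ok"
    version = parse_version(version_text)
    if version is None:
        return "unknown-version"  # cannot rule out a build from 1.3.8 onward
    return "ahrat-era" if version >= FIRST_BAD else "pre-1.3.8"

def triage(inventory):
    """Return (device, package, verdict) for every row that needs attention."""
    findings = []
    for line in inventory.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        version = fields[2] if len(fields) > 2 else ""
        verdict = classify(fields[1], version)
        if verdict != "ok":
            findings.append((fields[0], fields[1], verdict))
    return findings

# Constructed sample inventory (not real devices).
SAMPLE = """\
# device package versionName
dev-01 com.android.chrome 113.0.5672.76
dev-02 com.tsoft.app.iscreenrecorder 1.3.10
dev-03 com.tsoft.app.iscreenrecorder 1.2.9
dev-04 com.teasoft.qrsaver 2.0
dev-05 com.tsoft.app.iscreenrecorder
"""
```

Version strings are compared numerically per component, so 1.3.10 is correctly treated as newer than 1.3.8, which a plain string comparison would get wrong.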
