An app that had more than 50,000 downloads from Google Play surreptitiously recorded nearby audio every 15 minutes and sent it to the app developer, a researcher from security firm ESET said.
The app, titled iRecorder Screen Recorder, started life on Google Play in September 2021 as a benign app that allowed users to record the screens of their Android devices, ESET researcher Lukas Stefanko said in a post published on Tuesday. Eleven months later, the legitimate app was updated to add entirely new functionality. It included the ability to remotely turn on the device mic and record sound, connect to an attacker-controlled server, and upload the audio and other sensitive files that were stored on the device.
Surreptitious recording every 15 minutes
The secret espionage functions were implemented using code from AhMyth, an open source RAT (remote access Trojan) that has been incorporated into several other Android apps in recent years. Once the RAT was added to iRecorder, all users of the previously benign app received updates that allowed their phones to record nearby audio and send it to a developer-designated server through an encrypted channel. As time went on, code taken from AhMyth was heavily modified, an indication that the developer became more adept with the open source RAT. ESET named the newly modified RAT in iRecorder AhRat.
Stefanko installed the app repeatedly on devices in his lab, and each time, the result was the same: The app received an instruction to record one minute of audio and send it to the attacker’s command-and-control server, also known colloquially in security circles as a C&C or C2. Going forward, the app would receive the same instruction every 15 minutes indefinitely. In an email, he wrote:
During my analysis, AhRat was actively capable of exfiltrating data and recording the microphone (a couple of times I removed the app and reinstalled it, and the app always behaved the same).
Data exfiltration is enabled based on the commands in [a] config file returned from [the] C&C. During my analysis, the config file always returned the command to record audio which means [it] turned on the mic, captured audio, and sent it to the C2.
It happened constantly in my case, since it was conditional on the commands that were received in the config file. The config was received every 15 minutes and the record duration was set to 1 minute. During analysis, my device always received commands to record and send mic audio to the C2. It occurred 3-4 times, then I stopped the malware.
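The polling cycle described above (a config fetched from the C2 every 15 minutes, a one-minute recording, then an upload of the audio) leaves a strongly periodic footprint in device telemetry. The following Python detector is an added example, not code from ESET or from the article; the log format, package names and hosts are constructed, and it flags any package whose microphone activations recur on a fixed schedule with an upload to one server in every cycle.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed audit-log lines (not telemetry from the real app): "<ISO ts> <package> <event> [<host>]"
SAMPLE_LOG = """
2023-05-23T10:00:02 com.example.screenrec mic_on
2023-05-23T10:01:05 com.example.screenrec upload c2.example.invalid
2023-05-23T10:03:40 com.example.messenger upload chat.example.invalid
2023-05-23T10:15:01 com.example.screenrec mic_on
2023-05-23T10:16:04 com.example.screenrec upload c2.example.invalid
2023-05-23T10:22:10 com.example.voicememo mic_on
2023-05-23T10:30:03 com.example.screenrec mic_on
2023-05-23T10:31:07 com.example.screenrec upload c2.example.invalid
2023-05-23T10:45:02 com.example.screenrec mic_on
2023-05-23T10:46:05 com.example.screenrec upload c2.example.invalid
""".strip().splitlines()

def parse_log(lines):
    """Return (timestamp, package, event, host) tuples; host is '' when absent."""
    out = []
    for line in lines:
        parts = line.split()
        out.append((datetime.fromisoformat(parts[0]), parts[1], parts[2],
                    parts[3] if len(parts) > 3 else ""))
    return out

def find_periodic_mic_exfil(events, period=timedelta(minutes=15),
                            tolerance=timedelta(minutes=1), min_cycles=3):
    """Return {package: host} for apps whose mic use recurs every ~period with an upload each cycle."""
    by_pkg = defaultdict(list)
    for ev in sorted(events):
        by_pkg[ev[1]].append(ev)
    findings = {}
    for pkg, evs in by_pkg.items():
        mic_on = [ts for ts, _, kind, _ in evs if kind == "mic_on"]
        if len(mic_on) < min_cycles:
            continue
        gaps = [b - a for a, b in zip(mic_on, mic_on[1:])]
        if not all(abs(g - period) <= tolerance for g in gaps):
            continue  # mic use is not on a fixed schedule
        hosts = set()
        for i, start in enumerate(mic_on):
            end = mic_on[i + 1] if i + 1 < len(mic_on) else start + period
            h = {host for ts, _, kind, host in evs
                 if kind == "upload" and start <= ts < end}
            if not h:
                break  # a recording cycle with no upload: not this pattern
            hosts |= h
        else:
            if len(hosts) == 1:  # every cycle shipped data to one server
                findings[pkg] = hosts.pop()
    return findings
```

A one-off voice memo or an app that uploads without touching the microphone is ignored, so the rule keys on the combination of cadence, mic use and a single fixed destination rather than on any one of them.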
Malware-laced apps available on Google's servers are hardly new. Google doesn't comment when malware is discovered on its platform beyond thanking the outside researchers who found it and saying the company removes malware as soon as it learns of it. The company has never explained what causes its own researchers and automated scanning process to miss malicious apps discovered by outsiders. Google has also been reluctant to actively notify Play users once it learns they were infected by apps promoted and made available by its own service.
What is more unusual in this case is the discovery of a malicious app that actively records such a wide base of victims and sends their audio to attackers. Stefanko said it's possible that iRecorder is part of an active espionage campaign, but so far, he has been unable to determine if that's the case.
“Unfortunately, we don’t have any evidence that the app was pushed to a particular group of people, and from the app description and further research (possible app distribution vector), it isn’t clear if a specific group of people was targeted or not,” he wrote. “It seems very unusual, but we don’t have evidence to say otherwise.”
RATs give attackers a secret backdoor on infected platforms so they can go on to install or uninstall apps, steal contacts, messages, or user data, and monitor devices in real time. AhRat isn’t the first such Android RAT to use the open source code from AhMyth. In 2019, Stefanko reported finding an AhMyth-implemented RAT in Radio Balouch, a fully working streaming radio app for enthusiasts of Balochi music, which hails from southeastern Iran. That app had a significantly smaller install base of just 100-plus Google Play users.
A prolific threat group that has been active since at least 2013 has also used AhMyth to backdoor Android apps that targeted military and government personnel in India. There’s no indication that the threat group—tracked by researchers under the names Transparent Tribe, APT36, Mythic Leopard, ProjectM, and Operation C-Major—ever spread the app through Google Play, and the infection vector remains unclear.