Malicious behavior started almost one year after the launch of the app; experts pointed out that this is unusual
A popular app called iRecorder – Screen Recorder has become a headache for its user base. That’s because ESET’s research team discovered that a recent update implemented malicious functionality in the program. As a consequence, the software was removed from Google Play following reports from the digital security company.
When it was uploaded to the Google platform on September 19, 2021, the app had no malicious functionality. However, as of August 2022, the update to version 1.3.8 added malicious functionality to iRecorder – Screen Recorder, according to ESET.
After becoming a “trojanized application”, as the digital security company called it, the program began to exhibit behavior “which involves the extraction of microphone recordings and theft of files with specific extensions”.
It’s a screen recorder for Android, but it can also record ambient audio through the microphone. Furthermore, it can extract files with extensions representing saved web pages, images, audio, video, and documents.
According to experts, this indicates involvement in an espionage campaign.
iRecorder – Screen Recorder has more than 50 thousand downloads on the Google Play platform. The malware was named “AhRat” because it is based on the “AhMyth” remote access trojan.
App recorder – Screen Recorder (Image: Disclosure / ESET)
Behavior is out of the ordinary
ESET experts stated that it is very rare for a developer to release legitimate software and wait almost a year to add malware code to it.
Usually, applications do not take long to receive malicious functionality, which immediately reveals the intent of those who produced them. However, Google Play has recently removed several legitimate programs that were given various viruses, data collection, and fraud functions.
Another curious point is that the digital security company says it has not detected AhRat in any other software. This means it is possible that the scammers created the malicious code specifically for this app.
However, professionals said they were unable to attribute the virus to any specific group of criminals. Finally, the developer of iRecorder – Screen Recorder offers other applications, but they do not contain the malware code.