Google has removed a screen recording app called “iRecorder – Screen Recorder” from the Play Store after it was found to have quietly gained information-stealing capabilities nearly a year after it was first published as a harmless app.
The application (APK package name “com.tsoft.app.iscreenrecorder”), which has more than 50,000 installs, was first uploaded on September 19, 2021. Malicious functionality is believed to have been introduced in version 1.3.8, which was released on August 24, 2022.
“It’s rare for a developer to upload a legitimate app, wait almost a year, then update it with malicious code,” ESET security researcher Lukáš Štefanko said in a technical report.
“The malicious code added to the clean version of iRecorder is based on open source AhMyth Android RAT (remote access trojan) and has been customized into what we have named AhRat.”
iRecorder was first flagged as harboring the AhMyth trojan on October 28, 2022, by Kaspersky security analyst Igor Golovin, indicating that the app managed to remain available all this time and even received a new update on February 26, 2023.
The app’s malicious behavior specifically involves extracting microphone recordings and harvesting files with certain extensions, with ESET describing AhRat as a lite version of AhMyth.
The data collection characteristics suggest possible espionage motives, although there is no evidence linking the activity to any known threat actor. However, AhMyth has previously been employed by Transparent Tribe in attacks targeting South Asia.
iRecorder is the work of a developer named Kopiholic Developer, which has also released several other apps over the years. None of them are accessible at the time of writing –
- iBlock (com.tsoft.app.iblock.ad)
- iCleaner (com.isolate.cleaner)
- iEmail (com.tsoft.app.email)
- iLock (com.tsoft.app.ilock)
- iVideoDownload (com.tsoft.app.ivideodownload)
- iVPN (com.ivpn.speed)
- Speaker file (com.teasoft.filespeaker)
- QR saver (com.teasoft.qrsaver)
- Hot news and cold news in Vietnam (com.teasoft.news)
This development is just the latest example of malware adopting a technique called versioning, which refers to uploading a clean version of an app to the Play Store to build trust among users and then adding the malicious code at a later stage through app updates, after the app has already cleared the store’s review process.
“AhRat’s research case serves as a good example of how an initially legitimate application can turn malicious, even after months, spying on its users and compromising their privacy,” said Štefanko.