A popular screen-recording Android app started secretly recording its users
![](https://www.ssls.com/blog/wp-content/uploads/SSL_Blog_secretly-recording.png)
The longtime best practice for anyone installing apps on their devices is to get them only from official stores like Google Play or the iOS App Store. Those stores vet submissions and generally keep malicious apps from being listed. That doesn't mean bad apps never slip through the cracks, and it doesn't mean a once-legitimate app can't have malicious code added in a later update.
In this case the app was iRecorder — Screen Recorder, which was found to be secretly recording its users' audio and collecting files from their phones. It had been downloaded more than 50,000 times before Google removed it from the Play Store after security researchers reported the malicious code. The developer, who publishes under the name "Coffeholic Dev," has other apps in Google Play, but none of them has been found to contain malicious code. Researchers are advising anyone who installed iRecorder to delete it immediately, to be careful about what they install from the Play Store, and to stick to trusted developers.
In addition to deleting the iRecorder app, users can take these steps to protect their privacy:
- Keeping their devices up to date with the latest security patches.
- Using a strong password and enabling two-factor authentication for their Google accounts.
- Being careful about what apps they install and what permissions they grant, and periodically reviewing which installed apps still hold microphone, camera, and storage access.
- Using a security app to scan their devices for malware, and keeping Google Play Protect turned on.
These steps reduce the risk from malicious apps like iRecorder — Screen Recorder, though deleting the app only stops further collection; audio and files it has already uploaded cannot be recalled.
ESET's research lays out the timeline. The seemingly innocuous recording app first appeared in the Google Play Store on September 19, 2021, and reached more than 50,000 installs before it was pulled. The malicious functionality was most likely added in August 2022, just under a year after the app was first listed.
Spying on users
At first, the app only did what it advertised: it let users record their screens. After the malicious update, every 15 minutes the app recorded a minute of surrounding audio from the device's microphone and uploaded it to the attacker's server. Beyond the audio recordings, the app could also exfiltrate certain documents, saved web pages, images, and videos from victims' phones.
Because the exfiltration targeted files with specific extensions, the ESET researchers believe the app may have been part of an espionage campaign, but they have not attributed it to a particular group. It is also unclear whether the original developer shipped the malicious update or another party hijacked the app. After discovering the app and its behaviour in March 2023, ESET notified Google, and it was promptly removed from the Play Store.
More about the malicious code
The legitimate app was turned malicious by code based on the open-source AhMyth Android RAT (remote access trojan); ESET researchers call this variant AhRat. A RAT gives its operator remote access to a victim's device so it can be controlled or surveilled. Typical capabilities include recording audio and stealing files, as happened here, as well as tracking the device's location, taking pictures, and sending SMS messages. AhRat did none of the latter. A screen recorder that captures audio already needs microphone access, and saving recordings already needs storage access, so the spying stayed within permissions the user had legitimately granted and never triggered a new permission prompt, which kept it from raising suspicion.
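The point above, that the spyware needed no permission the screen recorder did not already hold, is something you can check for any installed app. The following script is an added example written for this page, not code from ESET or from the iRecorder app: it parses the output of `adb shell dumpsys package <pkg>` for granted permissions and flags the microphone-plus-storage-plus-network combination that lets an app capture audio and files and upload them without any further prompt. The package name, version strings and the `dumpsys` sample are constructed placeholders that approximate the real output layout; the risk rule is this editor's, not ESET's.

```python
"""
Audit an Android app's granted permissions from `adb shell dumpsys package <pkg>`.

A screen recorder legitimately holds microphone and storage access, so spyware
hidden in an update needs no new permission prompt. This flags that combination
so you know which installed apps could be abused the same way.
"""
import re
from typing import Dict, List

# Android permission identifiers that together allow silent audio capture
# and upload. The grouping is an editorial risk model, not an ESET finding.
MIC = "android.permission.RECORD_AUDIO"
NET = "android.permission.INTERNET"
STORAGE = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
}

# Constructed sample approximating the layout of `dumpsys package` output.
# The package name, hashes and timestamps are placeholders, not the real app's.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.screenrec] (3f2a1b):
    userId=10231
    versionName=1.3.8
    firstInstallTime=2021-09-19 10:02:11
    lastUpdateTime=2022-08-24 18:40:03
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.FOREGROUND_SERVICE: granted=true
    User 0: ceDataInode=0 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET|USER_FIXED ]
"""

# Matches both install-time and runtime permission lines: "<name>: granted=<bool>".
_PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)", re.M)


def granted_permissions(dumpsys_text: str) -> Dict[str, bool]:
    """Map every permission that carries a granted= flag to its current state."""
    return {name: state == "true" for name, state in _PERM_LINE.findall(dumpsys_text)}


def silent_spy_capable(perms: Dict[str, bool]) -> bool:
    """True when the app can record audio, read user files and reach the network
    without asking the user for anything further."""
    has_storage = any(perms.get(p, False) for p in STORAGE)
    return perms.get(MIC, False) and perms.get(NET, False) and has_storage


def audit(dumpsys_text: str) -> List[str]:
    """Human-readable permission list, with a warning line appended if the
    silent-spying combination is fully granted."""
    perms = granted_permissions(dumpsys_text)
    findings = [f"{p}: {'granted' if g else 'denied'}" for p, g in sorted(perms.items())]
    if silent_spy_capable(perms):
        findings.append("WARNING: microphone + storage + network all granted; "
                        "a malicious update could spy without a new permission prompt")
    return findings


if __name__ == "__main__":
    # Live use: adb shell dumpsys package com.example.screenrec | python audit.py
    # With no piped input the constructed sample is audited instead.
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    print("\n".join(audit(text)))
```

If the warning fires for an app you rarely use, `adb shell pm revoke <pkg> android.permission.RECORD_AUDIO` withdraws the microphone grant without uninstalling, and `adb shell pm uninstall <pkg>` removes the app outright; both are standard `pm` subcommands, and the same controls are available in the device's Settings under Apps and Permissions.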
Preventative measures
It is certainly troubling for users that a once-legitimate app from an official store can turn malicious later. Android does offer partial mitigations. Android 11 introduced automatic permission resets for apps that go unused for several months, and Android 12 extended this into app hibernation, which also clears the app's cache and stops it from running in the background. Neither helps with an app the victim keeps using, as a screen recorder typically is, so they would not have stopped AhRat. More useful here are the privacy indicators added in Android 12: a green dot appears in the status bar whenever an app uses the microphone, and the Privacy Dashboard shows which app used it and when, so a recorder waking up every 15 minutes leaves a visible trail. Google is also working on sending users monthly updates about apps that have changed their data-sharing practices.