Be careful if you have installed iRecorder on your Android smartphone! A security researcher discovered that this app was infected with malware that regularly eavesdrops on users without their knowledge. Very worrying…

The story is not trivial. It is, however, true. And above all it is worrying, because it could foreshadow a new generation of particularly insidious computer threats. Lukas Stefanko, a security researcher working at ESET Research within the Google App Defense Alliance, discovered that an Android app was spying on its users through their smartphone’s microphone. Annoying and dangerous, but not exceptional. Except that the app in question was not intrusive at all to begin with: as the expert explains in his blog post published on May 23, 2023, it was compromised by an update in August 2022, well after its initial release! And it was this update that quietly introduced spyware onto the devices!

iRecorder: an app compromised by an update

The app in question is iRecorder, a useful and seemingly innocuous tool that records on video what is displayed on the smartphone screen. Convenient for “filming” a procedure or a game, for example. It worked normally for months after its initial release in September 2021, but it completely, and discreetly, changed its behavior after an update in the summer of 2022. And for good reason: the new version, numbered 1.3.8, introduced very dangerous malware. “The malicious code that has been added to the clean version of iRecorder is based on the open source AhMyth Android RAT (remote access Trojan) and has been customized into what we have named AhRat,” explains the researcher.

This malware does all the more damage because the original, harmless application had requested numerous permissions when it was first installed. Those permissions gave access to a wide range of information, including personal files and the device’s microphone. Like a sleeper agent who stays discreet before going into action, iRecorder thus woke up, exfiltrating confidential data and also listening to its users through the microphone of their smartphone! Lukas Stefanko and his ESET colleagues discovered that the application recorded one minute of sound every fifteen minutes, with the audio and other stolen information sent very discreetly to mysterious servers. Scary!

iRecorder: one minute of sound recorded every quarter of an hour!

“AhRat’s malicious behavior, which includes recording audio using the device’s microphone and stealing files with specific extensions, may indicate that it was part of a spy campaign,” says the researcher in his blog post. “We have not yet found concrete evidence that would allow us to attribute this activity to any particular campaign or hacker group,” he regrets.
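As an added illustration (not code from ESET's research or from the app itself), the Python sketch below flags apps whose background microphone sessions recur on a fixed schedule, which is the one-minute-every-fifteen-minutes pattern described above. The log format, package names and thresholds are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (not real telemetry): time, package, seconds recorded, app state.
SAMPLE_LOG = """\
2023-05-20T10:00:05 com.example.screenrec 60 background
2023-05-20T10:07:40 com.example.voicenotes 212 foreground
2023-05-20T10:15:04 com.example.screenrec 61 background
2023-05-20T10:30:06 com.example.screenrec 60 background
2023-05-20T10:45:05 com.example.screenrec 59 background
2023-05-20T11:02:10 com.example.voicenotes 35 foreground
2023-05-20T11:00:04 com.example.screenrec 60 background
"""


def parse_events(text):
    """Group (start_time, duration_s) by package, keeping background sessions only."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        stamp, package, seconds, state = parts
        if state == "background":
            sessions[package].append((datetime.fromisoformat(stamp), int(seconds)))
    return sessions


def find_periodic_recorders(text, min_sessions=4, max_jitter_s=30, max_len_spread_s=10):
    """Return {package: (period_s, typical_len_s)} for apps recording on a fixed schedule."""
    flagged = {}
    for package, items in parse_events(text).items():
        if len(items) < min_sessions:
            continue  # too few sessions to call it a schedule
        items.sort()  # events may arrive out of order
        starts = [start for start, _ in items]
        lengths = [length for _, length in items]
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        period = median(gaps)
        regular = all(abs(gap - period) <= max_jitter_s for gap in gaps)
        uniform = max(lengths) - min(lengths) <= max_len_spread_s
        if regular and uniform:
            flagged[package] = (round(period), round(median(lengths)))
    return flagged


if __name__ == "__main__":
    print(find_periodic_recorders(SAMPLE_LOG))
```

A legitimate recorder used in the foreground, or one with irregular session times, is not flagged; only a fixed cadence of same-length background recordings is.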

Obviously, iRecorder was removed from the Play Store as soon as Google was informed of the situation, and there is no longer any risk of downloading this infected application, which had nevertheless been installed by some 50,000 people worldwide. However, the extent of the damage to the victims is unknown, as is the intention of the hackers who devised this diabolical scheme. One thing is certain: you should always be wary of applications that claim more permissions than necessary when installing them. And favor recognized and reputable apps on online stores such as the Play Store, which regularly hosts infected apps despite the filtering and verification measures taken by Google. But the most disturbing part of this astonishing story is seeing that an originally harmless app can turn into a formidable spy after a routine update. We can fear the worst if other hackers use this pernicious method with popular apps…


