A malicious Android software that had been downloaded onto more than 50,000 devices was recently withdrawn from the Play Store by Google. The program was first released by the developer in 2021, and a year later it was infested with malicious code, said the security company that found the trojan. The program may also extract and upload content from users by looking for web page, audio, and video extension files. Users who downloaded the app must manually uninstall it from their devices even though the Play Store has withdrawn it.
Researchers from ESET claim that the iRecorder app was first submitted to the Play Store in September 2019 and that it did not contain any malicious functionality. A little over a year later, a variation of the open-source AhMyth Android RAT (remote access trojan) known as AhRat was found inside the app. Users would have the infected software on their smartphone if they upgraded the app or downloaded it for the first time after August 2022.
Over 50,000 people downloaded the iRecorder app from the Google Play store.
Screenshot courtesy of ESET
Although the app’s first release did not have any malicious functionality, ESET claims that a later update added code that enabled it to act maliciously, including recording background sounds and sound by using the phone’s microphone. The attacker might then upload these videos to their command-and-control (C&C) server. The software could also extract files with certain extensions, including compressed files, web pages, documents, music, video, and image files.
According to ESET experts, the AhMyth RAT is a very potent tool that can record audio, take pictures, track the location of the target device, and generate a list of all the files on the target smartphone in addition to exfiltrating text messages, call logs, and contacts from a user’s phone.
The researchers, who were unable to link the AhRat virus to any advanced persistent threat (APT) group, believe that the behavior of the software indicates that it may be deployed as part of an espionage campaign. ESET claims that APT36, also known as Transparent Tribe, a cyberespionage organization, had previously targeted military and governmental organizations in South Asia using the original open-source AhMyth RAT.
The iRecorder app was taken down from the Google Play market after ESET alerted Google to its harmful code. According to the listing at the time of its removal, the software has already been downloaded 50,000 times. The infected software must be manually uninstalled from devices by users who installed or updated the application after it became infected.
Leave a Reply