Initially, the iRecorder app did not have any harmful features. What is quite uncommon is that the application received an update containing malicious code many months after its launch.
The application’s specific malicious behaviour, which involves extracting microphone recordings and stealing files with specific extensions, potentially indicates its involvement in an espionage campaign.
Was the iRecorder app popular?
The malicious programme with over 50,000 downloads was removed from Google Play after an alert was raised following research into its activities. It was available on Google Play as a legitimate app in September 2021, with malicious functionality most likely added in August 2022.
During its existence, the application was installed on more than 50,000 devices. The malicious code that was added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote access trojan).
Besides the Google Play Store, research has not detected this malware anywhere else in the wild. However, this is not the first time that AhMyth-based Android malware has been available on the official store: in 2019, the spyware circumvented Google’s app-vetting process twice, posing as a malicious programme providing radio streaming. The iRecorder programme can also be found on alternative and unofficial Android markets, and the developer also provides other programmes on Google Play, but these don’t contain malicious code.
What do the experts say?
“The research case serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy”.
“While it is possible that the app developer had intended to build up a user base before compromising their Android devices through an update, or that a malicious actor introduced this change in the app, so far we have no evidence for either of these hypotheses,” explains researcher Lukas Stefanko, who discovered and investigated the threat.
“Fortunately, preventive measures against such malicious actions have already been implemented in Android 11 and higher versions in the form of hibernation. This feature effectively places apps that have been dormant for several months into a hibernation state, thereby resetting their runtime permissions and preventing malicious apps from functioning as intended”.
“The malicious programme was removed from Google Play after our alert, which confirms that the need for protection to be provided through multiple layers remains essential for safeguarding devices against potential security breaches,” concludes Stefanko.
What does research suggest?
The authors of the malicious app invested significant effort into understanding the code of both the programme itself and the back end, ultimately adapting it to suit their own needs. Aside from providing legitimate screen recording functionality, the malicious iRecorder can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control server.
It can also exfiltrate from the device files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files.
Android users who installed an earlier version of iRecorder (prior to version 1.3.8), which lacked any malicious features, would have unknowingly exposed their devices to malware if they subsequently updated the application either manually or automatically, without having to approve any further programme permissions.
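The point above is that an update can turn a previously vetted app malicious without any new permission prompt, because the runtime permissions (microphone, storage) were granted to the clean version. The script below is an added example, not ESET's or Radius's code, of the kind of audit a defender can run over the output of `adb shell dumpsys package <pkg>`: it parses install/update times and granted runtime permissions, flags third-party apps that hold sensitive permissions and whose code was replaced by an update long after the original install, and compares an installed version against the 1.3.8 threshold the article reports. The dumpsys excerpt is constructed (the field layout follows Android's dumpsys format, but the package names are placeholders, not the real app's identifier), and the 180-day threshold is an assumption.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Runtime permissions a silently pushed update could abuse without any new prompt,
# since they were granted to an earlier, clean version of the app.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_AUDIO",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
}

# Version from which the article reports the malicious code was present.
FIRST_MALICIOUS_VERSION = "1.3.8"

# Constructed sample in the shape of `adb shell dumpsys package <pkg>` output.
# Package names are placeholders; dates echo the article's timeline but are made up.
SAMPLE_DUMPSYS = """\
Package [com.example.irecorder] (a1b2c3):
    versionName=1.3.8
    firstInstallTime=2021-09-19 10:14:02
    lastUpdateTime=2022-08-26 18:51:37
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (d4e5f6):
    versionName=2.0.1
    firstInstallTime=2022-03-01 12:00:00
    lastUpdateTime=2022-03-15 09:30:00
    runtime permissions:
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
"""

PKG_HEADER = re.compile(r"^Package \[([\w.]+)\]", re.M)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class PackageInfo:
    name: str
    version: str
    first_install: datetime
    last_update: datetime
    granted: set = field(default_factory=set)


def parse_dumpsys(text: str) -> list:
    """Split dumpsys-package output into per-package records (field layout assumed)."""
    packages = []
    headers = list(PKG_HEADER.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[m.end():end]

        def grab(key: str) -> str:
            found = re.search(rf"{key}=([^\n]+)", block)
            return found.group(1).strip() if found else ""

        # Only permissions actually granted matter; denied ones cannot be abused.
        granted = set(re.findall(r"(android\.permission\.\w+): granted=true", block))
        packages.append(PackageInfo(
            name=m.group(1),
            version=grab("versionName"),
            first_install=datetime.strptime(grab("firstInstallTime"), TIME_FMT),
            last_update=datetime.strptime(grab("lastUpdateTime"), TIME_FMT),
            granted=granted,
        ))
    return packages


def version_tuple(v: str) -> tuple:
    """'1.3.8' -> (1, 3, 8) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def version_in_reported_range(v: str) -> bool:
    """True when the installed version is at or above the first version the article
    reports as containing the malicious code."""
    return version_tuple(v) >= version_tuple(FIRST_MALICIOUS_VERSION)


def audit(packages: list, min_gap_days: int = 180) -> list:
    """Flag apps holding sensitive runtime permissions whose installed code was
    replaced by an update long after the user first vetted and installed them."""
    findings = []
    for p in packages:
        sensitive = p.granted & SENSITIVE_PERMISSIONS
        gap_days = (p.last_update - p.first_install).days
        if sensitive and gap_days >= min_gap_days:
            findings.append({
                "package": p.name,
                "version": p.version,
                "days_between_install_and_update": gap_days,
                "sensitive_granted": sorted(sensitive),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(parse_dumpsys(SAMPLE_DUMPSYS)):
        print(finding)
```

On a real device the input would come from `adb shell dumpsys package <pkg>` for each entry of `adb shell pm list packages -3`; a hit from `audit` is a prompt to re-check what the current version actually does, not proof of compromise, since legitimate apps are also updated months after install.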
Research has not yet found any concrete evidence that would enable the attribution of this activity to a particular campaign or APT cybercriminal group.
Do you have the right IT security strategy to protect your business from a cyberattack?
Our IT security audit focuses on the security, best practice and resiliency of critical IT services and how these factors impact IT risk management – Learn more.
You can also follow Radius on Instagram, Facebook or LinkedIn for more security updates.
Source: ESET