(Image credit- Google Play)
Every 15 minutes, an app distributed through the Google Play Store recorded a minute of audio from the device's microphone and sent it over an encrypted connection to its developers' servers.
The program started out as a legitimate screen recorder, but an update released in August of last year turned it malicious.
Audio Recording Without Permission
iRecorder Screen Recorder, an Android app, recorded audio from the device's microphone every 15 minutes and sent it to the app's developer. According to the report, the program has been downloaded more than 50,000 times from the Google Play Store since its initial release in September 2021.
Eleven months after that initial release, an update added code that connects to a server under the attacker's control, extracts sensitive files from the device, remotely activates the microphone, and records and uploads audio. This is the point at which the app began secretly recording every 15 minutes without users' permission.
Researcher Lukas Stefanko found that these recording capabilities were implemented with code from AhMyth, an open-source Android remote access trojan (RAT) that has recently turned up in several Google Play Store apps. Once the code was added, it was pushed to every existing iRecorder user as an ordinary update.
Judging by the number of modifications made to the AhMyth code over time, the developer had a thorough understanding of the open-source RAT. Despite the risk, apps carrying AhMyth have slipped past Google's review process before, as iRecorder did. The app was eventually removed from the store, but only after it had reached 50,000 downloads.
Trying out the app
Stefanko repeatedly installed the application on devices in his lab to test it, and each installation produced the same outcome: the app received an instruction from its command-and-control server (also known as C&C or C2) to record one minute of audio and send it back.
According to the report, the configuration file fetched from the server consistently returned the command to record audio; the app then turned on the microphone, captured the audio, and uploaded it to the C2 server.
The test was repeated three to four times, with the same result each time, before the infection was stopped.
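The behaviour described above (a one-minute recording uploaded to the same server on a fixed 15-minute cadence) is exactly the kind of pattern that is invisible to an app-store review but easy to spot in network telemetry once a device is on a monitored network. The following Python script is an added example, not code from ESET, Stefanko, or the iRecorder app: it parses a constructed egress log and flags any device-to-destination flow whose connection intervals are nearly constant. The log format, device names, and the `203.0.113.10` destination are assumptions made for illustration; the 15-minute cadence comes from the article, while the upload sizes are invented stand-ins for a one-minute audio clip.

```python
"""Detect fixed-interval upload cadence (beaconing) in device egress logs.

Added example, not ESET's or the iRecorder app's code. The log format,
host names, destination address and byte counts below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log, one connection per line:
# "<ISO timestamp> <device> -> <dst ip>:<port> <bytes uploaded>"
# android-7f3a talks to 203.0.113.10 every ~15 min with ~185 KB uploads,
# mixed with ordinary traffic to an unrelated host on both devices.
SAMPLE_LOG = """\
2023-05-23T09:00:12 android-7f3a -> 203.0.113.10:443 184320
2023-05-23T09:02:40 android-7f3a -> 142.250.74.78:443 2300
2023-05-23T09:15:09 android-7f3a -> 203.0.113.10:443 190112
2023-05-23T09:30:14 android-7f3a -> 203.0.113.10:443 187904
2023-05-23T09:31:02 android-7f3a -> 142.250.74.78:443 1800
2023-05-23T09:45:10 android-7f3a -> 203.0.113.10:443 185600
2023-05-23T10:00:11 android-7f3a -> 203.0.113.10:443 189000
2023-05-23T09:03:00 android-9c11 -> 142.250.74.78:443 5600
2023-05-23T09:41:00 android-9c11 -> 142.250.74.78:443 4100
"""


def parse_log(text):
    """Yield (timestamp, device, destination, bytes_out) for each log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, _arrow, dst, size = line.split()
        yield datetime.fromisoformat(ts), device, dst, int(size)


def find_beacons(text, min_events=4, max_jitter_s=30.0):
    """Return {(device, dst): {"interval_s": ..., "bytes_out": ...}} for every
    flow with at least `min_events` connections whose gaps between connections
    have a population standard deviation of at most `max_jitter_s` seconds.

    A real scheduler (the page describes a 15-minute cadence) drifts by a few
    seconds; human-driven traffic has gaps that vary by minutes or hours.
    """
    times = defaultdict(list)
    sizes = defaultdict(list)
    for ts, device, dst, size in parse_log(text):
        times[(device, dst)].append(ts)
        sizes[(device, dst)].append(size)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:
            beacons[key] = {
                "interval_s": mean(gaps),
                "bytes_out": mean(sizes[key]),
            }
    return beacons


if __name__ == "__main__":
    for (device, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{device} -> {dst}: every {stats['interval_s'] / 60:.1f} min, "
              f"~{stats['bytes_out'] / 1024:.0f} KiB per upload")
```

Run against the constructed log, only the `android-7f3a -> 203.0.113.10:443` flow is reported, at roughly 15 minutes between connections. On a real network the same logic applies to NetFlow or proxy logs; tune `min_events` and `max_jitter_s` to the log's time resolution, and treat a steady cadence with a steady upload size to a single external host as a lead to investigate rather than proof of compromise.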
Possible Motive
The researchers could not confirm it, but one possible explanation for iRecorder's behaviour is that the app is part of an ongoing intelligence-gathering operation.
The researcher considered it very unlikely that the software served no purpose, given that it sends the audio it gathers to the attackers.
“Unfortunately, we don’t have any evidence that the app was pushed to a particular group of people, and from the app description and further research (possible app distribution vector), it isn’t clear if a specific group of people was targeted or not,” Stefanko wrote in a blog post.