An app with over 50,000 downloads from Google Play has been found to surreptitiously record nearby audio every 15 minutes and transmit it to the app developer, according to a security researcher from ESET. The app, named iRecorder Screen Recorder, initially entered Google Play in September 2021 as a harmless application allowing users to record their Android device screens. However, it underwent an update eleven months later, introducing new features that enabled the remote activation of the device's microphone, audio recording, connection to a server controlled by attackers, and uploading of sensitive files stored on the device.
The app's covert surveillance capabilities were implemented using code derived from AhMyth, an open-source remote access Trojan (RAT) previously incorporated into various Android apps. Following the addition of the RAT to iRecorder, all users of the previously benign app received updates that enabled their phones to record audio from their surroundings and transmit it to a server designated by the developer, utilizing an encrypted channel. As time passed, the code from AhMyth was extensively modified, indicating the developer's increasing proficiency with the open-source RAT. ESET identified the newly modified RAT in iRecorder as AhRat.
To investigate the app's behavior, ESET researcher Lukas Stefanko repeatedly installed iRecorder on devices in his lab, consistently obtaining the same outcome. The app would receive instructions to record one minute of audio and send it to the attacker's command-and-control server, also known as a C&C or C2. Subsequently, the app would receive the same instruction every 15 minutes indefinitely.
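The fixed 15-minute cadence described above is the kind of pattern a defender can hunt for in network telemetry, independent of any signature for the app itself. The following is an added illustration, not code from the article or from ESET: it parses a small set of constructed outbound-connection log lines (the line format, the package names and the `.invalid` hostnames are all assumptions made for the example) and flags app/destination pairs whose connections recur at a near-constant interval close to an expected period, here 900 seconds.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound-connection log lines (not taken from the article).
# Fields: ISO-8601 timestamp, originating app package, destination host, bytes sent.
SAMPLE_LOG = """\
2023-05-01T10:00:05Z app=com.example.recorder dst=c2.example.invalid bytes=48211
2023-05-01T10:02:11Z app=com.example.browser dst=cdn.example.invalid bytes=1820
2023-05-01T10:15:07Z app=com.example.recorder dst=c2.example.invalid bytes=47990
2023-05-01T10:21:40Z app=com.example.browser dst=cdn.example.invalid bytes=9023
2023-05-01T10:30:04Z app=com.example.recorder dst=c2.example.invalid bytes=48310
2023-05-01T10:45:06Z app=com.example.recorder dst=c2.example.invalid bytes=48102
2023-05-01T10:52:13Z app=com.example.browser dst=cdn.example.invalid bytes=300
2023-05-01T11:00:05Z app=com.example.recorder dst=c2.example.invalid bytes=48055
"""

# Hypothetical log line layout assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, app, destination, bytes) tuples.

    Lines that do not match the expected layout are skipped rather than
    raising, so a partially corrupted log does not abort the analysis.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["app"], m["dst"], int(m["bytes"])))
    return events


def find_beacons(events, expected_period_s=900, tolerance_s=60, min_events=4):
    """Return {(app, dst): mean_interval_s} for pairs that beacon periodically.

    A pair is reported when it has at least `min_events` connections, the mean
    gap between consecutive connections lies within `tolerance_s` of
    `expected_period_s`, and the gaps themselves vary by no more than
    `tolerance_s` (low jitter is what separates a scheduled upload from
    ordinary, bursty user traffic).
    """
    by_pair = {}
    for ts, app, dst, _ in events:
        by_pair.setdefault((app, dst), []).append(ts)

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if abs(avg - expected_period_s) <= tolerance_s and pstdev(gaps) <= tolerance_s:
            hits[pair] = round(avg)
    return hits


if __name__ == "__main__":
    for (app, dst), period in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"periodic traffic: {app} -> {dst} every ~{period}s")
```

The browser traffic in the sample is irregular and sparse, so it is never reported; only the recorder's five evenly spaced uploads meet both the interval and the jitter criteria. In practice the expected period would be left unset and the jitter test alone used, with the reported interval then reviewed by an analyst.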
Incidents of malware embedded in apps available on Google servers are not uncommon. When malware is discovered on its platform, Google typically refrains from commenting, other than expressing gratitude to external researchers and stating that the company promptly removes such malware. However, Google has never clarified why its own researchers and automated scanning processes fail to detect malicious apps identified by external sources. Additionally, Google has been hesitant to actively notify Play users once it becomes aware that they have been infected by apps promoted and made available through its own service.
What sets this case apart is the discovery of a malicious app actively recording audio from a large number of victims and sending it to attackers. Stefanko suggested that iRecorder may be part of an ongoing espionage campaign, although conclusive evidence to support this claim has yet to be found. He noted, "Unfortunately, we don't have any evidence that the app was pushed to a particular group of people, and from the app description and further research (possible app distribution vector), it isn't clear if a specific group of people was targeted or not. It seems very unusual, but we don't have evidence to say otherwise."
RATs grant attackers a hidden backdoor on infected platforms, enabling them to install or uninstall apps, pilfer contacts, messages, and user data, and monitor devices in real time. AhRat is not the first Android RAT to incorporate the open-source code from AhMyth. In 2019, Stefanko reported discovering an AhMyth-based RAT in Radio Balouch, a fully functional streaming radio app catering to enthusiasts of Balochi music, which originates from southeastern Iran. Unlike iRecorder, Radio Balouch had a significantly smaller user base of just over 100 Google Play users.
Moreover, a prolific threat group operating since at least 2013 has also leveraged AhMyth to backdoor Android apps targeting military and government personnel in India. There is no indication that this threat group, known by various names such as Transparent Tribe, APT36, Mythic Leopard, ProjectM, and Operation C-Major, ever disseminated the app through Google Play, and the precise infection vector remains unclear.