A Google Play Store app transformed into spyware almost a year after it debuted.
The app, iRecorder — Screen Recorder, was safe to use when it was first published in September 2021. But the software became a Trojan in August, most likely when it was updated to version 1.3.8, according to findings from antivirus provider ESET.
“It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code,” wrote ESET researcher Lukas Stefanko.
The app was designed to help users record the screen on an Android phone and edit those screen captures. But in August, the malicious update, which ESET dubs “AhRat,” introduced the ability for the app to steal files from a user’s smartphone and secretly record audio.
“These functionalities appeared to fit within the already defined app permissions model, which grants access to files on the device and permits recording of audio,” Stefanko said. “Notably, the malicious app provided video-recording functionality, so it was expected to ask for permission to record audio and store it on the device.”
Hence, the malicious update wouldn’t have triggered any special permission requests on an Android phone because the user had already granted them in order to use the app’s existing screen-recording capabilities.
“During our analysis, AhRat received commands to exfiltrate files with extensions representing web pages, images, audio, video, and document files, and file formats used for compressing multiple files,” ESET added.
Why the app was secretly Trojanized remains unclear. It’s possible the app came from a legitimate developer who had their account hijacked by a hacker. It’s also possible the developer sought to secretly
Read more on pcmag.com