ESET security researchers have discovered that a popular Android app turned into a trojan. For years, “iRecorder – Screen Recorder” did only what its description promised, namely making recordings. But then there was an update.
Complex malicious code was probably added to the app with an update in August 2022. It wasn’t noticed until March, a good six months later. The iRecorder – Screen Recorder app, developed by Coffeeholic Dev, has since been removed from the Google Play Store.
According to ESET security experts, the app began transmitting user data to unknown third parties in the late summer of last year. The data in question: images, videos, audio, and documents.
Suddenly, a remote access trojan appeared
The first malicious version of iRecorder contained parts of AhMyth RAT’s malicious code. AhMyth is a remote access trojan (RAT), which gives strangers access to data on the device.
This Trojan pings its C&C server every 15 minutes and requests a new configuration file. This file contains new commands and configuration information to be run and set on the target device.
According to ESET, these include the location in the file system from which user data should be extracted, the file types with specific extensions to be extracted, a file size limit, the duration of microphone recordings, and the time interval to wait between recordings. ESET has not found any clues as to who might be behind the manipulation of iRecorder. How the Trojan could have been smuggled in is still being investigated.
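The fixed 15-minute check-in described above leaves a regular cadence in proxy or DNS logs. The following Python example is added here for illustration and is not from ESET's report or the original article; it flags device/host pairs contacted at a steady interval near 900 seconds. The log format, device names, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy/DNS log: ISO timestamp, device, destination host.
SAMPLE_LOG = """\
2023-03-01T10:00:02 phone-a c2.example.invalid
2023-03-01T10:01:10 phone-a cdn.example.invalid
2023-03-01T10:03:40 phone-a cdn.example.invalid
2023-03-01T10:15:04 phone-a c2.example.invalid
2023-03-01T10:30:01 phone-a c2.example.invalid
2023-03-01T10:40:00 phone-a cdn.example.invalid
2023-03-01T10:41:15 phone-a cdn.example.invalid
2023-03-01T10:45:05 phone-a c2.example.invalid
2023-03-01T11:00:03 phone-a c2.example.invalid
2023-03-01T11:20:00 phone-a cdn.example.invalid
2023-03-01T10:00:00 phone-b updates.example.invalid
2023-03-01T11:00:00 phone-b updates.example.invalid
2023-03-01T12:00:00 phone-b updates.example.invalid
2023-03-01T13:00:00 phone-b updates.example.invalid
"""

def find_beacons(log_text, period=900, tolerance=60, max_jitter=30, min_hits=4):
    """Return (device, host, mean_gap) for pairs contacted at a steady ~period seconds."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        try:
            seen[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
        except ValueError:
            continue  # skip lines with an unparseable timestamp
    hits = []
    for (device, host), times in sorted(seen.items()):
        if len(times) < min_hits:
            continue  # too few contacts to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        # Steady cadence near the expected period: mean is close, spread is small.
        if abs(avg - period) <= tolerance and jitter <= max_jitter:
            hits.append((device, host, avg))
    return hits

if __name__ == "__main__":
    for device, host, avg in find_beacons(SAMPLE_LOG):
        print(f"{device} -> {host}: mean interval {avg:.0f}s")
```

Regular intervals alone are not proof of malware, since legitimate update checks and sync jobs also poll on a schedule; a hit is a lead for checking the destination and the app responsible.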
Such remote-access Trojans are dangerous and have appeared again and again in recent years. Google is currently working on alerting users to manipulations in apps by analyzing the data they send.