A recent research by antivirus supplier ESET revealed that iRecorder — Screen Recorder, well-known software on the Google Play Store, infected with malware over a year after it was first made available. When the app first launched in September 2021, it was safe to use. However, in August, most likely with the release of version 1.3.8, the app began a change into a malicious application.
Lukas Stefanko, an ESET researcher, highlighted that it is uncommon for a developer to add harmful code to reliable software after such a lengthy time. iRecorder – Screen Recorder was first created to help users record and alter the displays of their Android phones. The app now has the capacity to covertly take data from users' smartphones and secretly record audio thanks to a malicious update called "AhRat".
Moreover, Lukas Stefanko clarified that the app's previous permissions, which already permitted access to device data and audio recording, were consistent with these additional features. The app didn't raise any red flags or request additional permissions because it had the ability to shoot videos. The legal screen-recording functionality of the software had already been enabled with these rights; therefore the malicious update went undetected.
According to ESET's study, AhRat, the malicious update, was given instructions to exfiltrate a variety of information, including compressed file formats, web pages, pictures, and audio, video, and document files. Unknown reasons may have been used to covertly turn the program into malware. The program may have come from a reliable developer whose account was taken over by a hacker. Alternatively, the malicious update could have been purposefully added from the start by the developer. ESET hasn't yet discovered concrete evidence to back either viewpoint, though.
To add to it, over 50,000 people downloaded” iRecorder — Screen Recorder” on Google Play despite the app's misleading makeover. Fortunately, Google included a security feature to Android 11 and subsequent versions. If the user hasn't engaged with an app for a few months, the operating system may put it into a state of hibernation automatically. The app's functionality is turned off during this hibernation period, potentially protecting users from danger.
However, when ESET disclosed its findings, Google uninstalled the app. Additionally, it looks that the app's developer page, CoffeeHolic Dev, has been deleted. The iRecorder – Screen Recorder app is still available on unofficial app marketplaces, nevertheless.
Read next: New Report Reveals Top Security Threats for 2023
Lukas Stefanko, an ESET researcher, highlighted that it is uncommon for a developer to add harmful code to reliable software after such a lengthy time. iRecorder – Screen Recorder was first created to help users record and alter the displays of their Android phones. The app now has the capacity to covertly take data from users' smartphones and secretly record audio thanks to a malicious update called "AhRat".
Moreover, Lukas Stefanko clarified that the app's previous permissions, which already permitted access to device data and audio recording, were consistent with these additional features. The app didn't raise any red flags or request additional permissions because it had the ability to shoot videos. The legal screen-recording functionality of the software had already been enabled with these rights; therefore the malicious update went undetected.
According to ESET's study, AhRat, the malicious update, was given instructions to exfiltrate a variety of information, including compressed file formats, web pages, pictures, and audio, video, and document files. Unknown reasons may have been used to covertly turn the program into malware. The program may have come from a reliable developer whose account was taken over by a hacker. Alternatively, the malicious update could have been purposefully added from the start by the developer. ESET hasn't yet discovered concrete evidence to back either viewpoint, though.
To add to it, over 50,000 people downloaded” iRecorder — Screen Recorder” on Google Play despite the app's misleading makeover. Fortunately, Google included a security feature to Android 11 and subsequent versions. If the user hasn't engaged with an app for a few months, the operating system may put it into a state of hibernation automatically. The app's functionality is turned off during this hibernation period, potentially protecting users from danger.
However, when ESET disclosed its findings, Google uninstalled the app. Additionally, it looks that the app's developer page, CoffeeHolic Dev, has been deleted. The iRecorder – Screen Recorder app is still available on unofficial app marketplaces, nevertheless.
Read next: New Report Reveals Top Security Threats for 2023
