Google Play App Downloaded 50,000 Times Made 15-Minute Secret Mic Recordings
(CTN News) – One of the most effective ways for a malicious Android app to evade Google's detection is to arrive in the Google Play Store as a clean, legitimate app and have the malware elements incorporated later.
This is what happened with iRecorder – Screen Recorder. The app, which was downloaded 50,000 times, secretly recorded audio from the device mic every 15 minutes and sent the recordings to a third party.
According to ESET researcher Lukas Stefanko, iRecorder – Screen Recorder was trojanized over the course of the last year.
When the app was first uploaded to the Google Play store in September 2021, it was free from any malicious elements, but that changed when the version 1.3.8 update was released in August 2022, which is where the malicious elements appeared.
The malicious code added to the app is based on the open source AhMyth Android RAT (remote access trojan), malware that is able to steal data from devices, including contacts, SMS messages, call logs, browser histories, device location, and screenshots. However, the developer’s customized version, which ESET referred to as AhRat, had a limited range of features.
A particularly insidious aspect of AhRat is its ability to record audio from the device’s microphone every 15 minutes and upload it to the attacker’s command and control server.
Only six of the app’s 18 capabilities were implemented, suggesting AhRat was still a work in progress that might later have included some of the extra functionality found in AhMyth, such as keylogging, location tracking, and screen recording.
The app was not only downloaded over 50,000 times, but it also had a respectable 4.2-star rating on Google Play, likely due to its long track record of safety. The presence of considerable user criticism along with a low score can be a red flag.
An unusual characteristic of this app is its ability to record and send audio at short intervals.
Stefanko suggests that it could be part of an espionage campaign, especially given that the open-source AhMyth tool had previously been used by Transparent Tribe, a group known for targeting government and military organizations in South Asia.
Despite this, there is no evidence that AhRat belongs to that group, nor is it clear whether the app was designed to monitor a specific group of individuals.
Developer Coffeeholic Dev did have other apps on the store that did not display any signs of malware, but those elements could have been added at a later date, as with iRecorder – Screen Recorder. As Google has removed all of their apps, we will not be able to find out.