After nearly a yr of working correctly and being cleanly distributed by means of the Play Retailer, a well-liked Android display screen recording app has turned on its customers, recording their calls, stealing information, and even listening in to the sounds of the machine’s setting.

Cybersecurity researchers from ESET discovered the app, named iRecorder – Display screen Recorder, which was added to the Play Retailer in September 2021, turned bitter in August 2022. 

Within the yr earlier than malicious code was apparently added, greater than 50,000 folks had downloaded the app, the report mentioned. 

Unknown motives

The malware that was subsequently added relies on the open-source AhMyth Android Distant Entry Trojan (RAT), however was closely modified. ESET says whoever modified the code took their time to know the code of each the app and the again finish. ESET’s researchers dubbed the malware AhRat.

The risk actors behind the compromise are unknown, and so are their motives. However given the functionalities of AhRat, all issues level to an espionage marketing campaign, the researchers mentioned. In spite of everything, moreover the display screen recording characteristic (which isn’t malicious), the app can document ambient audio picked up by the endpoint’s microphone, and exfiltrate information reminiscent of saved internet pages, photos, audio, video, doc information, and extra.

“The AhRat analysis case serves as a very good instance of how an initially reputable software can rework right into a malicious one, even after many months, spying on its customers and compromising their privateness. Whereas it’s doable that the app developer had meant to construct up a consumer base earlier than compromising their Android gadgets by means of an replace or {that a} malicious actor launched this alteration within the app; up to now, we now have no proof for both of those hypotheses,” ESET researcher Lukáš Štefanko mentioned. 

In different phrases, there’s a slight probability the app was taken over by malicious actors and utilized in a provide chain assault.

The iRecorder app variations 1.3.eight and older usually are not malicious, it was mentioned, however for those who up to date it within the meantime, likelihood is – you’ve been compromised. The worst half is that the victims didn’t even have to grant the app any additional permissions. The app has since been faraway from the Play Retailer.

• Try the very best firewalls proper now