A Google Play Store application recorded a minute of the users' screen every 15 minutes and forwarded it to the developers' servers through an encrypted link. The app started as an innocent screen recording app but turned evil after an update in August last year.
Audio Recording Without Consent
iRecorder Screen Recorder let users record the screen of their Android devices, but it also captured recordings every 15 minutes and sent them to the app developer. According to a report from The Verge, the application had more than 50,000 downloads from the Google Play Store since it first came out in September 2021.
Eleven months after its release, the app received an update that added the ability to remotely turn on the device microphone and record sound, connect to an attacker-controlled server, and upload the audio and other sensitive files stored on the device. This update is also when the app began the surreptitious recording every 15 minutes without consent from users.
ESET (Essential Security against Evolving Threats) researcher Lukas Stefanko found that these recordings were implemented using code from the AhMyth Android Remote Access Trojan, which has been incorporated into several applications on the Google Play Store in recent years. Once the code was added, all users of iRecorder received an update that allowed this to happen.
The code taken from AhMyth was heavily modified over time, which indicates that the developer had mastered the open-source RAT. Despite these threats, apps with AhMyth embedded in them (including iRecorder) had made it past Google's filters before. In fact, by the time the app was removed it already had 50,000 downloads.
Testing the App
Stefanko installed the application repeatedly on devices in his lab to examine it, and it produced the same results every time. The app was given an instruction to record one minute of audio and send it to the command-and-control server, known colloquially in security circles as the C&C or C2 server.
During the analysis, Ars Technica reported, the researcher found that the config file always returned the command to record audio, which means the app turned the microphone on, captured the audio, and sent it to the C2 server. The malware repeated this process three to four times before he stopped it.
Possible Motive
The possible reason why iRecorder is doing this is that the application is part of an active espionage campaign, but the researchers were unable to determine whether this is the case. The researcher believed it would be very unusual for the app to have no motive, given that it sends the captured audio to attackers.
"Unfortunately, we don't have any evidence that the app was pushed to a particular group of people, and from the app description and further research (possible app distribution vector), it isn't clear if a specific group of people was targeted or not," Stefanko noted in a blog post.