Home Latest Cyber Security News | Network Security Hacking iRecorder Android App Targeted Its Users With AhRAT Malware

iRecorder Android App Targeted Its Users With AhRAT Malware

by Abeerah Hashim
Mandrake Android Malware Creeps Up On Google Play Store Again

Heads up, Android users! If you ever installed the iRecorder app on your phone, it’s time to uninstall it now, as it might be spying on your device. Researchers found the iRecorder app suddenly turned malicious as it infected the target Android devices with AhRAT malware.

iRecorder App Sneakily Barraged Android Users With AhRAT Malware

According to a recent report from ESET, their researchers found malicious activities associated with the iRecorder app on Play Store. Specifically, they observed iRecorder deploying AhRAT spying malware on the respective Android devices.

What’s peculiar in this recent malicious campaign is that the threat actors seemingly waited for quite some time before preying on the users. As observed, the iRecorder app first appeared on the Google Play Store in September 2021. At that time, the app had no malicious codes. And it remained harmless, functioning as a mere screen recording app until August 2022, after which it suddenly started deploying malware.

With version 1.3.8, iRecorder began deploying AhRAT RAT on the devices to monitor users’ activities. Briefly, AhRAT, as the researchers analyzed, is a new remote access trojan based on the open-source AhMyth Android RAT.

After becoming trojanized, the app started functioning maliciously, performing many sneaky activities in the background. While it continued to serve as a screen recorder, it also began extracting users’ surroundings’ sounds via the device’s microphone and stealing stored documents (files with specific extensions) from the device. It would then transmit all the exfiltrated data to its C&C.

Google Removed iRecorder From The Play Store

Following the researchers’ report, Google removed the malicious app from the Play Store. However, until then, the app already garnered over 50,000 downloads, indicating the extent of AhRAT’s infection.

However, the iRecorder app seemed to be a single instance deploying the AhRAT malware. The researchers could observe no other app associated with this campaign. Also, they could not link the activity to any specific threat actor group. However, according to ESET, the specificity of the app’s maliciousness hints at some cyber espionage.

For now, users still running the iRecorder app on their devices must remove it immediately to stop the malware activity. Also, users must always download apps from known developers to avoid falling prey to such scams.

Let us know your thoughts in the comments.

You may also like