Google PlayStore Banned iRecorder APP For Using AhRat Malware

In the fast-paced, ever-changing digital ecosystem, what serves as a useful tool today can easily become a threat tomorrow. A prime example of this unexpected transformation is the Android application, iRecorder – Screen Recorder. Released in September 2021, the app started as a reliable tool, gaining popularity among Android users for its screen recording features.

The Dark Transformation of iRecorder

iRecorder, with over 50,000 installs, was seen as a user-friendly application that fulfilled its purpose efficiently. However, this scenario changed drastically when the app was updated to version 1.3.8 in August 2022. This update saw the app morph from a helpful tool to a potent Trojan horse. It began to harbor an Android remote access Trojan (RAT) based on AhMyth, an open-source remote administration tool infamous for enabling unauthorized access to data on an Android device.

The cybersecurity company ESET uncovered this transformation on May 23, 2023. ESET researchers have named this particular RAT AhRat. Equipped with the ability to extract files with specific extensions and microphone recordings, AhRat can upload this data to the attacker’s command and control (C2) server. The unsuspecting user becomes a victim, with their sensitive data in the hands of unknown attackers.

The real concern about this particular incident is the embedding of malicious code into an application that was initially legitimate. Such tactics are uncommon in the world of cyber threats, making it difficult for average users to identify malicious apps. Adding another layer to this enigma is the known link between AhMyth and a group called Transparent Tribe, also referred to as APT36. This group has a reputation for its sophisticated social engineering techniques. Despite this, ESET researchers could not conclusively attribute this incident to any specific group or established advanced persistent threat (APT) actor.

Google’s Swift Response

Upon being informed by ESET, Google immediately removed the iRecorder app from the Play Store. Despite this action, the app remains available on alternative Android markets, presenting a lingering threat. Furthermore, the developer behind iRecorder has other applications available on Google Play. None of them has been found to contain harmful code, but the incident suggests a cautious approach towards these applications:

  • iBlock (com.tsoft.app.iblock.ad)
  • iCleaner (com.isolar.icleaner)
  • iEmail (com.tsoft.app.email)
  • iLock (com.tsoft.app.ilock)
  • iVideoDownload (com.tsoft.app.ivideodownload)
  • iVPN (com.ivpn.speed)
  • File speaker (com.teasoft.filespeaker)
  • QR Saver (com.teasoft.qrsaver)

The case of iRecorder – Screen Recorder is a chilling reminder that even the most trusted apps can turn rogue. Cybercriminals injecting malicious code can convert a popular, legitimate app into a dangerous tool for cybercrime. Should your device be infected with AhRat via this app, a wide variety of your files, from personal photos and videos to important documents and saved web pages, could be stolen.

Ensuring User Safety in the Android Ecosystem

To protect against such threats, it’s crucial to keep your Android operating system updated to the latest version. Google has implemented preventive measures like the ‘App hibernation’ feature, which suspends dormant apps and resets their permissions, mitigating potential risks. Also, consider using a reliable Android antivirus app that can constantly scan your smartphone for malware and other viruses, providing an additional layer of security.

Conclusion

This incident underscores the need for vigilance and proactive measures in our digital journey. By staying informed about the latest cybersecurity threats, we can ensure that we navigate the digital world safely and securely.
