The iRecorder Android app targeted its users with AhRAT malware

Attention Android users! If you have ever installed iRecorder app on your phone then now is the time to uninstall it as it might be spying on your device. Researchers found that iRecorder app suddenly became malicious as it infected the target Android devices with AhRAT malware.

The iRecorder app secretly bombarded Android users with AhRAT malware

According to a recent report by ESET, their researchers found malicious activity related to the iRecorder app on the Play Store. Specifically, they observed iRecorder deploying AhRAT spy malware on the respective Android devices.

What is special about this latest malicious campaign is that the threat actors appear to have waited quite a while before exploiting users. As observed, the iRecorder app first appeared on the Google Play Store in September 2021. At that time, the app did not contain any malicious code. And it remained harmless, functioning simply as a screen recording app until August 2022, when it suddenly started spreading malware.

With version 1.3.8, iRecorder started deploying AhRAT RAT on the devices to monitor users’ activities. In short, the researchers analyzed AhRAT as a new remote access Trojan based on the open-source Android RAT AhMyth.

After getting infected with Trojan horse, the app started to work maliciously and performed many sneaky activities in the background. While it continued to function as a screen recorder, it also began extracting users’ ambient sounds via the device’s microphone and stealing saved documents (files with certain extensions) from the device. It would then transmit all exfiltrated data to its C&C.

READ :  Godfather Android malware targets users of 400 banks and crypto exchanges

Google has removed iRecorder from the Play Store

According to the researchers’ report, Google has removed the malicious app from the Play Store. However, the app had already recorded over 50,000 downloads by then, which shows the extent of the AhRAT infection.

However, the iRecorder app appeared to be a single instance that deployed the AhRAT malware. The researchers could not observe any other app related to this campaign. Also, they could not attribute the activity to a specific group of threat actors. However, according to ESET, the specific malicious nature of the app points to cyber espionage.

For now, users who are still running the iRecorder app on their devices must remove it immediately to stop the malware activity. Also, users are always required to download apps from well-known developers to avoid becoming victims of such scams.

Let us know your thoughts in the comments.