New Android Malware on Google Play Store with Over 50,000 Installs

The cybersecurity researchers at ESET recently made a significant discovery, a previously unidentified remote access trojan (RAT) lurking within an Android screen recording app, available for download on the Google Play Store and already amassed tens of thousands of installations.

The ‘iRecorder – Screen Recorder’ app, initially introduced in September 2021, was potentially compromised through a malicious update in August 2022, utilizing its name to deceive users by requesting audio recording and file access permissions under the guise of a legitimate screen recording application.

While apart from this, the app has achieved more than 50,000 installations on the Google Play Store before its removal, raising the concern for users of exposure to malware infection.

After being notified, iRecorder was removed from the Google Play store due to its malicious behavior, but it can still be obtained from unofficial Android markets.

In addition to offering other applications on Google Play, the developer of iRecorder ensures that their apps are free from any malicious code or harmful elements.

Android Malware on Google Play

The malware known as AhRat, derived from the open-source Android RAT AhMyth, has extensive capabilities encompassing device tracking and more.

Here below, we have mentioned all the capabilities it offers to its operators:-

  • Location
  • Stealing call logs
  • Contacts
  • Text messages
  • Sending SMS messages
  • Taking pictures
  • Recording background audio

ESET discovered that the malicious screen recording app utilized only a portion of the RAT’s functions, focusing on capturing ambient sound and stealing files of certain extensions, suggesting potential involvement in espionage.

Moreover, ESET previously exposed a case in 2019 where AhMyth-based Android malware successfully evaded Google Play’s security checks twice by disguising itself as a radio streaming app, highlighting a recurring issue with AhMyth infiltration on the platform.

AhRat initiates communication with the C&C server upon installation by sharing essential device details while simultaneously receiving encryption keys and a configuration file in encrypted form.

Following the initial communication, AhRat establishes a regular connection with the C&C server, sending periodic pings every 15 minutes to request an updated configuration file.

AhRat is designed to execute 18 commands based on the instructions received in the configuration file from the C&C server. But, the RAT can execute the six commands only exclusively that we have mentioned below:-

  • RECORD_MIC
  • FILE_LIST
  • UPLOAD_FILE_AFTER_DATE
  • LIMIT_UPLOAD_FILE_SIZE
  • UPLOAD_FILE_TYPE
  • UPLOAD_FILE_FOLDER

However, Android 11 and subsequent versions have already incorporated proactive measures such as App hibernation to safeguard against such malicious activities.

The hibernation feature resets runtime permissions of dormant apps, preventing their intended malicious activities, and the subsequent removal of the malicious app from Google Play reinforces the importance of multi-layered protection.

Shut Down Phishing Attacks with Device Posture Security – Download Free E-Book

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …

13 hours ago

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…

14 hours ago

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…

15 hours ago

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…

16 hours ago

Careto – A legendary Threat Group Targets Windows By Deploy Microphone Recorder And Steal Files

Recent research has linked a series of cyberattacks to The Mask group, as one notable…

16 hours ago

RiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…

16 hours ago