BAIT AND SWITCH

Legit app in Google Play turns malicious and sends mic recordings every 15 minutes

The malicious iRecorder app has come to light, but its purpose remains shrouded.

Dan Goodin
Credit: Getty Images

An app that had more than 50,000 downloads from Google Play surreptitiously recorded nearby audio every 15 minutes and sent it to the app developer, a researcher from security firm ESET said.

The app, titled iRecorder Screen Recorder, started life on Google Play in September 2021 as a benign app that allowed users to record the screens of their Android devices, ESET researcher Lukas Stefanko said in a post published on Tuesday. Eleven months later, the legitimate app was updated to add entirely new functionality. It included the ability to remotely turn on the device mic and record sound, connect to an attacker-controlled server, and upload the audio and other sensitive files that were stored on the device.

Surreptitious recording every 15 minutes

The secret espionage functions were implemented using code from AhMyth, an open source RAT (remote access Trojan) that has been incorporated into several other Android apps in recent years. Once the RAT was added to iRecorder, all users of the previously benign app received updates that allowed their phones to record nearby audio and send it to a developer-designated server through an encrypted channel. As time went on, code taken from AhMyth was heavily modified, an indication that the developer became more adept with the open source RAT. ESET named the newly modified RAT in iRecorder AhRat.

Stefanko installed the app repeatedly on devices in his lab, and each time, the result was the same: The app received an instruction to record one minute of audio and send it to the attacker’s command-and-control server, also known colloquially in security circles as a C&C or C2. Going forward, the app would receive the same instruction every 15 minutes indefinitely. In an email, he wrote:

During my analysis, AhRat was actively capable of exfiltrating data and recording microphone (a couple of times I removed the app and reinstalled, and the app always behaved the same).

Data exfiltration is enabled based on the commands in [a] config file returned from [the] C&C. During my analysis, the config file always returned the command to record audio which means [it] turned on the mic, captured audio, and sent it to the C2.

It happened constantly in my case, since it was conditional to commands that were received in the config file. Config was received every 15 minutes and record duration set to 1 minute. During analysis, my device always received commands to record and send mic audio to C2. It occurred 3-4 times, then I stopped the malware.
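The behaviour Stefanko describes, a config fetch every 15 minutes followed by a one-minute recording, is a fixed-interval beacon, and that regularity is what a defender can look for in device or gateway connection logs even when the payload itself is encrypted. The following is an added example, not ESET's tooling or anything from the app: it takes connection records (the log lines here are constructed, and their three-field layout is an assumption) and flags destinations contacted at a near-constant interval. The thresholds are illustrative, not published detection values.

```python
"""Flag destinations a device contacts on a fixed schedule (beaconing).

Added example, not ESET's or the app author's code. SAMPLE_LOG is
constructed for the demo; its layout (ISO-8601 UTC timestamp, device,
destination host) is an assumption, not a format taken from the article.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed: one device, a C2-like host hit every ~15 minutes and a
# legitimate host hit at irregular times.
SAMPLE_LOG = """\
2023-05-23T10:00:03Z phone-01 80876dd5.shop
2023-05-23T10:00:41Z phone-01 play.googleapis.com
2023-05-23T10:15:04Z phone-01 80876dd5.shop
2023-05-23T10:22:10Z phone-01 play.googleapis.com
2023-05-23T10:30:02Z phone-01 80876dd5.shop
2023-05-23T10:31:55Z phone-01 play.googleapis.com
2023-05-23T10:45:03Z phone-01 80876dd5.shop
2023-05-23T11:00:05Z phone-01 80876dd5.shop
2023-05-23T11:09:30Z phone-01 play.googleapis.com
"""


def parse_log(text):
    """Return {(device, host): [epoch seconds, ...]} from the log lines."""
    contacts = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, host = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        contacts[(device, host)].append(t.timestamp())
    return contacts


def beacon_candidates(contacts, min_hits=4, max_jitter=0.05):
    """Return {(device, host): median_gap_seconds} for periodic contact patterns.

    A destination qualifies when it has at least `min_hits` contacts and every
    gap between consecutive contacts lies within `max_jitter` (as a fraction)
    of the median gap. Both thresholds are assumptions chosen for the demo.
    """
    hits = {}
    for key, times in contacts.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= max_jitter * med for g in gaps):
            hits[key] = med
    return hits


if __name__ == "__main__":
    for (device, host), period in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{device} -> {host}: beacon every {period / 60:.1f} min")
```

On the constructed log the C2-like host is reported with a period of about 15 minutes, while the host contacted at irregular intervals is not. In practice a single interval check produces false positives (OS update checks, push-notification keepalives), so treat a hit as a prioritisation signal to pair with the destination's reputation, not as a verdict.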

Malware laced in apps available on Google servers is hardly new. Google doesn’t comment when malware is discovered on its platform beyond thanking the outside researchers who found it and saying the company removes malware as soon as it learns of it. The company has never explained what causes its own researchers and automated scanning process to miss malicious apps discovered by outsiders. Google has also been reluctant to actively notify Play users once it learns they were infected by apps promoted and made available by its own service.

What is more unusual in this case is the discovery of a malicious app that actively records such a wide base of victims and sends their audio to attackers. Stefanko said it’s possible that iRecorder is part of an active espionage campaign, but so far, he has been unable to determine if that’s the case.

“Unfortunately, we don’t have any evidence that the app was pushed to a particular group of people, and from the app description and further research (possible app distribution vector), it isn’t clear if a specific group of people was targeted or not,” he wrote. “It seems very unusual, but we don’t have evidence to say otherwise.”

RATs give attackers a secret backdoor on infected platforms so they can go on to install or uninstall apps, steal contacts, messages, or user data, and monitor devices in real time. AhRat isn’t the first such Android RAT to use the open source code from AhMyth. In 2019, Stefanko reported finding an AhMyth-implemented RAT in Radio Balouch, a fully working streaming radio app for enthusiasts of Balochi music, which hails from southeastern Iran. That app had a significantly smaller install base of just 100-plus Google Play users.

A prolific threat group that has been active since at least 2013 has also used AhMyth to backdoor Android apps that targeted military and government personnel in India. There’s no indication that the threat group—tracked by researchers under the names Transparent Tribe, APT36, Mythic Leopard, ProjectM, and Operation C-Major—ever spread the app through Google Play, and the infection vector remains unclear.

Significant effort from an unknown threat group

Stefanko said the first version of iRecorder to include the malicious functionality was 1.3.8, which was made available in August 2022. In Tuesday’s post, the researcher wrote:

During our analysis, we identified two versions of malicious code based on AhMyth RAT. The first malicious version of iRecorder contained parts of AhMyth RAT’s malicious code, copied without any modifications. The second malicious version, which we named AhRat, was also available on Google Play, and its AhMyth code was customized, including the code and communication between the C&C server and the backdoor. By the time of this publication, we have not observed AhRat in any other Google Play app or elsewhere in the wild, iRecorder being the only app that has contained this customized code.

AhMyth RAT is a potent tool, capable of various malicious functions, including exfiltrating call logs, contacts, and text messages, obtaining a list of files on the device, tracking the device location, sending SMS messages, recording audio, and taking pictures. However, we observed only a limited set of malicious features derived from the original AhMyth RAT in both versions analyzed here. These functionalities appeared to fit within the already defined app permissions model, which grants access to files on the device and permits recording of audio. Notably, the malicious app provided video recording functionality, so it was expected to ask for permission to record audio and store it on the device, as shown in Figure 2. Upon installation of the malicious app, it behaved as a standard app without any special extra permission requests that might have revealed its malicious intentions.

Once installed, the malicious iRecorder app connected to the attacker C2 and sent basic device information, and downloaded encryption keys and an encrypted configuration file, which appears below. The keys encrypt and decrypt the configuration file and some of the data exfiltrated from the infected device.

Communications between an AhRat-infected device and the C2. Credit: ESET

The customization of the AhMyth in the latter malicious version of iRecorder suggests that the developers put significant effort into the app on both the device and the backend C2 that controlled it. The latter malicious version of iRecorder had function names in the configuration file that indicated a wide range of capabilities, including:

  • RECORD_MIC*
  • CAPTURE_SCREEN
  • LOCATION
  • CALL_LOG
  • KEYLOG
  • NOTIFICATION
  • SMS
  • OTT
  • WIFI
  • APP_LIST
  • PERMISSION
  • CONTACT
  • FILE_LIST*
  • UPLOAD_FILE_AFTER_DATE*
  • LIMIT_UPLOAD_FILE_SIZE*
  • UPLOAD_FILE_TYPE*
  • UPLOAD_FILE_FOLDER*
  • SCHEDULE_INTERVAL

Of those 18 capabilities, only the six marked with an asterisk above had been implemented. Given the updated AhMyth implementation and the presence of incomplete commands, it’s possible that AhRat is a work in progress rather than a finished product.

Stefanko saw AhRat-infected devices receiving commands to exfiltrate archives, images, audio, video, web pages, and document files, including those with the extensions zip, rar, jpg, jpeg, jpe, jif, jfif, jfi, png, mp3, mp4, mkv, 3gp, m4v, mov, avi, gif, webp, tiff, tif, heif, heic, bmp, dib, svg, ai, eps, pdf, doc, docx, html, htm, odt, xls, xlsx, ods, ppt, pptx, and txt.

Exfiltrated files were limited to a size of 20MB and were located in the Download directory /storage/emulated/0/Download. The files were then uploaded to the C2 server, as seen in the figure below:

Files being exfiltrated from an AhRat-infected device to the C2. Credit: ESET

As checkered as Google’s track record is for keeping Play free of malware, Stefanko pointed out one recent improvement. A preventive measure available in Android versions 11 and higher implements app hibernation. The feature puts apps that have been dormant into a hibernation state that removes their previously granted runtime permissions. It’s not clear if any of the 50,000 infected devices made use of this protection.

Those who want to know if their device has been infected with AhRat can use the following indicators of compromise:

Files

SHA-1                                      Package name                    ESET detection name     Description
C73AFFAF6A9372C12D995843CC98E2ABC219F162   com.tsoft.app.iscreenrecorder   Android/Spy.AhRat.A     AhRat backdoor
E97C7AC722D30CCE5B6CC64885B1FFB43DE5F2DA   com.tsoft.app.iscreenrecorder   Android/Spy.AhRat.A     AhRat backdoor
C0EBCC9A10459497F5E74AC5097C8BD364D93430   com.tsoft.app.iscreenrecorder   Android/Spy.Android.CKN AhMyth-based backdoor
0E7F5E043043A57AC07F2E6BA9C5AEE1399AAD30   com.tsoft.app.iscreenrecorder   Android/Spy.Android.CKN AhMyth-based backdoor

Network

IP                 Provider    First seen   Details
34.87.78[.]222     Namecheap   2022-12-10   order.80876dd5[.]shop, C&C server
13.228.247[.]118   Namecheap   2021-10-05   80876dd5[.]shop:22222, C&C server

MITRE ATT&CK Techniques

This table was built using version 12 of the MITRE ATT&CK framework.

Tactic               ID          Name                                               Description
Persistence          T1398       Boot or Logon Initialization Scripts               AhRat receives the BOOT_COMPLETED broadcast intent to activate at device startup.
Persistence          T1624.001   Event Triggered Execution: Broadcast Receivers     AhRat functionality is triggered if one of these events occurs: CONNECTIVITY_CHANGE or WIFI_STATE_CHANGED.
Discovery            T1420       File and Directory Discovery                       AhRat can list available files on external storage.
Discovery            T1426       System Information Discovery                       AhRat can extract information about the device, including device ID, country, device manufacturer and model, and common system information.
Collection           T1533       Data from Local System                             AhRat can exfiltrate files with particular extensions from a device.
Collection           T1429       Audio Capture                                      AhRat can record surrounding audio.
Command and Control  T1437.001   Application Layer Protocol: Web Protocols          AhRat uses HTTPS to communicate with its C&C server.
Exfiltration         T1646       Exfiltration Over C2 Channel                       AhRat exfiltrates stolen data over its C&C channel.
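ESET's point that the backdoor's features "fit within the already defined app permissions model" and the two persistence entries in the table above together describe a static pattern worth triaging for: a manifest that requests microphone and network access a screen recorder can justify, plus a receiver that wakes the app on BOOT_COMPLETED or connectivity broadcasts. The following is an added example, not ESET's analysis code and not derived from iRecorder's manifest: it assumes the AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), and the manifest it parses is constructed for the demo. It serves both the permissions passage and the ATT&CK persistence entries.

```python
"""Triage a decoded AndroidManifest.xml for the combination the article
describes: recorder-style permissions plus a boot/connectivity receiver.

Added example, not ESET's code. CONSTRUCTED_MANIFEST is a made-up manifest
for the demo, not iRecorder's; the input is assumed to be plain XML already
decoded from the APK's binary manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions a recording/exfiltration backdoor needs but a screen recorder can
# plausibly justify, so their presence alone reveals nothing (ESET's point).
SENSITIVE_PERMS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}
# Broadcasts listed in the ATT&CK table as AhRat's activation triggers.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.net.conn.CONNECTIVITY_CHANGE",
    "android.net.wifi.WIFI_STATE_CHANGED",
}

CONSTRUCTED_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.screenrec">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Screen Recorder">
    <receiver android:name=".svc.WakeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def ns(attr):
    """Clark-notation name for an attribute in the android: namespace."""
    return f"{{{ANDROID_NS}}}{attr}"


def triage_manifest(xml_text):
    """Return the package, the sensitive permissions it requests, and every
    receiver whose intent-filter includes one of the activation broadcasts."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ns("name")) for e in root.iter("uses-permission")}
    receivers = {}
    for recv in root.iter("receiver"):
        actions = {act.get(ns("name")) for act in recv.iter("action")}
        triggers = actions & TRIGGER_ACTIONS
        if triggers:
            receivers[recv.get(ns("name"))] = sorted(triggers)
    return {
        "package": root.get("package"),
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMS),
        "trigger_receivers": receivers,
    }


def is_suspicious(report):
    """Heuristic: mic and network access plus a boot/connectivity-triggered
    receiver. This prioritises an APK for manual review; it is not proof of
    malice, since a legitimate recorder can ship the same manifest."""
    perms = set(report["sensitive_permissions"])
    return (
        "android.permission.RECORD_AUDIO" in perms
        and "android.permission.INTERNET" in perms
        and bool(report["trigger_receivers"])
    )


if __name__ == "__main__":
    report = triage_manifest(CONSTRUCTED_MANIFEST)
    print(report)
    print("review:", is_suspicious(report))
```

The useful lesson from the iRecorder case is that the manifest of the benign and malicious builds may look identical, so the heuristic has to be run per version and paired with what changed in the code between updates, not applied once at first install.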

Little is known about the “Coffeeholic Dev,” the publisher of the iRecorder app in Play. Stefanko said other apps submitted by the same person or entity didn’t show signs of malice. By the time the ESET post went live on Tuesday, however, Google had removed not only iRecorder but all other traces of Coffeeholic Dev’s offerings.

“The AhRat research serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy,” Stefanko wrote. “While it is possible that the app developer had intended to build up a user base before compromising their Android devices through an update or that a malicious actor introduced this change in the app, so far, we have no evidence for either of these hypotheses.”

Listing image: Getty Images

Dan Goodin, Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and Bluesky. Contact him on Signal at DanArs.82.