Privacy Android Security

'iRecorder Screen Recorder' App Turns Malicious, Sends Mic Recordings Every 15 Minutes (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: An app that had more than 50,000 downloads from Google Play surreptitiously recorded nearby audio every 15 minutes and sent it to the app developer, a researcher from security firm ESET said. The app, titled iRecorder Screen Recorder, started life on Google Play in September 2021 as a benign app that allowed users to record the screens of their Android devices, ESET researcher Lukas Stefanko said in a post published on Tuesday. Eleven months later, the legitimate app was updated to add entirely new functionality. It included the ability to remotely turn on the device mic and record sound, connect to an attacker-controlled server, and upload the audio and other sensitive files that were stored on the device.

The secret espionage functions were implemented using code from AhMyth, an open source RAT (remote access Trojan) that has been incorporated into several other Android apps in recent years. Once the RAT was added to iRecorder, all users of the previously benign app received updates that allowed their phones to record nearby audio and send it to a developer-designated server through an encrypted channel. As time went on, code taken from AhMyth was heavily modified, an indication that the developer became more adept with the open source RAT. ESET named the newly modified RAT in iRecorder AhRat.

Stefanko installed the app repeatedly on devices in his lab, and each time, the result was the same: The app received an instruction to record one minute of audio and send it to the attacker's command-and-control server, also known colloquially in security circles as a C&C or C2. Going forward, the app would receive the same instruction every 15 minutes indefinitely. [...] Stefanko said it's possible that iRecord is part of an active espionage campaign, but so far, he has been unable to determine if that's the case. "Unfortunately, we don't have any evidence that the app was pushed to a particular group of people, and from the app description and further research (possible app distribution vector), it isn't clear if a specific group of people was targeted or not," he wrote. "It seems very unusual, but we don't have evidence to say otherwise."

  • Old joke (Score:2, Offtopic)

    by SpzToid ( 869795 )
    This news reminds me of the old joke, "Microsoft Outlook is a massive security risk that doubles as an email client."
  • by martinX ( 672498 ) on Wednesday May 24, 2023 @07:19PM (#63549273)

    Eleven months later, the legitimate app was updated to add entirely new functionality. It included the ability to remotely turn on the device mic and record sound, connect to an attacker-controlled server, and upload the audio and other sensitive files that were stored on the device.

    That update probably wasn't listed in the "What's New" section.

    • by NotEmmanuelGoldstein ( 6423622 ) on Thursday May 25, 2023 @05:19AM (#63549891)

      ... listed in the "What's New" ...

      This is why one should always check the "Permissions" tab (the only bit of truth, which Google tried to delete) before installing an app.

      But this reveals a second problem: Google putting holes in its 'security' with less precise permissions that allow software to access multiple services with one screen-tap from the user. (Also, a lack of passwords on Play Store means anyone with physical access can download an applet and provide permission to access PII.)

      Also, scope-creep (Remember when applets became voice-activated?), requiring the user to give unnecessary permissions to all Google applets, then their other applets, which adopted the same scope-creep.

      • by Askmum ( 1038780 )
        Not only that, think of the gazillions of people that have auto-update for every app. If an app goes rogue, it just gets updated and most users never know about this.

        I'd be interested if Google will cut this feature.

        And the app is now removed from the app store. How many people still have it installed?

    • They turned evil. So they get the rain of fists and kicks down on themselves.

        This is also a warning that a once legitimate development house can "turn evil" well beyond the standard adding of run of the mill privacy invasion and telemetry. :-\

  • by Rosco P. Coltrane ( 209368 ) on Wednesday May 24, 2023 @07:29PM (#63549293)

    If it works and you have confidence in one version, leave it alone.

    • The users who installed it after it became malware had the same confidence as the users who installed it before it was malware.

      Unintentional malware (security holes) are more common than intentional malware, and refusing updates puts you at risk for that.

      • Unintentional malware (security holes) are more common than intentional malware, and refusing updates puts you at risk for that.

        That's the theory.

        But I'll tell you what my experience is with new versions (not just online) since programmers started getting sloppy with CPU and memory in the 90s: for every update that fixes something or introduces a nice new feature, there are 5 updates that fuck up something that used to work and drive you mad.

        On top of that, since stealing people's private data became profitable, there's a very high probability that any new anything from Google, Microsoft or any other big data player, big or small, c

        • Google/MS spyware is a done deal if you're using any of their platforms. Stopping updates won't help unless you stopped them back in the Windows XP era. Of course, Microsoft usually finds other ways to regress...

          "Don't use it" is the only real solution to most of this stuff. Especially anything on a smartphone. Whenever some, for example fast food place, tells me I should install their app I tell them fuck you. When I notice their app is the only way to get reasonable prices anymore (McDonald's), I stop doi

          • "Don't use it" is the only real solution to most of this stuff.

            That's reasonable, until there is no alternative to what you refuse to use. And then you have to use it.

            You can't choose not to "use" Google. Google has inserted itself in every nook and cranny of the internet. If you block all of Google, virtually all websites stop working.

            You can't choose not to "use" CloudFlare: they too stand between a goodly portion of the internet and you. If you don't like their captchas or their surveillance, you lose access to that massive portion of the internet.

            You can't choose n

  • Just a quick Google and https://nordvpn.com/blog/ios-v... [nordvpn.com] There’s just more cat poop in a sandbox.
  • It's A FEATURE !
  • "iRecorder Screen Recorder uses diagnostic data to keep iRecorder Screen Recorder secure and up to date, troubleshoot problems, and make product improvements as described in more detail below."

    Once Microsoft was allowed to get away with this shit, why shouldn't any bunch of evil cunts be allowed to do it?

    https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319
  • Says Morgan Freeman's voice in your head.

  • by Anonymous Coward

    how wonderful android is! yes i'd much rather run the risk of this than be nice and safe inside my beautiful garden :)

  • That's nice but (Score:4, Insightful)

    by Vinegar Joe ( 998110 ) on Thursday May 25, 2023 @08:17AM (#63550153)

    Who is the developer and what is their location?

  • Nonsense like this is why the SDK does not even make it possible to record audio/video when app is in the background.

  • "You filthy dirty rat, you will be going away for a long time."

    iScreen recorder app developer "F[bleep] you! F[bleep] you! [bleep] [bleep] [bleep] [bleep] [bleep] [bleep] [bleep]!"
