'iRecorder Screen Recorder' App Turns Malicious, Sends Mic Recordings Every 15 Minutes (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: An app that had more than 50,000 downloads from Google Play surreptitiously recorded nearby audio every 15 minutes and sent it to the app developer, a researcher from security firm ESET said. The app, titled iRecorder Screen Recorder, started life on Google Play in September 2021 as a benign app that allowed users to record the screens of their Android devices, ESET researcher Lukas Stefanko said in a post published on Tuesday. Eleven months later, the legitimate app was updated to add entirely new functionality. It included the ability to remotely turn on the device mic and record sound, connect to an attacker-controlled server, and upload the audio and other sensitive files that were stored on the device.
The secret espionage functions were implemented using code from AhMyth, an open source RAT (remote access Trojan) that has been incorporated into several other Android apps in recent years. Once the RAT was added to iRecorder, all users of the previously benign app received updates that allowed their phones to record nearby audio and send it to a developer-designated server through an encrypted channel. As time went on, code taken from AhMyth was heavily modified, an indication that the developer became more adept with the open source RAT. ESET named the newly modified RAT in iRecorder AhRat.
Stefanko installed the app repeatedly on devices in his lab, and each time, the result was the same: The app received an instruction to record one minute of audio and send it to the attacker's command-and-control server, also known colloquially in security circles as a C&C or C2. Going forward, the app would receive the same instruction every 15 minutes indefinitely. [...] Stefanko said it's possible that iRecord is part of an active espionage campaign, but so far, he has been unable to determine if that's the case. "Unfortunately, we don't have any evidence that the app was pushed to a particular group of people, and from the app description and further research (possible app distribution vector), it isn't clear if a specific group of people was targeted or not," he wrote. "It seems very unusual, but we don't have evidence to say otherwise."
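The behaviour described above, a check-in to the C2 server at a fixed 15-minute cadence, is exactly the kind of timer-driven pattern a defender can surface from a device's outbound connection log. The following is an added illustration, not code from the Ars Technica report or from ESET's analysis; the log lines, host names and the 5% jitter threshold are constructed for the example.

```python
"""Flag fixed-interval beaconing in a device's outbound connection log.

Constructed example: the log lines and host names below are synthetic.
A destination is flagged when its inter-connection gaps are nearly
constant, as a timer-driven check-in (e.g. every 15 minutes) would be.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <dest_host> <bytes_out>"
SAMPLE_LOG = """\
2023-05-23T10:00:04 cdn.example-ads.test 1200
2023-05-23T10:00:09 c2.example-bad.test 950000
2023-05-23T10:07:41 cdn.example-ads.test 800
2023-05-23T10:15:10 c2.example-bad.test 948000
2023-05-23T10:22:02 api.example-sync.test 5000
2023-05-23T10:30:08 c2.example-bad.test 951000
2023-05-23T10:44:59 api.example-sync.test 4200
2023-05-23T10:45:11 c2.example-bad.test 947000
2023-05-23T10:51:13 api.example-sync.test 4900
2023-05-23T11:00:09 c2.example-bad.test 952000
2023-05-23T11:03:30 cdn.example-ads.test 650
2023-05-23T11:20:40 api.example-sync.test 5100
"""


def parse_log(text):
    """Group connection timestamps by destination host."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _size = line.split()
        by_host[host].append(datetime.fromisoformat(ts))
    return by_host


def find_beacons(by_host, min_hits=4, max_jitter=0.05):
    """Return {host: period_seconds} for hosts contacted at a near-constant interval.

    A host needs at least min_hits connections, and the population standard
    deviation of its inter-arrival gaps must be within max_jitter * mean gap.
    """
    beacons = {}
    for host, times in by_host.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) <= max_jitter * period:
            beacons[host] = round(period)  # c2 host above -> 900 s
    return beacons
```

In the constructed log only the C2 host is reported (period 900 s); the ad CDN has too few connections and the sync API's gaps are irregular.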
AI maybe (Score:3)
Re: (Score:2)
Thought of that, but randomly recording people / TV / background noises every 15 mins, and in many different languages, and listening to every single recording to make sure it's relevant to your LLM model, and getting a bunch of people to transcribe everything for the training, it's going to be very resource intensive (manpower, language skills, etc.).
Not something that the average developer can afford.
Re: AI maybe (Score:2)
I hope they had to wade through endless fart and vomit noises, and Karen screams to get to anything "good".
Re: Who would even want that? (Score:3)
I doubt it is a coincidence that the ease of processing this with machine learning increased around the time of this polling.
Anyway, the answer is "they wrote a program to analyze this for whatever purpose they want"
Old joke (Score:2, Offtopic)
Check the "What's New" (Score:4, Funny)
That update probably wasn't listed in the "What's New" section.
Re:Check the "What's New" (Score:4, Insightful)
This is why one should always check the "Permissions" tab (the only bit of truth, which Google tried to delete) before installing an app.
But this reveals a second problem: Google putting holes in its 'security' with less precise permissions that allow software to access multiple services with one screen-tap from the user. (Also, a lack of passwords on Play Store means anyone with physical access can download an applet and provide permission to access PII.)
Also, scope-creep (Remember when applets became voice-activated?), requiring the user to give unnecessary permissions to all Google applets, then their other applets, which adopted the same scope-creep.
Re: (Score:2)
I'd be interested if Google will cut this feature.
And the app is now removed from the app store. How many people still have it installed?
Re: Check the "What's New" (Score:2)
They turned evil. So they get the rain of fists and kicks down on themselves.
This is also a warning that a once legitimate development house can "turn evil" well beyond the standard adding of run of the mill privacy invasion and telemetry. :-\
And now you know why I always disable autoupdate (Score:4, Insightful)
If it works and you have confidence in one version, leave it alone.
Re: (Score:2)
The users who installed it after it became malware had the same confidence as the users who installed it before it was malware.
Unintentional malware (security holes) is more common than intentional malware, and refusing updates puts you at risk for that.
Re: (Score:2)
Unintentional malware (security holes) is more common than intentional malware, and refusing updates puts you at risk for that.
That's the theory.
But I'll tell you what my experience is with new versions (not just online) since programmers started getting sloppy with CPU and memory in the 90s: for every update that fixes something or introduces a nice new feature, there are 5 updates that fuck up something that used to work and drive you mad.
On top of that, since stealing people's private data became profitable, there's a very high probability that any new anything from Google, Microsoft or any other big data player, big or small, c
Re: (Score:2)
Google/MS spyware is a done deal if you're using any of their platforms. Stopping updates won't help unless you stopped them back in the Windows XP era. Of course, Microsoft usually finds other ways to regress...
"Don't use it" is the only real solution to most of this stuff. Especially anything on a smartphone. Whenever some, for example fast food place, tells me I should install their app I tell them fuck you. When I notice their app is the only way to get reasonable prices anymore (McDonald's), I stop doi
Re: (Score:2)
"Don't use it" is the only real solution to most of this stuff.
That's reasonable, until there is no alternative to what you refuse to use. And then you have to use it.
You can't choose not to "use" Google. Google has inserted itself in every nook and cranny of the internet. If you block all of Google, virtually all websites stop working.
You can't choose not to "use" CloudFlare: they too stand between a goodly portion of the internet and you. If you don't like their captchas or their surveillance, you lose access to that massive portion of the internet.
You can't choose n
Sandbox vs walled garden (Score:1)
It's NOT A BUG (Score:2)
What's the difference with Windows ? (Score:1, Troll)
Once Microsoft was allowed to get away with this shit, why shouldn't any bunch of evil cunts be allowed to do it?
https://support.microsoft.com/en-us/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319
Re: (Score:2)
They aren't allowed to do it. Google booted them from the Play store and sent an update to every Android phone that uninstalled it.
Re: (Score:2)
This is wrong. (Score:1)
Says Morgan Freeman's voice in your head.
someone hurry up and remind me (Score:1)
how wonderful Android is! Yes, I'd much rather run the risk of this than be nice and safe inside my beautiful garden :)
Re: someone hurry up and remind me (Score:2)
It really isn't your garden. You are simply chained up in there.
That's nice but (Score:4, Insightful)
Who is the developer and what is their location?
Re: That's nice but (Score:2)
Someone will doxx them soon enough.
Not possible on iOS (Score:1, Insightful)
Nonsense like this is why the SDK does not even make it possible to record audio/video when an app is in the background.
Net Cops tv show (Score:2)
"You filthy dirty rat, you will be going away for a long time."
iScreen recorder app developer "F[bleep] you! F[bleep] you! [bleep] [bleep] [bleep] [bleep] [bleep] [bleep] [bleep]!"