Warning: This Innocent-Looking Android App Could Be Violating Your Privacy Right Now
An Android screen recorder application has been found to spy on its users. Distributed under the name IRecorder, the screen recorder app silently records audio through the device's microphone without the user's knowledge.
According to Ars Technica, the malicious behaviour began roughly a year after the app's initial release on the Google Play Store in 2021.
Specifically, after an update in August 2022, IRecorder began covertly recording one minute of audio every 15 minutes and sending the recording to the app developer over an encrypted connection.
The behaviour was discovered by Lukas Stefanko, a malware researcher at the security firm ESET, who documented his findings in a blog post.
Stefanko explained that the covert recording was implemented with code from AhMyth, an open-source Android Remote Access Trojan (RAT) whose code has turned up in a number of Android applications.
Once the RAT code is integrated, users of the trojanised app receive what looks like an ordinary update; afterwards the app can record audio from the phone's surroundings and upload the recordings to a server chosen by the developer. ESET named the modified variant used by IRecorder AhRat.
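The tell-tale sign of AhRat's behaviour, as described above, is not that the app uses the microphone (a screen recorder legitimately does) but that it does so in the background on a fixed schedule. The following is an added example, not code from ESET, Ars Technica or the IRecorder app: a small Python heuristic that takes a list of microphone-access events and flags packages whose background accesses recur at a near-constant interval. The log format, the package names and the timestamps are all constructed for the example; real Android permission-usage data would have to be exported and converted into this shape first.

```python
"""
Heuristic detection of periodic background microphone use, the pattern
AhRat showed (about one minute of audio every 15 minutes).

Input format (constructed for this example; NOT real Android output):
  "<ISO timestamp> <package> <op> <fg|bg>"
where op is RECORD_AUDIO and the last field says whether the app was in
the foreground when the access began.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. The "spyrecorder" package records every
# ~15 minutes while in the background; a legitimate voice-memo app uses
# the microphone in the foreground at irregular times; a messenger has
# only two background accesses, too few to judge.
SAMPLE_LOG = """\
2023-05-20T10:00:00 com.example.spyrecorder RECORD_AUDIO bg
2023-05-20T10:15:02 com.example.spyrecorder RECORD_AUDIO bg
2023-05-20T10:30:01 com.example.spyrecorder RECORD_AUDIO bg
2023-05-20T10:45:00 com.example.spyrecorder RECORD_AUDIO bg
2023-05-20T11:00:03 com.example.spyrecorder RECORD_AUDIO bg
2023-05-20T10:07:11 com.example.voicememo RECORD_AUDIO fg
2023-05-20T10:41:55 com.example.voicememo RECORD_AUDIO fg
2023-05-20T12:03:20 com.example.voicememo RECORD_AUDIO fg
2023-05-20T10:20:00 com.example.messenger RECORD_AUDIO bg
2023-05-20T13:20:00 com.example.messenger RECORD_AUDIO bg
"""


def parse_log(text):
    """Return {package: [datetime, ...]} for background RECORD_AUDIO events only."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, op, state = line.split()
        if op == "RECORD_AUDIO" and state == "bg":
            events[pkg].append(datetime.fromisoformat(ts))
    return events


def periodic_background_recorders(text, min_events=4, max_cv=0.05):
    """
    Flag packages whose background microphone accesses recur at a
    near-constant interval.

    cv = stdev / mean of the gaps between consecutive accesses. A timer
    firing every N minutes gives a cv close to 0, whereas human-driven
    use gives irregular gaps and a large cv. Returns
    {package: mean_interval_seconds} for flagged packages.
    """
    flagged = {}
    for pkg, times in parse_log(text).items():
        if len(times) < min_events:
            continue  # not enough samples to call it periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            flagged[pkg] = round(m)
    return flagged


if __name__ == "__main__":
    for pkg, interval in periodic_background_recorders(SAMPLE_LOG).items():
        print(f"{pkg}: background microphone access every ~{interval} s")
```

On the constructed log only `com.example.spyrecorder` is flagged, with an interval of about 900 seconds. The thresholds (`min_events`, `max_cv`) are arbitrary starting points; a malware author who jitters the schedule would raise the cv, so this heuristic catches the fixed-interval behaviour reported here, not every possible variant.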
"In the course of my analysis, AhRat consistently exhibited the capability to output data and record audio through the microphone. I uninstalled and reinstalled the application several times, yet it consistently displayed the same behavior," Stefanko wrote in an email to Ars Technica, as quoted on Saturday (27/5/2023).
At the time of reporting, IRecorder had around 50,000 downloads. The app has since been removed from the Play Store.
Stefanko also stressed that the app, with AhMyth code inside it, had already slipped past Google Play's screening, which warrants increased vigilance.
Malware slipping into apps on both the Play Store and the App Store is not unusual. Google's efforts to stamp it out appear to lag behind, as outside researchers keep finding similar cases.
Stefanko's blog post also highlights an increasingly common problem: apps misusing the permissions users grant them. A user who allows a screen recorder to use the microphone expects it to record while a screen capture is running, not in the background on a timer.
Because the app was actively recording and exfiltrating data, Stefanko suggested that IRecorder may be part of an active espionage campaign; this has not been confirmed.
A RAT gives an attacker extensive access to an infected device: it can steal contacts, messages and files, and monitor the device in real time.
AhRat is not the only Android RAT built on the open-source AhMyth framework. In 2019 Stefanko also reported a RAT inside the Radio Balouch app.
That app posed as a streaming radio service for fans of Balochi music from south-eastern Iran; it had only a few hundred users when it was found on Google Play.
AhMyth's Android RAT has also been used by particular attack groups to target military and government personnel in India, though there is no indication that those groups distributed their apps through Google Play.
Separately, the security firm Trend Micro recently uncovered Guerrilla, a malware strain targeting Android devices that is reported to have infected millions of devices worldwide.
According to Trend Micro, Guerrilla can steal personal information such as passwords and credit card numbers, and can access and exfiltrate data from any application installed on the victim's device.
As reported by GizChina on Tuesday (23/5/2023), Trend Micro warned that the malware is a serious threat because it is present on victims' devices even when the latest security updates are installed.
The reason is that Guerrilla does not arrive through an app: it modifies the device's ROM, the firmware image that Android itself runs from ("ROM" is the Android term for that system image, not physical read-only memory). Because the malware lives in the system image rather than in a user-installed app, it cannot be uninstalled like an ordinary app, and security patches applied on top of the same image do not remove it.