The other side of this equation is that mobile threat groups have found ways around the protections in the Play Store and on the phones themselves. For the Play Store, a popular method of insertion is simple versioning: the attacker uploads a legitimate app, builds up a history of clean releases, and then adds the malicious functionality in a later update, often a piece at a time, without triggering alarms. Another is to ship no malicious code in the app at all and instead have it call out to a server at a predetermined time to fetch and execute a malicious package. Still another is to ask the user for additional permissions on the device to "unlock" features; those permissions then let the attacker download and install what they want by abusing privileged internal components of the OS.
These are not the only methods used to get around the Play Store's protections, but it is the first one, versioning, that we will be talking about today. The popular app iRecorder – Screen Recorder was removed from the Play Store after it was found to contain a data-stealing malicious component. This new "feature" was added to the APK after the app had been in the Play Store for almost a year, and with 50,000 downloads at the time of its removal it is on a lot of devices. The first version was uploaded in September 2021; the malicious component is believed to have been added in August 2022 in version 1.3.8, which means the malicious capability sat in the Play Store for roughly nine months. To add insult to injury, Kaspersky had already flagged iRecorder in October 2022 as carrying a variant of the AhMyth RAT (Remote Access Trojan).
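As an added example (not code from the original post, nor from the developer or any vendor it names), the following Python script shows one check a reviewer can run against a versioning attack: diff the AndroidManifest.xml of an earlier release against a later one and flag newly declared permissions, components, and boot-time receivers. The two manifests, the package name com.example.screenrec and every component name in them are constructed for the demonstration and do not describe iRecorder. Because the permissions a malicious update needs may already be ones the app legitimately declares, the diff tracks components and intent filters as well as permissions.

```python
"""Diff two versions of an AndroidManifest.xml to spot what an update gained.

Added example, not code from the original post. The manifests, package name
(com.example.screenrec) and component names below are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
VERSION = f"{{{ANDROID_NS}}}versionName"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Permissions worth a second look when they first appear in a later release:
# they are what a RAT needs to record, read files, and survive a reboot.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed sample: an early, clean release of a screen recorder.
MANIFEST_V1 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.screenrec" android:versionName="1.0.0">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Screen Recorder">
    <activity android:name=".MainActivity"/>
    <service android:name=".RecordService"/>
  </application>
</manifest>
"""

# Constructed sample: a later release that quietly gained a boot receiver,
# a background service, and file-read permission (hypothetical names).
MANIFEST_V2 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.screenrec" android:versionName="1.3.8">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Screen Recorder">
    <activity android:name=".MainActivity"/>
    <service android:name=".RecordService"/>
    <service android:name="com.example.screenrec.sync.SyncService"/>
    <receiver android:name="com.example.screenrec.sync.BootReceiver"
        android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _qualify(name, package):
    """Expand the manifest shorthand ".Foo" to "<package>.Foo"."""
    return package + name if name.startswith(".") else name


def parse_manifest(xml_text):
    """Return the permissions, components and boot receivers a manifest declares."""
    root = ET.fromstring(xml_text.strip())
    package = root.get("package", "")
    permissions = {e.get(NAME) for e in root.findall("uses-permission")}
    components = {}         # fully qualified name -> component kind
    boot_receivers = set()  # receivers that wake the app after a reboot
    for kind in ("activity", "service", "receiver", "provider"):
        for comp in root.find("application").findall(kind):
            name = _qualify(comp.get(NAME), package)
            components[name] = kind
            actions = {a.get(NAME) for a in comp.iter("action")}
            if kind == "receiver" and BOOT_ACTION in actions:
                boot_receivers.add(name)
    return {"version": root.get(VERSION, "?"), "permissions": permissions,
            "components": components, "boot_receivers": boot_receivers}


def diff_manifests(old_xml, new_xml):
    """Report what the newer manifest declares that the older one did not."""
    old, new = parse_manifest(old_xml), parse_manifest(new_xml)
    added_perms = new["permissions"] - old["permissions"]
    added_comps = set(new["components"]) - set(old["components"])
    report = {
        "old_version": old["version"],
        "new_version": new["version"],
        "added_permissions": sorted(added_perms),
        "removed_permissions": sorted(old["permissions"] - new["permissions"]),
        "sensitive_added": sorted(added_perms & SENSITIVE_PERMISSIONS),
        "added_components": sorted(f'{new["components"][n]}:{n}' for n in added_comps),
        "new_boot_receivers": sorted(new["boot_receivers"] - old["boot_receivers"]),
    }
    # Any new component or sensitive permission deserves a human look; a new
    # boot receiver in particular is the classic persistence hook of a RAT.
    suspicious = (report["sensitive_added"] or report["added_components"]
                  or report["new_boot_receivers"])
    report["verdict"] = "review" if suspicious else "unchanged"
    return report


if __name__ == "__main__":
    for key, value in diff_manifests(MANIFEST_V1, MANIFEST_V2).items():
        print(f"{key}: {value}")
```

In practice the two manifests would come from the decoded APKs of consecutive store releases (apktool's decoded AndroidManifest.xml is the format this parser expects; that tooling choice is an assumption here, not something the post describes). The useful signal in a versioning attack is rarely one dramatic permission; it is the new service, the new exported receiver, or the new boot hook that the app's stated purpose does not explain.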
This particular AhMyth variant appears to be focused on capturing microphone recordings and collecting files from the device. During installation the application requests the permissions needed for these capabilities as part of its ordinary functions, and since a screen recorder plausibly needs microphone and storage access, the requests make sense in context, which makes the approach rather clever. The developer responsible for iRecorder is Coffeeholic Dev. While we cannot say for certain that this developer has published other malicious apps, or even that the developer is responsible for the malicious code (it could be a compromised account, after all), we would advise steering clear of apps from this developer for the time being. Google has so far removed all of this developer's other apps from the Play Store, but it would not be a bad idea to make sure you do not have any of them installed on your phone. Stay safe out there.