Google Removed iRecorder App, Warns Android Users About its Malicious Tracking

Despite Google's best efforts to keep Android safe from malware and other harmful apps and programs, an Android app has turned rogue over a year after it was released through Google's Play Store, according to security experts.

Kapish Khajuria

An Android app called "iRecorder – Screen Recorder" started collecting user data without users' explicit permission almost a year after it was launched on the Play Store with no malicious code in it, according to security researchers at ESET (via The Verge).

The app, according to the researchers, was released to the Play Store on September 19, 2021. Almost a year later, in August 2022, the app's developers released version 1.3.8, after which the malicious behavior began.

What is the app's purpose?

The researchers say that, apart from providing genuine screen recording functionality, the malicious iRecorder app can record surrounding audio from a phone's microphone and upload it to the attacker's command and control (C&C) server.

It can also upload files from the device that have extensions that represent saved web pages, images, audio, video, and document files. It can also upload file formats that are used to compress multiple files.

How does the app steal data?

When it was first launched, the app did not have any malicious code, as previously mentioned. Close to 12 months after its rollout, the developers injected malicious code into the app, which was when things went wrong. The malicious code added to the app was based on the open-source AhMyth Android RAT (remote access trojan); the researchers refer to the resulting variant as AhRat.

AhMyth RAT, the original trojan, can exfiltrate call logs, contacts, and text messages. It can also get a list of files on the device, find the location of the device, send SMS messages, record audio, and take pictures. AhRat also came with similar capabilities, by extension.

According to the researchers, app permissions like these would normally raise suspicion. However, they are consistent with what any screen recording app requests, so the developers were able to add the malicious code without needing any additional permissions.

The researchers added, "Upon installation, the malicious app behaved as a normal app without any special additional permission requests that might have revealed its malicious intentions."

The trojan was sending files that represented web pages, images, audio, video, and document files to its developers. These files included zip, rar, jpg, jpeg, jpeg, jif, jfif, jfi, png, mp3, mp4, mkv, 3gp, m4v, mov, avi, gif, webp, tiff, tif, heif, heic, b

What is Google doing about it?

The app's malicious behavior was flagged by ESET researchers to Google, which then removed it from the Play Store. By then, however, the app had already been downloaded multiple times.
