Google has eradicated a screen recording app named “iRecorder – Display screen Recorder” from the Enjoy Store right after it was discovered to sneak in facts stealing capabilities practically a yr soon after the application was released as an innocuous app.
The application (APK offer identify “com.tsoft.app.iscreenrecorder”), which accrued in excess of 50,000 installations, was 1st uploaded on September 19, 2021. The destructive operation is believed to have been introduced in edition 1.3.8, which was introduced on August 24, 2022.
“It is rare for a developer to add a legitimate application, wait practically a year, and then update it with destructive code,” ESET security researcher Lukáš Štefanko stated in a technical report.

Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
“The destructive code that was included to the thoroughly clean variation of iRecorder is primarily based on the open up source AhMyth Android RAT (distant obtain trojan) and has been custom-made into what we named AhRat.”
iRecorder was very first flagged as harboring the AhMyth trojan on October 28, 2022, by Kaspersky security analyst Igor Golovin, indicating that the app managed to continue to be accessible all this time and even gained a new update as not long ago as February 26, 2023.
The application’s malicious conduct specifically requires extracting microphone recordings and harvesting documents with specific extensions, with ESET describing AhRat as a lightweight model of AhMyth.
The details accumulating attribute points to a achievable espionage motive, while there is no evidence to backlink the action to any acknowledged danger actor. Nevertheless, AhMyth has been beforehand utilized by Transparent Tribe in attacks focusing on South Asia.
iRecorder is the do the job of a developer named Coffeeholic Dev, who has also released various other apps about the many years. None of them are obtainable as of producing –
- iBlock (com.tsoft.app.iblock.ad)
- iCleaner (com.isolar.icleaner)
- iEmail (com.tsoft.app.email)
- iLock (com.tsoft.application.ilock)
- iVideoDownload (com.tsoft.application.ivideodownload)
- iVPN (com.ivpn.speed)
- File speaker (com.teasoft.filespeaker)
- QR Saver (com.teasoft.qrsaver)
- Tin nóng tin lạnh (browse: Hot information and cold information in Vietnamese) (com.teasoft.news)
This enhancement is just the most up-to-date example of malware adopting a strategy referred to as versioning, which refers to uploading a clear model of the app to the Engage in Retailer to create trust amid consumers and then incorporating malicious code at a later on stage by way of app updates, in a bid to slip by means of the app evaluation method.
“The AhRat research case serves as a superior case in point of how an in the beginning authentic software can renovate into a destructive one particular, even soon after quite a few months, spying on its buyers and compromising their privacy,” Štefanko claimed.
Identified this write-up fascinating? Abide by us on Twitter and LinkedIn to read through much more unique written content we write-up.
Some components of this post are sourced from:
thehackernews.com