This legit Android app turned into mic-snooping malware – and Google missed it

File-stealing nasty in my Play store? Preposterous!!1


Google Play has been caught with its cybersecurity pants down yet again after a once-legit Android screen-and-audio recorder app was updated to include malicious code that listened in on device microphones.

Potentially tens of thousands of people downloaded the software before ESET researchers found the hidden malware and alerted Google, which pulled the app from its online store.

The application in question, iRecorder – Screen Recorder, was first published in 2021. It spent nearly a year in Google Play without a hint of nefarious behavior before an August 2022 update, we're told, added a secret remote-control backdoor.

The backdoor code was based on AhMyth, a piece of GitHub-hosted "not for malicious use" spyware that's been found in Play Store apps before.

The implementation of AhMyth in the updated Android app has been dubbed AhRat by ESET. We're told the software nasty recorded snippets of audio from an infected device's microphone. AhRat can also be instructed to exfiltrate files "with extensions representing web pages, images, audio, video, and document files, and file formats used for compressing multiple files," said ESET's Lukas Stefanko, who authored a 2019 report of two previous instances of AhMyth found in the Play store.

AhRat lacks many of the features of its parent malware, which Stefanko said indicates that it may be a lightweight variant designed to better hide itself inside a legitimate application. "These functionalities appeared to fit within the already defined app permissions model, which grants access to files on the device and permits recording of audio," Stefanko explained.

"Upon installation of the malicious app, it behaved as a standard app without any special extra permission requests that might have revealed its malicious intentions," Stefanko added.

ESET said it hasn't spotted AhMyth anywhere else in the wild, and that the app and all other items made by its mysterious developer were removed from the Google Play Store once reported. It's not clear precisely how long the malicious version of the recording app was available on Google Play nor how many people exactly were hit by it; ESET only said that the software had surpassed 50,000 downloads in Google's souk.

Stefanko noted in the report that the recording app remains available on some alternative and unofficial Android app markets, and that the developer has published several other Android tools, none of which contain malicious code.

"It is possible that the app developer had intended to build up a user base before compromising their Android devices through an update or that a malicious actor introduced this change in the app; so far, we have no evidence for either of these hypotheses," Stefanko noted.

More like Google Play Infect

We've been down this malware-laden road with Google Play many times before, but this one is particularly egregious given the fact the malware that slipped through the cracks has (or its parent code has, at least) been found on Google Play already. By extension, one would think AhMyth indicators would be included in Google's scanning systems.

The on-device picture isn't much better for Google security.

In 2017, Google's Play Protect on-device anti-malware platform scored dead last in tests of its ability to detect malware compared to third-party Android malware detection platforms. It's been a while since then, and Play Protect has climbed a few spots in more recent versions of the report that placed it there. It's still nowhere near the head of the pack, though, so ensure your Android device has multiple layers of protection. Or perhaps just avoid apps from unknown developers.

We reached out to Google to ask how it managed to miss the malicious update for nearly a year, and haven't heard back yet. ®
