{"id":2519,"date":"2023-06-27T04:42:06","date_gmt":"2023-06-27T11:42:06","guid":{"rendered":"https:\/\/www.ssls.com\/blog\/?p=2519"},"modified":"2023-12-06T07:56:23","modified_gmt":"2023-12-06T15:56:23","slug":"a-popular-screen-recording-android-app-started-secretly-recording-its-users","status":"publish","type":"post","link":"https:\/\/www.ssls.com\/blog\/a-popular-screen-recording-android-app-started-secretly-recording-its-users\/","title":{"rendered":"A popular screen-recording Android app started secretly recording its&nbsp;users"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/www.ssls.com\/blog\/wp-content\/uploads\/SSL_Blog_secretly-recording.png\" alt=\"\" class=\"wp-image-2327\"\/><\/figure>\n\n\n\n<p>The longtime best practice for anyone using apps on their devices is to only download them from official stores like Google Play or the iOS App Store. Official stores have means to generally prevent malicious apps from being listed. Though, that doesn\u2019t mean bad apps never slip through the cracks. It also doesn\u2019t mean that a once legitimate app can\u2019t subsequently have malicious code added to it down the line.&nbsp;<br><\/p>\n\n\n\n<!--more-->\n\n\n\n<p>This is what happened with an Android app called \u201ciRecorder \u2014 Screen Recorder,\u201d according to research <a href=\"https:\/\/www.welivesecurity.com\/2023\/05\/23\/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration\/\">from ESET<\/a>. The seemingly innocuous recording app first appeared in the Google Play Store on September 19th, 2021, and had over 50,000 installs before it was pulled from the app store. Malicious functionality was likely added just under a year after it was first listed, in August 2022.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Spying on users<\/h2>\n\n\n\n<p>At first, the app only did what it advertised: provide a means for users to record their screens. 
However, with the malicious update, every 15 minutes, the app began recording surrounding audio from the device\u2019s microphone and uploading it to the malicious actor\u2019s server. In addition to the audio recordings, the app was also able to exfiltrate certain documents, saved web pages, images, and videos from victims\u2019 phones.<\/p>\n\n\n\n<p>Because these files had specific extensions, the ESET researchers believe that the app may have been a part of an espionage campaign, but they haven\u2019t identified a particular malicious group that owned the app. It also isn\u2019t clear whether the developer made the malicious update or if another group hijacked the app. Upon discovering the app and its dubious activities in March 2023, ESET notified Google, and the app was promptly removed from the Play Store.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">More about the malicious code<\/h2>\n\n\n\n<p>The legitimate app was made malicious by code based on the open-source AhMyth Android RAT (remote access trojan). ESET researchers call it AhRat. Malicious actors can use RATs to access a victim\u2019s device and remotely control or surveil it. Potential negative functions can include recording and stealing files from the victim, as in this case, as well as tracking the device\u2019s location, taking pictures, and sending SMS messages. AhRat did not take any of the latter actions, suggesting it only functioned within the predefined permissions of the app to avoid suspicion.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Preventative measures<\/h2>\n\n\n\n<p>It\u2019s certainly problematic for users that a once legitimate app from an official app store can turn malicious down the line. How can you <a href=\"https:\/\/www.ssls.com\/\">secure<\/a> yourself against something that shouldn\u2019t be permitted to happen? 
Fortunately, Android 11 and higher implement app hibernation, which puts apps that have been dormant for several months into a hibernation state, resetting their permissions and protecting users from potential malicious changes. <a href=\"https:\/\/www.theverge.com\/23693781\/google-android-14-features-update-io\">Google<\/a> is also working on sending monthly updates to users regarding apps that have changed their data-sharing practices.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The longtime best practice for anyone using apps on their devices is to only download them from official stores like Google Play or the iOS App Store. Official stores have means to generally prevent malicious apps from being listed. Though, that doesn\u2019t mean bad apps never slip through the cracks. It also doesn\u2019t mean that [&hellip;]<\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-2519","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/2519","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/comments?post=2519"}],"version-history":[{"count":2,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/2519\/revisions"}],"predecessor-version":[{"id":2845,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/posts\/2519\/revisions\/2845"}],"wp:attachment":[{"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/media?parent=2519"}],"wp:term":[{"taxonomy":"category
","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/categories?post=2519"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ssls.com\/blog\/wp-json\/wp\/v2\/tags?post=2519"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}