A cybersecurity group claims that a popular Android screen recording app with tens of thousands of downloads on Google’s app store began spying on its users, capturing microphone recordings and other phone data.
ESET observed that the Android app “iRecorder — Screen Recorder” received the malicious code as an app update almost a year after it was listed on Google Play. ESET said the code allowed the app to silently upload a minute of ambient audio from the device’s microphone every 15 minutes and to exfiltrate documents, web pages, and media files from the phone.
The app is no longer in Google Play. If you installed it, delete it. The fraudulent program was removed from the app store after 50,000 downloads.
ESET calls the malicious code AhRat, a customized version of AhMyth, an open-source remote access trojan. Remote access trojans (RATs) can remotely manipulate a victim’s device and act like spyware and stalkerware.
In September 2021, the iRecorder app had no dangerous functionality, according to ESET security researcher Lukas Stefanko.
After the malicious AhRat code was distributed as an app update to existing users (and to new users who downloaded the app directly from Google Play), the program began secretly accessing the user’s microphone and transferring phone data to a server controlled by the malware’s operator. Since the program was built to take screen recordings and request microphone access, Stefanko stated the audio recording “fit within the already defined app permissions model.”
It is unclear whether the developer or someone else planted the malicious code, and why. A message sent to the developer’s email address, taken from the app’s listing before it was pulled, has not received a reply.
Stefanko said the malicious code is likely part of an espionage campaign, in which hackers gather information on targets for governments or for profit. “Rarely does a developer upload a legitimate app, wait almost a year, and then update it with malicious code,” he said.
AhMyth is hardly the first terrible app to sneak into Google Play. Google and Apple check apps for viruses before listing them for download, and they sometimes remove unsafe programs. Google blocked 1.4 million privacy-violating apps from Google Play last year.