A cybersecurity firm has revealed that a widely-used Android screen recording app, “iRecorder — Screen Recorder,” had been spying on its users and stealing sensitive information, such as microphone recordings and documents, from their phones. ESET’s research discovered that the malicious code was introduced to the app as an update nearly a year after its initial listing on Google Play.
The malicious code, named AhRat by ESET, was a customized version of the open-source remote access trojan (RAT) called AhMyth. It enabled the app to secretly upload one minute of ambient audio from the device’s microphone every 15 minutes, as well as extract documents, web pages, and media files from the user’s phone.
Following the discovery, the app has been removed from Google Play. If you have installed the app, it is crucial to delete it from your device. By the time the app was pulled from the store, it had already accumulated over 50,000 downloads.
Lukas Stefanko, a security researcher at ESET, explained in a blog post that the iRecorder app had no malicious features when it was initially launched in September 2021. However, the AhRat code was later pushed as an update to existing users and new users who downloaded the app directly from Google Play. This update allowed the app to covertly access the user’s microphone and transmit their phone data to a server controlled by the malware operator. Stefanko noted that the audio recording seemed legitimate due to the app’s necessary permissions to capture screen recordings and access the device’s microphone.
The origin of the malicious code and the motives behind it remain unclear. Prozteck attempted to reach out to the developer’s email address listed before the app was removed but has not received a response.
Stefanko suggested that the malicious code is likely part of a larger espionage campaign, where hackers target specific individuals to gather information, sometimes on behalf of governments or for financial gain. He also highlighted the unusual nature of a developer uploading a legitimate app and then updating it with malicious code almost a year later.
While the presence of harmful apps in app stores is not uncommon, nor is it the first instance of AhMyth infiltrating Google Play, both Google and Apple employ screening processes to detect malware and proactively remove risky apps. Google reported blocking over 1.4 million privacy-violating apps from reaching Google Play last year.
