A cybersecurity company says that after getting tens of thousands of downloads from Google’s app store, a popular Android screen recording app started spying on its users by stealing microphone recordings and other files from their phones.
ESET found that the malicious code was added to the Android app “iRecorder — Screen Recorder” as an update almost a year after it was first put on Google Play. ESET says that the code let the app upload a minute of ambient sound from the device’s microphone every 15 minutes and steal documents, web pages, and media files from the user’s phone.
The app is no longer listed on Google Play. If you already have the app on your device, you should delete it. Before the malicious app was taken off the app store, it had been downloaded more than 50,000 times.
ESET calls the malicious code AhRat. It is a modified version of an open source remote access trojan called AhMyth. Remote access trojans, or RATs, take advantage of the broad access they have to a victim’s device. They can often be controlled remotely, but they also work like spyware and stalkerware.
Lukas Stefanko, a security researcher at ESET, found the malware. In a blog post, he said that when the iRecorder app first came out in September 2021, it didn’t have any harmful features. Once the malicious AhRat code was pushed as an app update to existing users (and to new users who downloaded the app directly from Google Play), the app started stealthily accessing the user’s microphone and sending the user’s phone data to a server controlled by the malware’s operator. Stefanko said that the audio recording “fit within the already defined app permissions model,” since the app was made to record the device’s screen and would ask to use the microphone.
It’s not clear who added the malicious code or why. It could have been the developer or someone else. Stefanko said that the malicious code is probably part of a larger espionage campaign. Espionage is when hackers work to gather information on targets of their choice, sometimes for the government or to make money. He said, “It’s rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code.”
Malicious apps don’t always make it into app stores, and this isn’t the first time AhMyth has gotten into Google Play. Both Google and Apple check apps for malware before putting them on their stores, and they sometimes take down apps that could put users in danger. Google said last year that it stopped more than 1.4 million privacy-violating apps from getting to Google Play.