ESET, a cybersecurity firm, has warned that the once-popular Android screen recording app, iRecorder — Screen Recorder, has been secretly uploading users' microphone recordings and other data from their phones. The covert spying began after the application received a malicious code update, nearly a year after its initial listing on Google Play.
During its investigation, ESET found that the malicious code was added to iRecorder — Screen Recorder almost a year after the app was first listed on Google Play. The code enabled the app to quietly upload a minute's worth of ambient audio from the device's microphone every 15 minutes and to steal documents, web pages, and media files from the device.
The app, which had accumulated more than 50,000 downloads before its removal, is no longer listed on Google Play. Users who installed it have been advised to delete it from their device immediately.
The malicious code, dubbed AhRat by ESET, is a modified version of an open-source remote access trojan (RAT) called AhMyth. A RAT gives its operator broad remote control over the victim's device, so in practice it behaves much like spyware and stalkerware: it can read files, capture audio and exfiltrate data on command.
ESET security researcher Lukas Stefanko, who discovered the malware, said in a blog post that the iRecorder app contained no malicious features when it first launched in September 2021. The malicious AhRat code was pushed as an app update to existing users, as well as to new users who downloaded the app directly from Google Play. Subsequently, the app began secretly accessing the microphone and uploading phone data to a server controlled by the malware's operator. Stefanko explained that the audio recording stayed within the app's declared permissions, since a screen recorder by design captures the screen and requests microphone access. In practice this means the malicious update triggered no new permission prompt: the microphone permission users had already granted for a legitimate feature also covered the covert recording, so a permission-based review of the update would have shown nothing unusual.
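The two points above, that a trojanized update can reuse permissions the app already held and that the implant uploads audio on a fixed 15-minute cadence, suggest two concrete checks. The following Python is an added example written for this page; it is not ESET's tooling nor code from the iRecorder app. It diffs the `uses-permission` declarations of two constructed manifests (a hypothetical `com.example.screenrec` app, not the real iRecorder manifest) to show that a permission diff alone finds nothing, and then runs a simple beaconing detector over constructed egress log lines (hypothetical log format, TEST-NET addresses) to flag a destination that receives POST uploads at a near-constant interval.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime
from statistics import median

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifests for a hypothetical screen-recorder app (NOT the real
# iRecorder manifests). Version 2 declares exactly the same permissions as
# version 1: an update that only reuses RECORD_AUDIO and INTERNET leaves
# nothing for a permission diff to notice.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.screenrec" android:versionCode="10">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""
MANIFEST_V2 = MANIFEST_V1.replace('android:versionCode="10"', 'android:versionCode="24"')


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}


def permission_diff(old_xml, new_xml):
    """Return (added, removed) permissions between two manifest versions."""
    old, new = declared_permissions(old_xml), declared_permissions(new_xml)
    return sorted(new - old), sorted(old - new)


# Constructed egress log lines in a hypothetical format. 203.0.113.5 receives
# a POST upload roughly every 15 minutes; 198.51.100.9 is ordinary, irregular
# app traffic; the last line is deliberately malformed.
SAMPLE_LOG = """\
2023-05-01T10:00:03Z src=10.0.0.7 dst=203.0.113.5:443 method=POST path=/api/upload bytes=96120
2023-05-01T10:02:00Z src=10.0.0.7 dst=198.51.100.9:443 method=GET path=/feed bytes=0
2023-05-01T10:03:30Z src=10.0.0.7 dst=198.51.100.9:443 method=POST path=/like bytes=210
2023-05-01T10:15:05Z src=10.0.0.7 dst=203.0.113.5:443 method=POST path=/api/upload bytes=95880
2023-05-01T10:30:02Z src=10.0.0.7 dst=203.0.113.5:443 method=POST path=/api/upload bytes=96304
2023-05-01T10:45:06Z src=10.0.0.7 dst=203.0.113.5:443 method=POST path=/api/upload bytes=96002
2023-05-01T10:50:00Z src=10.0.0.7 dst=198.51.100.9:443 method=POST path=/like bytes=198
2023-05-01T11:00:04Z src=10.0.0.7 dst=203.0.113.5:443 method=POST path=/api/upload bytes=96211
2023-05-01T11:20:00Z src=10.0.0.7 dst=198.51.100.9:443 method=POST path=/like bytes=205
2023-05-01T11:21:00Z src=10.0.0.7 dst=198.51.100.9:443 method=POST path=/like bytes=201
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) bytes=(?P<bytes>\d+)$"
)


def find_beacons(lines, min_events=4, max_jitter=0.10):
    """Group POST uploads by (src, dst) and flag pairs whose gaps between
    uploads are nearly constant. Returns {(src, dst): median_gap_seconds}."""
    uploads = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue  # malformed lines and non-upload requests are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        uploads[(m["src"], m["dst"])].append(ts)

    beacons = {}
    for key, stamps in uploads.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        # Low spread relative to the median gap means a timer, not a human.
        if mid > 0 and (max(gaps) - min(gaps)) / mid <= max_jitter:
            beacons[key] = mid
    return beacons


if __name__ == "__main__":
    added, removed = permission_diff(MANIFEST_V1, MANIFEST_V2)
    print("permissions added by update:", added or "none")
    for (src, dst), gap in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{src} -> {dst}: POST upload every ~{gap / 60:.0f} min")
```

The permission diff comes back empty, which is exactly the lesson of this case: the update has to be judged on its behaviour, not on its manifest. The cadence check is deliberately crude (a fixed jitter bound on a single source/destination pair); a real deployment would also look at payload sizes, which for one minute of compressed audio are suspiciously uniform, and at whether the destination is one the app's legitimate features ever contact.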
The identity of the perpetrator who planted the malicious code and their motive for doing so remains unknown. TechCrunch reached out to the developer's email address, which was listed on the app's listing before it was removed, but has not received a response thus far.
Stefanko suggested that the malicious code is likely part of a wider espionage campaign. Such activities are aimed at collecting information on targeted individuals or entities, usually for political or financial gain. Stefanko noted that it is unusual for a developer to upload a legitimate app, wait nearly a year, and then update it with malicious code.
While Google and Apple screen apps for malware before listing them for download, it is not uncommon for harmful apps to slip through, and this case shows why: the malicious code arrived in an update to an app that had already passed review. In some cases, the stores proactively remove apps that could put users at risk. Google reported last year that it had prevented over 1.4 million policy-violating apps from reaching Google Play. iRecorder — Screen Recorder's users learned that a trusted app can turn hostile in a later update; teams building their own applications can reduce that exposure by controlling the build pipeline themselves, for example with AppMaster.io's no-code platform, which lets users create backend, web and mobile applications through a visual interface and generates the application code from that design.