A cybersecurity firm, ESET, has discovered that a widely-used Android screen recording app, “iRecorder — Screen Recorder,” began spying on its users after a malicious code update. The app, which had gained tens of thousands of downloads on Google’s app store, stealthily uploaded one minute of ambient audio from the device’s microphone every 15 minutes. Additionally, it exfiltrated documents, web pages, and media files from the user’s phone.
The app has since been removed from Google Play, and users are advised to delete it from their devices. By the time the malicious app was taken down, it had already accumulated over 50,000 downloads.
ESET has named the malicious code AhRat, a customized version of the open-source remote access trojan AhMyth. Remote access trojans exploit broad access to a victim’s device, often enabling remote control and functioning similarly to spyware and stalkerware.
Lukas Stefanko, a security researcher at ESET, discovered the malware and noted that the iRecorder app initially did not contain any malicious features when it was launched in September 2021. However, the AhRat code was introduced later as an app update, which granted it unauthorized access to the user’s microphone and allowed it to upload phone data to a server controlled by the malware operator.
The motive behind planting the malicious code remains unclear, as well as the identity of the perpetrator. Stefanko believes it is part of a broader espionage campaign, where hackers gather information on specific targets for various reasons, including government-backed operations or financial motivations.
While occasional instances of malicious apps slipping through app store screenings occur, it is unusual for a developer to upload a legitimate app, wait a considerable amount of time, and then introduce malicious code. Both Google and Apple actively screen apps for malware, but occasionally, apps with harmful intent make their way onto the platforms. Google reported blocking over 1.4 million privacy-violating apps from reaching Google Play last year.
