Image: Google Play Store
A cybersecurity company claims that after amassing tens of thousands of downloads on Google’s app store, a popular Android screen recording app started spying on its users, including by capturing microphone recordings and other data from the user’s phone.
ESET’s investigation revealed that the malicious code was added as part of an app update for the Android app “iRecorder — Screen Recorder,” which was released over a year after it was first made available on Google Play. According to ESET, the code allowed the app to exfiltrate documents, web pages, and media files from the user’s phone as well as covertly upload one minute of background audio from the device’s microphone every 15 minutes.
The app is no longer available on Google Play. If you have it installed, remove it from your phone. The rogue app had more than 50,000 downloads by the time it was pulled from the store.
ESET calls the malware AhRat; it is a modified version of the open source remote access trojan known as AhMyth. Remote access trojans, often known as RATs, behave much like spyware and stalkerware: they exploit the broad access they have to a victim’s device and frequently include remote control capabilities.
The malware was found by Lukas Stefanko, an ESET security researcher, who said in a blog post that the iRecorder software did not have any dangerous components when it was first released in September 2021.
Once existing users (and new users who would download the app directly from Google Play) were exposed to the malicious AhRat code, the app started covertly monitoring the user’s microphone and transferring the user’s phone data to a server run by the malware’s creator. Stefanko said that the audio recording “fit within the already defined app permissions model,” given that the app was created specifically to record screen recordings from the device and would request access to the microphone.
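The point Stefanko makes above is that a permission review alone would not have caught this: a screen recorder legitimately holds the microphone permission, so the distinguishing signal is the cadence (one minute of audio every 15 minutes, while the app is not being used), not the permission. The script below is an added example, not code from the article or from ESET, that runs that cadence check over a microphone-usage audit log. The log format, package names and timestamps are constructed for the example; a real deployment would feed it from whatever microphone-access telemetry the device or MDM exposes.

```python
"""Flag apps that capture microphone audio in the background on a fixed cadence.

Added example (not from the article or from ESET). The behaviour described in
the article, short background recordings on a regular schedule, fits the
permissions a screen recorder legitimately holds, so this check looks at the
timing of microphone use rather than at the permission itself.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed microphone-usage audit log (not real telemetry):
# timestamp, package name, capture length in seconds, and whether the app
# was in the foreground ("fg") or background ("bg") at the time.
SAMPLE_LOG = """\
2023-05-01T09:00:00 com.example.screenrec 60 bg
2023-05-01T09:15:00 com.example.screenrec 60 bg
2023-05-01T09:30:00 com.example.screenrec 61 bg
2023-05-01T09:45:00 com.example.screenrec 60 bg
2023-05-01T10:00:00 com.example.screenrec 60 bg
2023-05-01T09:05:00 com.example.voicememo 312 fg
2023-05-01T11:40:00 com.example.voicememo 95 fg
2023-05-01T12:02:00 com.example.messenger 14 bg
2023-05-01T13:30:00 com.example.messenger 9 fg
"""


def parse_log(text):
    """Group capture events by package, sorted by time.

    Each event becomes (timestamp, duration_seconds, in_foreground)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, package, seconds, state = line.split()
        events[package].append((datetime.fromisoformat(ts), int(seconds), state == "fg"))
    for package in events:
        events[package].sort()
    return dict(events)


def periodic_background_capture(captures, min_events=3, tolerance=0.2):
    """Return (interval_seconds, duration_seconds) when the package's background
    captures recur on a regular schedule with similar lengths, else None.

    tolerance is the allowed relative deviation from the median gap/duration."""
    bg = [(ts, secs) for ts, secs, fg in captures if not fg]
    if len(bg) < min_events:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(bg, bg[1:])]
    med_gap = median(gaps)
    if med_gap <= 0 or any(abs(g - med_gap) > tolerance * med_gap for g in gaps):
        return None
    durations = [secs for _, secs in bg]
    med_dur = median(durations)
    if any(abs(d - med_dur) > tolerance * med_dur for d in durations):
        return None
    return med_gap, med_dur


def find_suspects(text):
    """Map each package with periodic background microphone use to its cadence."""
    suspects = {}
    for package, captures in parse_log(text).items():
        cadence = periodic_background_capture(captures)
        if cadence is not None:
            suspects[package] = cadence
    return suspects


if __name__ == "__main__":
    for package, (gap, dur) in find_suspects(SAMPLE_LOG).items():
        print(f"{package}: ~{dur:.0f}s of background audio every ~{gap / 60:.0f} min")
```

On the constructed log only `com.example.screenrec` is reported (one minute every 15 minutes); the voice memo app records only in the foreground and the messenger app has a single short background capture, so neither trips the check. The tolerance keeps small jitter from hiding a schedule, while the minimum event count avoids flagging a one-off.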
It’s unclear who, if anyone other than the developer, planted the malicious code, or why. Before the app was removed, the developer’s email address was shown on its Google Play listing. TechCrunch emailed that address but has not heard back.
According to Stefanko, the malicious code is probably a component of a larger espionage campaign, in which hackers attempt to gather data on targets of their choosing, occasionally for governmental or commercial purposes. According to him, it is “rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code.”
It’s not unusual for subpar applications to find their way into app stores, and AhMyth entering Google Play is nothing new either. Both Google and Apple check apps for malware before allowing users to download them, and they occasionally take proactive action to remove programs when they potentially endanger consumers. Google claimed to have stopped more than 1.4 million privacy-invading apps from appearing on Google Play last year.