A cybersecurity company says a popular Android screen recording app, which accumulated tens of thousands of downloads on Google’s app store, later began spying on its users, including stealing microphone recordings and other documents from the user’s phone.
ESET’s investigation revealed that the Android app, “iRecorder — Screen Recorder”, introduced the malicious code as an app update almost a year after it was first listed on Google Play. According to ESET, the code allowed the app to stealthily upload a minute of ambient sound every 15 minutes from the device’s microphone, and exfiltrate documents, web pages and media files from the user’s phone.
The application is no longer listed on Google Play. If you have the app installed, you should uninstall it from your device. By the time the malicious app was pulled from the app store, it had already been downloaded more than 50,000 times.
ESET calls the malicious code AhRat, a modified version of an open-source remote access trojan called AhMyth. Remote access trojans (or RATs) exploit broad access to a victim’s device, often including remote control, but also operate similarly to spyware and stalkerware.
Lukas Stefanko, a security researcher at ESET who discovered the malware, said in a blog post that the iRecorder app did not contain any malicious features when it was first launched in September 2021.
After the malicious AhRat code was pushed to existing users (and to new users who downloaded the app directly from Google Play) as an app update, the app began stealthily accessing the user’s microphone and exfiltrating data from the user’s phone, uploading it to a server controlled by the malware operator. Stefanko said the audio recording “fits within the already defined app permissions model,” as the app is by design meant to capture the device’s screen and would legitimately request access to the device’s microphone.
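The behaviour described above has a recognisable shape: short, regular microphone captures, each followed by a network upload, from an app whose legitimate recording would be user-driven and irregular. The following script is an added example written for this article, not code from ESET, TechCrunch or the app; it runs a cadence heuristic over a constructed device event log (the log format, the package names com.example.recorder and com.example.voicememo, and the thresholds are all assumptions made for illustration) and flags the package whose pattern matches the roughly one-minute-every-15-minutes cadence ESET reported.

```python
"""Heuristic detector for periodic covert microphone capture.

Added example for the article on AhRat; not ESET's or the app's code.
It reads a device event log (constructed below) and flags packages whose
microphone sessions are short, evenly spaced and followed by uploads.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real telemetry). One event per line:
#   <ISO-8601 timestamp> <package> <event> [<bytes>]
# com.example.recorder (hypothetical) shows the cadence ESET described:
# ~60 s of microphone use every 15 minutes, each followed by an upload.
# com.example.voicememo (hypothetical) is a benign app: irregular,
# user-driven recordings of varying length, with a single upload.
SAMPLE_LOG = """\
2023-05-01T10:00:00 com.example.recorder MIC_START
2023-05-01T10:01:00 com.example.recorder MIC_STOP
2023-05-01T10:01:07 com.example.recorder NET_UPLOAD 481920
2023-05-01T10:03:12 com.example.voicememo MIC_START
2023-05-01T10:08:40 com.example.voicememo MIC_STOP
2023-05-01T10:15:00 com.example.recorder MIC_START
2023-05-01T10:16:00 com.example.recorder MIC_STOP
2023-05-01T10:16:06 com.example.recorder NET_UPLOAD 479104
2023-05-01T10:30:01 com.example.recorder MIC_START
2023-05-01T10:31:01 com.example.recorder MIC_STOP
2023-05-01T10:31:09 com.example.recorder NET_UPLOAD 482304
2023-05-01T10:41:30 com.example.voicememo MIC_START
2023-05-01T10:42:05 com.example.voicememo MIC_STOP
2023-05-01T10:42:20 com.example.voicememo NET_UPLOAD 290000
2023-05-01T10:45:00 com.example.recorder MIC_START
2023-05-01T10:46:00 com.example.recorder MIC_STOP
2023-05-01T10:46:05 com.example.recorder NET_UPLOAD 480768
2023-05-01T11:05:00 com.example.voicememo MIC_START
2023-05-01T11:20:00 com.example.voicememo MIC_STOP
"""


def parse_log(text):
    """Return chronologically sorted (timestamp, package, event, bytes) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(parts[0])
        size = int(parts[3]) if len(parts) > 3 else 0
        events.append((ts, parts[1], parts[2], size))
    events.sort(key=lambda e: e[0])
    return events


def analyze(text, min_sessions=3, max_duration_s=120, max_jitter=0.10,
            upload_window_s=120, min_upload_ratio=0.75):
    """Return {package: report}; report['suspicious'] marks the periodic pattern."""
    sessions = defaultdict(list)   # package -> [(start, stop)]
    uploads = defaultdict(list)    # package -> [upload timestamps]
    open_start = {}                # package -> start of an unclosed MIC_START
    for ts, pkg, ev, _size in parse_log(text):
        if ev == "MIC_START":
            open_start[pkg] = ts
        elif ev == "MIC_STOP" and pkg in open_start:
            sessions[pkg].append((open_start.pop(pkg), ts))
        elif ev == "NET_UPLOAD":
            uploads[pkg].append(ts)

    reports = {}
    for pkg, sess in sessions.items():
        durations = [(stop - start).total_seconds() for start, stop in sess]
        starts = [start for start, _ in sess]
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        # An upload "follows" a session if it lands within the window after MIC_STOP.
        followed = sum(
            any(0 <= (up - stop).total_seconds() <= upload_window_s for up in uploads[pkg])
            for _, stop in sess
        )
        regular = len(gaps) >= 2 and mean(gaps) > 0
        report = {
            "sessions": len(sess),
            "mean_duration_s": mean(durations),
            "mean_gap_s": mean(gaps) if gaps else None,
            # Relative spread of the gaps: near 0 means a timer, not a human.
            "gap_jitter": (pstdev(gaps) / mean(gaps)) if regular else None,
            "upload_ratio": followed / len(sess),
        }
        report["suspicious"] = (
            len(sess) >= min_sessions
            and report["mean_duration_s"] <= max_duration_s
            and report["gap_jitter"] is not None
            and report["gap_jitter"] <= max_jitter
            and report["upload_ratio"] >= min_upload_ratio
        )
        reports[pkg] = report
    return reports


def suspicious_packages(text, **thresholds):
    """Sorted list of packages whose report is flagged as suspicious."""
    return sorted(pkg for pkg, r in analyze(text, **thresholds).items() if r["suspicious"])


if __name__ == "__main__":
    for pkg, r in analyze(SAMPLE_LOG).items():
        print(pkg, r)
```

The point of the heuristic is that permission checks alone cannot separate the two packages: both legitimately hold the microphone permission. What distinguishes the implant is timing, not capability, which is why the check keys on session length, gap regularity and the upload that follows each capture rather than on the permission set.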
It’s not clear who planted the malicious code, whether the developer or someone else, or for what reason. TechCrunch has emailed the developer’s email address that was on the app’s listing before it was taken down, but hasn’t heard back yet.
Stefanko said the malicious code is likely part of a wider espionage campaign – where hackers collect information on targets of their choosing – sometimes on behalf of governments or for financially motivated reasons. He said it’s “rare for a developer to upload a legitimate app, wait nearly a year, and then update it with malicious code.”
It’s not uncommon for bad apps to sneak into app stores, and it’s not the first time AhMyth has made its way onto Google Play either. Both Google and Apple screen apps for malware before offering them for download, and sometimes act proactively to pull apps that could put users at risk. Last year, Google said it prevented more than 1.4 million privacy-violating apps from reaching Google Play.