Popular Android Screen Recording App Found to Spy on Users, Stealing Microphone Recordings and Documents

Cybersecurity Firm Discovers Malicious Code in “iRecorder — Screen Recorder” App

A widely used Android screen recording app, “iRecorder — Screen Recorder,” has been found to covertly spy on its users, including the unauthorized collection of microphone recordings and documents from their devices. The discovery was made by cybersecurity firm ESET, which found that malicious code was introduced into the app through an update nearly a year after its initial release on Google Play.

Malicious Code Allowed Covert Surveillance and Data Exfiltration

ESET’s investigation revealed that the malicious code, known as AhRat, allowed the app to covertly transmit one minute of ambient audio recorded by the device’s microphone every 15 minutes. Furthermore, it possessed the ability to extract different forms of sensitive data, including documents, web pages, and media files, from the user’s phone without their awareness or consent.

App Removed from Google Play, Users Advised to Delete

After its malicious activities were discovered, “iRecorder — Screen Recorder” was removed from Google Play. Users who have previously installed the app are strongly recommended to delete it from their devices immediately. At the time of its removal, the app had already amassed over 50,000 downloads.

AhRat: A Customized Version of AhMyth Remote Access Trojan

ESET has identified the malicious code as AhRat, a modified version of AhMyth, an open-source remote access trojan. Remote access trojans, commonly referred to as RATs, exploit the extensive access they gain to a victim’s device, often functioning as spyware or stalkerware. This type of malware allows malicious actors to remotely control the infected device.

Researcher Highlights Malware’s Stealthy Integration

Lukas Stefanko, a security researcher at ESET, discovered the malware and provided insights into its behavior. The iRecorder app had no malicious features when it was launched in September 2021. Once the AhRat code was introduced through an app update, however, the malware stealthily accessed the user’s microphone and covertly uploaded phone data to a server controlled by the malware operator. Stefanko emphasized that the audio recording functionality fit within the app’s existing permissions model, since the app already required access to the device’s microphone for its intended purpose of capturing screen recordings.

Unknown Culprit and Potential Espionage Campaign

The identity and motive of whoever added the malicious code remain unknown. TechCrunch contacted the developer at the email address that was listed before the app’s removal but has yet to receive a response. Lukas Stefanko believes that the AhRat code is likely part of a broader espionage campaign, often driven by governmental or financial motivations. He also noted how unusual it is for a developer to upload a legitimate app and then update it with malicious code after a significant delay.

App Store Screening Processes and Preemptive Measures

While the presence of harmful apps in app stores is not uncommon, this incident highlights the persistent challenge of keeping malicious software at bay. Both Google and Apple employ screening processes to detect malware before allowing apps to be listed for download. These measures are occasionally accompanied by proactive actions, such as removing apps that could pose a risk to users. Over the course of the previous year, Google blocked more than 1.4 million privacy-violating apps from being listed on Google Play.

The discovery of the spying capabilities hidden within the iRecorder app serves as a reminder for users to remain vigilant when downloading applications and to promptly uninstall any suspicious or potentially harmful software from their devices.
