A cybersecurity firm has uncovered alarming evidence that a once-popular Android screen recording app, “iRecorder — Screen Recorder,” had been secretly spying on its users. This app had amassed tens of thousands of downloads on Google Play before it was discovered to contain malicious code. The firm, ESET, found that the app introduced this code as an update almost a year after its initial listing, enabling it to surreptitiously gather audio recordings, documents, web pages, and media files from users’ devices. In this article, we delve into the details of this concerning incident and shed light on the actions users should take to protect themselves.

ESET researchers named the malicious code “AhRat,” a customized version of the open-source remote access trojan AhMyth. Remote access trojans are notorious for exploiting the broad access they have to victims’ devices, enabling activities that resemble spyware and stalkerware. Initially, when the iRecorder app was launched in September 2021, it did not contain any malicious features.

However, the situation changed when the app’s developer pushed the AhRat code as an update to existing users and new users who downloaded the app from Google Play. Following the update, the app covertly accessed users’ microphones, allowing it to upload a minute of ambient audio every 15 minutes to a server controlled by the malware’s operator. The app also extracted various types of data, including documents, web pages, and media files. The audio recording did not stand out as suspicious, since the app already required access to the microphone for capturing screen recordings.

Once the malicious activities of the iRecorder app were discovered, Google promptly removed it from Google Play. However, by that time, the app had amassed over 50,000 downloads, highlighting the potential scale of the security breach. It is crucial for users who have installed this app to delete it immediately from their devices to mitigate the risk of further privacy violations.

The origins of the malicious code remain unknown. It is unclear whether the developer was responsible or if someone else injected the code into the app. The security researcher who uncovered the malware, Lukas Stefanko from ESET, believes that this malicious code is likely part of a broader espionage campaign. Espionage campaigns typically involve hackers collecting information on specific targets for various purposes, including government-sponsored operations or financially motivated activities. Stefanko noted that it is uncommon for developers to introduce malicious code after such a significant time delay, making this incident particularly concerning.

Instances of malicious apps infiltrating app stores are not unheard of, and AhMyth has previously found its way into Google Play. Both Google and Apple employ measures to screen apps for malware before listing them for download, often taking proactive steps to remove apps that pose risks to users. In fact, Google reported blocking over 1.4 million privacy-violating apps from reaching Google Play last year. Despite these efforts, the discovery of iRecorder’s spying capabilities serves as a reminder that vigilance is necessary when downloading apps, even from reputable sources.

The revelation of the iRecorder app’s secret spying activities has raised significant concerns about user privacy and app store security. With tens of thousands of downloads, this incident highlights the potential reach and impact of such malicious apps. Users should remain cautious and exercise due diligence when downloading apps, promptly removing any suspicious or untrustworthy applications from their devices. Staying informed about the evolving threats and adopting security best practices can help ensure a safer mobile experience for everyone.