
ESET reports that an Android app was secretly spying on its users. iRecorder – Screen Recorder introduced malicious code through an app update almost a year after its initial listing on Google Play. ESET’s research exposed that this code enabled the app to covertly upload one minute of ambient audio from the device’s microphone. It could do this every 15 minutes and extract documents, web pages, and media files from the user’s phone.

Following the revelation, the app has been removed from Google Play. If you have the app installed, deleting it from your device is strongly advised. Dubbed AhRat by ESET, the malicious code represents a customized version of an open-source remote access trojan called AhMyth. Remote access trojans, commonly called RATs, take advantage of their extensive access to a victim’s device. They often encompass remote control functions while functioning similarly to spyware and stalkerware.

The app had over 50,000 downloads before removal

Lukas Stefanko, a security researcher at ESET who uncovered the malware, shared in a blog post that the iRecorder app displayed no malicious features when it first launched in September 2021.

However, once the malevolent AhRat code was introduced as an update to existing users and new users who downloaded the app directly from Google Play, it secretly gained access to the user’s microphone. It transmitted the phone’s data to a server controlled by the malware operator.

Stefanko noted that the audio recordings “fit within the already defined app permissions model.” The app inherently required access to the device’s microphone due to its purpose of capturing screen recordings.
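Because the recording stayed inside permissions the app already held, a review of requested permissions would not have flagged it; what stands out in ESET's description is the behaviour: microphone capture from the background on a fixed 15-minute cadence. The following is an added example, not ESET's or the app's code, that applies such a heuristic to constructed, simplified microphone-access records (the package names and record format are assumptions, not a real Android audit log):

```python
"""Flag apps that capture microphone audio on a fixed schedule while in the
background, the pattern described for AhRat. Added example, not ESET's code;
the record format below is a constructed simplification, not a real
Android AppOps dump."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: epoch seconds, package, operation, foreground/background.
SAMPLE_LOG = """\
1700000000 com.example.irecorder RECORD_AUDIO bg
1700000060 com.example.irecorder RECORD_AUDIO_END bg
1700000900 com.example.irecorder RECORD_AUDIO bg
1700001800 com.example.irecorder RECORD_AUDIO bg
1700002700 com.example.irecorder RECORD_AUDIO bg
1700000300 com.example.voicememo RECORD_AUDIO fg
1700004100 com.example.voicememo RECORD_AUDIO fg
"""


def parse_log(text):
    """Return {package: [start timestamps of background RECORD_AUDIO ops]}."""
    starts = defaultdict(list)
    for line in text.splitlines():
        ts, pkg, op, state = line.split()
        if op == "RECORD_AUDIO" and state == "bg":
            starts[pkg].append(int(ts))
    return starts


def periodic_background_recorders(text, min_events=3, max_jitter=0.1):
    """Packages whose background mic captures recur at a near-constant
    interval; returns {package: cadence in minutes}."""
    flagged = {}
    for pkg, times in parse_log(text).items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low relative spread between gaps means a scheduled, not user-driven, capture.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[pkg] = round(avg / 60)
    return flagged


if __name__ == "__main__":
    print(periodic_background_recorders(SAMPLE_LOG))  # {'com.example.irecorder': 15}
```

The foreground voice-memo app is ignored because its captures are user-initiated and irregular; only the background app recording every 900 seconds is reported.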

An ongoing battle against scams

It remains unclear where the malicious code came from: whether it was inserted by the developer or by a third party is not known. The motive behind it also remains unclear.

Stefanko suggested that the malicious code is likely part of a broader espionage campaign. In such an instance, hackers selectively gather information on their chosen targets. These parties are sometimes acting on behalf of governments or driven by financial motivations.

He remarked that it is “unusual for a developer to upload a legitimate app, wait nearly a year, and then update it with malicious code.” Last year, Google disclosed that it had prevented over 1.4 million privacy-violating apps from reaching Google Play.
