Protect Your Privacy: Uninstall This App Caught Spying on Users

Important Alert: Delete This Popular Android App Spying On You!

According to a report by a cybersecurity firm, a popular Android screen recording app on Google’s app store was found spying on its users, stealing microphone recordings and other documents from their phones.

ESET’s research revealed that the Android app, known as “iRecorder — Screen Recorder,” introduced the malicious code through an app update almost a year after it was initially listed on Google Play. 

How Did The App Spy?

This code, identified by ESET as “AhRat,” allowed the app to secretly upload one minute of ambient audio from the device’s microphone every 15 minutes, as well as extract documents, web pages, and media files from the user’s phone.
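The upload cadence described above is the kind of regular pattern a defender can look for in per-app network logs. The Python below is an added example, not code from ESET's report or from this article; the log format, the app labels, and the thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: "<epoch seconds> <app label> <bytes uploaded>". Not real telemetry.
SAMPLE_LOG = """\
1000 recorder.example 481200
1450 browser.example 2100
1903 recorder.example 479800
2795 recorder.example 482900
2900 browser.example 88000
3702 recorder.example 480100
3760 browser.example 1200
4598 recorder.example 481700
"""

def parse(log):
    """Group upload events by app: {app: [(timestamp, bytes_out), ...]}."""
    events = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, app, size = line.split()
        events[app].append((int(ts), int(size)))
    return events

def periodic_uploaders(log, period=900, tolerance=0.05, min_events=4):
    """Return apps whose uploads recur every `period` seconds (15 min by default)."""
    flagged = {}
    for app, rows in parse(log).items():
        if len(rows) < min_events:
            continue  # too few events to call the pattern periodic
        times = sorted(t for t, _ in rows)
        gaps = [b - a for a, b in zip(times, times[1:])]
        mid = median(gaps)
        # Every gap must sit close to the median, and the median close to the period.
        steady = all(abs(g - mid) <= tolerance * period for g in gaps)
        if steady and abs(mid - period) <= tolerance * period:
            flagged[app] = {"median_gap_s": mid, "uploads": len(rows),
                            "bytes_out": sum(s for _, s in rows)}
    return flagged

if __name__ == "__main__":
    for app, info in periodic_uploaders(SAMPLE_LOG).items():
        print(app, info)
```

A flagged app is only a lead for review: legitimate sync and backup jobs also upload on a fixed schedule.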

The app has been removed from Google Play, and if you have installed it, it is recommended to delete it from your device. However, before its removal, the malicious app had garnered over 50,000 downloads.

AhRat, the malicious code identified by ESET, is a customized version of an open-source remote access trojan called AhMyth. 

[Image: iRecorder screen recorder. Image credit: Google Play Store]

Remote access trojans (RATs) exploit the extensive access they have to a victim’s device and often possess remote control capabilities, functioning similarly to spyware and stalkerware.

How Was This Trojan Discovered?

Lukas Stefanko, a security researcher at ESET who discovered the malware, explained in a blog post that the iRecorder app did not contain any malicious features upon its initial release in September 2021. 

However, after the malicious AhRat code was pushed as an app update to both existing and new users who downloaded the app from Google Play, it began surreptitiously accessing the user’s microphone and transmitting the phone’s data to a server controlled by the malware operator. 

Stefanko clarified that the audio recording was within the scope of the app’s pre-defined permissions model, given its intended purpose of capturing screen recordings, which naturally required access to the device’s microphone.

It remains unclear who added the malicious code, whether the developer or someone else, and what the motive was. UsaTechblog reached out to the developer’s email address listed before the app was taken down but has not received a response yet.

Stefanko suggests that the malicious code is likely part of a broader espionage campaign, where hackers gather information about specific targets, sometimes acting on behalf of governments or driven by financial motivations. 

He also noted that it is unusual for a developer to upload a legitimate app, wait nearly a year, and then update it with malicious code.

The presence of harmful apps in app stores is not uncommon, and this is not the first instance of AhMyth infiltrating Google Play. Both Google and Apple employ screening processes to detect malware before apps are made available for download and occasionally take proactive measures to remove apps that may pose risks to users. 

Google reported that it prevented over 1.4 million privacy-violating apps from appearing on Google Play last year.