After an update, an android app that had been installed in over 50,000 devices began to secretly record its users a year after being listed on Google Play. iRecorder Screen Recorder began as a screen recorder app, but a year after its release, it began recording a minute of audio every 15 minutes and sent it to the developer, according to a report by Essential Security against Evolving Threats (ESET) researcher, Lukas Stefanko.
The app was listed on Google Play in September 2021, and eleven months after that, the app was an espionage tool. These functions were implemented with the help of AhMyth, an open-source remote access Trojan (RAT).
“AhRat’s malicious behavior, which includes recording audio using the device’s microphone and stealing files with specific extensions, might indicate that it was part of an espionage campaign. However, we have yet to find any concrete evidence that would enable us to attribute this activity to a particular campaign or APT group,” Stefanko wrote in the report.
According to an article by Ars Technica, the app was removed from the Google Play Store, in addition, to all activity related to its publisher, the “Coffeeholic Dev”.One of the problems with the apps in Google Play Store is that Google does not send alerts when an app has changed their data-sharing-practices. Also, the company doesn’t notify users when it learns an app has been infected.
Does this mean that more apps could be infected with spyware? Well, hopefully Google’s filters and ESET researchers are enough to identify dangerous apps.