This Android screen recording app was found spying on thousands of users


What you need to know

  • A legitimate screen recording app on the Play Store turned out to be spyware after receiving a malicious update.
  • The iRecorder screen recording app was found recording audio and sending data to remote servers every 15 minutes.
  • A security researcher brought the app's malicious activity to Google's attention, resulting in the app's removal from the Play Store.

A screen recording app that appeared innocent during its first year on the Play Store has evolved into spyware, secretly recording users every 15 minutes and sending audio data to the developer's server.

This malicious activity was documented by ESET researcher Lukas Stefanko, who wrote in a blog post (via Ars Technica) that more than 50,000 people had downloaded the app, known as iRecorder – Screen Recorder. The app, which was designed to record a device's screen, was listed on the Play Store on September 19, 2021, and at first it worked like any other screen recorder.

However, after receiving an update in August 2022 (version 1.3.8), the app gained malicious features that made it a threat to users. The update appears to have introduced custom malicious code based on the open-source AhMyth Android RAT (remote access trojan); the customized variant was later named AhRat.

ESET immediately informed Google of its findings, and the iRecorder app has since been removed from Google Play. The trojanized app, on the other hand, continues to pose a serious threat to those who have it installed on their phones, as it grants access to files and allows audio recording without their knowledge.

According to ESET, the app extracts microphone recordings and steals files with specific extensions for saved web pages, images, audio, video, and documents. These files are then transmitted to a command-and-control server.

The security firm noted that this malicious activity has potential traces of an espionage campaign, though it added that it wasn't "able to attribute the app to any particular malicious group."

Fortunately, Google has put a number of measures in place since Android 11 to combat this kind of malicious activity. One such feature hibernates apps that have been inactive for several months, resetting their runtime permissions. In addition, Google's Android security updates now alert you to an app's irregular data-sharing practices, if any, through a monthly notification. Some of our favorite security apps are also equipped with features to stop malware attacks.

Jay Bonggolto
News Writer & Reviewer
