Popular Android app “iRecorder — Screen Recorder” was caught stealing users’ information months after being approved on the Play Store.
Cybersecurity firm ESET discovered that malicious code was introduced into iRecorder nearly a year after it was initially approved for listing in Google’s Play Store. During that time, the app was downloaded nearly 50,000 times.
According to TechCrunch, ESET says the app was uploading “a minute of ambient audio from the device’s microphone every 15 minutes, as well as exfiltrate documents, web pages and media files from the user’s phone.”
The malicious code was able to sneak past Google because audio recording is inherently part of a screen recording app. As a result, the update containing the malicious code didn’t immediately raise any red flags. Such an attack is incredibly rare, according to ESET’s Lukas Stefanko:
“It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code. The malicious code that was added to the clean version of iRecorder is based on the open-source AhMyth Android RAT (remote access trojan) and has been customized into what we named AhRat.”
TechCrunch says it’s still not clear who is responsible for the malware update. It’s possible the developer is responsible and was playing the long game to get the app approved and installed on as many devices as possible before turning it into malware. It’s also possible a malicious actor may have compromised the developer’s code base and uploaded the malicious version.
The incident underscores the growing challenges with monitoring the millions of apps that are available for mobile platforms and ensuring they are safe for users.
In the meantime, iRecorder has been removed from the Play Store, but all users who still have it installed should delete it immediately.