A cybersecurity company claims that after amassing tens of thousands of downloads on Google’s app store, a popular Android screen recording software started spying on its users, including by capturing microphone recordings and other data from the user’s phone.
ESET’s investigation revealed that the malicious code was included as part of an app update for the Android app “iRecorder — Screen Recorder,” which was released over a year after it was initially made available on Google Play. According to ESET, the code enabled the app to exfiltrate documents, web pages, and media files from the user’s phone as well as covertly upload one minute of background noise from the device’s microphone every 15 minutes.
Google Play app exposed: Millions at risk of surveillance
A cybersecurity company claims that after amassing tens of thousands of downloads on Google’s app store, a popular Android screen recording software started spying on its users, including by capturing microphone recordings and other data from the user’s phone.
ESET’s investigation revealed that the malicious code was included as part of an app update for the Android app “iRecorder — Screen Recorder,” which was released over a year after it was initially made available on Google Play. According to ESET, the code enabled the app to exfiltrate documents, web pages, and media files from the user’s phone as well as covertly upload one minute of background noise from the device’s microphone every 15 minutes.
The virus was found by Lukas Stefanko, an ESET security researcher, who said in a blog post that the iRecorder software did not have any dangerous components when it was initially released in September 2021.
Once current users (and new users who would download the app straight from Google Play) were exposed to the malicious AhRat code, the app started covertly monitoring the user’s microphone and transferring the user’s phone data to a server run by the malware’s creator.
Stefanko said that the audio recording “fit within the already defined app permissions model,” given that the program was created specifically to record screen recordings from the device and would request access to the microphone.
It’s unclear who or why harmful code was inserted, whether it was done by the developer or someone else. Before the app was removed, the developer’s email address was included on the listing.
Google blocked over 1.4 million privacy-violating applications from Google Play
According to Stefanko, the malicious code is probably a component of a larger espionage effort, in which hackers attempt to gather data on targets of their choice, sometimes for governmental or commercial purposes. According to him, it is “rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code.”
It’s not unusual for subpar applications to find their way into app stores, and AhMyth entering Google Play is nothing new either. Both Google and Apple check applications for malware before allowing users to download them, and they sometimes take aggressive action to remove programs when they potentially endanger consumers. Google claimed to have stopped more than 1.4 million privacy-invading applications from appearing on Google Play last year.
Are you into cybersecurity? Then you should check our article The Role of cybersecurity in compliance.
