This Android screen recording app was found spying on thousands of users

News
By published

The iRecorder app went rogue a year after it was released on the Play Store.

Android malware code
(Image credit: Jay Bonggolto / Android Central)

What you need to know

  • A legitimate screen recording app on the Play Store turned out to be spyware after receiving a malicious update.
  • The iRecorder screen recording app was found recording audio and sending data to remote servers every 15 minutes.
  • A security researcher brought the app's malicious activity to Google's attention, resulting in the app's removal from the Play Store.

A screen recording app that appeared innocent during its first year on the Play Store has evolved into spyware, secretly recording users every 15 minutes and sending audio data to the developer's server.

This malicious activity was documented by ESET researcher Lukas Stefanko, who wrote in a blog post (via Ars Technica) that more than 50,000 people had downloaded the app known as iRecorder – Screen Recorder. The app, which was designed to record a device's screen, was enlisted on the Play Store on September 19, 2021, and it worked normally like any other app.

However, after receiving an update in August 2022 (version 1.3.8), the app gained malicious features that made it a threat to users. It appeared that the update sneaked in some custom malicious code based on the open-source AhMyth Android RAT (remote access trojan), which was later named AhRat.

ESET immediately informed Google of its findings, and the iRecorder app has since been removed from Google Play. The trojanized app, on the other hand, continues to pose a serious threat to those who have it installed on their phones, as it grants access to files and allows audio recording without their knowledge.

According to ESET, the app extracts microphone recordings and steals files with specific extensions for saved web pages, images, audio, video, and documents. These files were then transmitted to a command and control server.

The security firm noted that this malicious activity has potential traces of an espionage campaign, though it added that it wasn't "able to attribute the app to any particular malicious group."

Fortunately, Google has already put in place a number of measures to combat these malicious actions since Android 11. This security feature hibernates apps that have been inactive for several months, resetting their runtime permissions. In addition, Google's Android security updates now alert you to an app's irregular data-sharing practices, if any, through a monthly notification. Some of our favorite security apps are also equipped with features to stop malware attacks.

Jay Bonggolto
Jay Bonggolto
News Writer & Reviewer

Jay Bonggolto always keeps a nose for news. He has been writing about consumer tech and apps for as long as he can remember, and he has used a variety of Android phones since falling in love with Jelly Bean. Send him a direct message via Twitter or LinkedIn.

Read more
Google Play Store homepage
Google confirms mass app deletion on Play Store after ad fraud
Top Charts in the Play Store on the Galaxy S25 Ultra
Google Play Store will get more tools to protect users from scammy apps
Android statues
Ask Jerry: What can I do about dishonest app developers?
Google Play Store on OnePlus 9
The Google Play Store is reportedly crashing for Android users across devices
Pixel 4a
Google Pixel 4a's surprise update was actually to prevent battery overheating
Pixel 9 Home screen
Play Store update 'bugs' several Android users with recurring notifications
Latest in Apps & Software
YouTube Premium homepage on Android
YouTube's notification test impacts channels you rarely interact with
Google Pixel 8a
Google tipped to bring text-based actions in AI Overviews for Circle to Search
A Qualcomm Snapdragon 8 Elite placard at a press event
Qualcomm's 'Elite' branding should stay exclusive to Oryon-based chips
The promotional image for Google Workspace feature drops.
The March Workspace feature drop upgrades Gemini's note-taking and translation tools
Google discusses trends and AI updates to help people travel this summer.
Google prepares you for a hot summer with new AI updates for traveling
YouTube Music home screen
YouTube Music's personalized radio stations are getting even smarter
Latest in News
The Light Phone III in lifestyle photos.
The Light Phone 3 is here with miniature features, massive $799 price tag
YouTube Premium homepage on Android
YouTube's notification test impacts channels you rarely interact with
Google Pixel 8a
Google tipped to bring text-based actions in AI Overviews for Circle to Search
Pixel Watch 3 run coaching suggestion in the Fitbit app on a Pixel 9
Fitbit's Health Metrics are getting a redesign on Android and iOS
The Galaxy S24 Plus in hand with a light behind it
Samsung's sixth One UI 7 beta for the Galaxy S24 rolls out as launch nears
The promotional image for Google Workspace feature drops.
The March Workspace feature drop upgrades Gemini's note-taking and translation tools
More about apps software
YouTube Premium homepage on Android

YouTube's notification test impacts channels you rarely interact with
Google Pixel 8a

Google tipped to bring text-based actions in AI Overviews for Circle to Search
The Light Phone III in lifestyle photos.

The Light Phone 3 is here with miniature features, massive $799 price tag
See more latest