An Android recording app called iRecorder Screen Recorder started out as an innocent screen recording app, but it turned evil almost a year after its release. as detailed by Ars Technica. The app first came out in September 2021, but after an update the following August, it began recording a minute of audio every 15 minutes and forwarding those recordings, via an encrypted link, to the developer’s server. Everything is documented in a blog post by Essential Security Against Evolving Threats (ESET) researcher Lukas Stefanko.
In the post, Stefanko said the app was updated in August 2022 to include malicious code “based on the open source AhMyth Android RAT (Remote Access Trojan).” The app had 50,000 downloads when it was reported and removed from the Play Store. Stefanko added that apps with AhMyth embedded in them had passed Google filters before.
Rogue apps are not new to the Apple or Google app stores. Recording apps can be especially bad, as they sometimes have predatory subscription prices and fake reviews to inflate your visibility on those platforms. And Stefanko’s blog post highlights a particularly tricky problem: Apps turn to the dark side after you’ve had them for a while, using the permissions you gave them in the first place to collect sensitive information from your device and send it to the developer for nefarious activities.
This particular app is gone, but what’s stopping another sleeper agent from activating on your phone? Google is at least working on updates that will tell you via monthly notifications which apps have changed their data-sharing practices and when, if you find out, that is.
