An Android app was secretly recording audio from its users, and it took Google a year to discover it

It took Google almost a year to expose this app, which used malicious code to use the microphone of Android phones to record audio without consent and send it to its servers. His name is iRecorder – Screen Recorderand the said vulnerability was discovered by ESET during an investigation led by Lukas Stefanko.

iRecorder – Screen Recorder it wasn’t always a Trojan horse. In fact, for almost a year after its launch in September 2021, it worked for exactly what it was talking about: record the screen of Android phones. However, in an update eleven months later, Stefanko discovers the first injection of malicious code. Since then, it has been recording one minute of audio every 15 minutes and sending it to the attackers’ servers.

It’s not the first time iRecorder – Screen Recorder becomes the target of investigators. The first report of malicious code dates back to October 2022, when security analyst Igor Golovin discovered the presence of the Trojan. Ahmit inside the application. Since then, they have managed to avoid detection by Google and the Play Store, and they even released a final update in February of this year.

Stefanko believes this is the perfect demonstration of how a perfectly legitimate application can turn into a malicious entity. Apparently, the time spent on the market does not matter. Any developer can create a good user base with an installed app to use later. Of course, after obtaining permits that will allow him to carry out his terrible plan.

Tens of thousands of Android users may have been victims of this app

ESET research confirms that iRecorder can record the sound surrounding the device and upload it to attackers’ servers every 15 minutes, but this is not the only thing. In addition, it is capable of downloading files with various extensions directly from your mobile phone. From saved web pages to images and even videos and various documents.

How did they get such a multifaceted malicious entity? Well, according to research, the behavior of this code is based on AhMyth RAT (Remote Access Trojan) specially designed for Android. In addition, the developers managed to customize their own version malwarecalling it AhRAT.

That is why giving the application access to the microphone or files on the device is not recommended, many people know. That’s why Android’s screen recording software was the perfect cover to not draw attention. Thus, once installed, developers can deploy malicious code without requiring additional permissions.

Once installed, the malicious application behaved like a standard application without any special requests for additional permissions that could reveal its malicious intent.

Lucas Stefanko

To address this issue, at least in part, Google is working on an update that will notify users on a monthly basis about which apps have changed their data sharing practices and on what dates they started doing so. Of course, as long as they are able to detect it.

Fortunately, Google has already removed iRecorder – Screen Recorder from your android app store. However, at the time of this, the specified application had already accumulated more than 50,000 downloadstherefore, the magnitude of this breach of security has important implications.

People who have never installed an app on their Android device have nothing to worry about. However, those who still have it installed on their device are advised to remove it immediately.