This screen recorder app secretly records audio every 15 minutes

A screen recorder app with more than 50,000 downloads in Google Play went from a normal recorder app to a malicious one within a year. It turned out that the app secretly recorded nearby audio every 15 minutes and then sent those recordings to the app developer.

Secret recording every 15 minutes

A recorder app called iRecorder Screen Recorder started out as a harmless app, but turned malicious almost a year after its initial release. Ars Technica reports this. The app was first released in September 2021, but after an August update, it started recording a minute of audio every 15 minutes and forwarding those recordings to the developer’s server via an encrypted link. The whole story is documented in a blog post by Lukas Stefanko, a researcher at Essential Security against Evolving Threats (ESET).

In his lab, Stefanko repeatedly installed the app on phones, and each time the result was the same: the app received an instruction to record one minute of audio and send it to the attacker’s command-and-control server, also known in security circles as a C&C or C2. The app then received the same instruction every 15 minutes, for an indefinite period of time.
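The fixed 15-minute cadence described above is itself a detection signal. As an added example (not from ESET's report or the original article), this Python code flags packages whose background microphone use recurs at a near-constant interval; the log format, event names and package names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events, not real device telemetry.
# Assumed line format: "<ISO timestamp> <package> <event>".
SAMPLE_LOG = """\
2023-05-01T10:00:05 com.example.recorder mic_start_background
2023-05-01T10:02:00 com.example.voip mic_start_background
2023-05-01T10:07:00 com.example.recorder mic_start_foreground
2023-05-01T10:15:03 com.example.recorder mic_start_background
2023-05-01T10:30:05 com.example.recorder mic_start_background
2023-05-01T10:40:00 com.example.voip mic_start_background
2023-05-01T10:45:05 com.example.recorder mic_start_background
2023-05-01T11:00:06 com.example.recorder mic_start_background
2023-05-01T11:15:06 com.example.recorder mic_start_background
2023-05-01T11:55:00 com.example.voip mic_start_background
2023-05-01T12:01:00 com.example.voip mic_start_background
"""

def find_periodic_mic_use(log_text, min_events=4, tolerance_s=30):
    """Return {package: median interval in seconds} for packages whose
    background microphone starts recur on a near-fixed schedule."""
    starts = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "mic_start_background":
            continue  # skip malformed lines and user-visible (foreground) use
        try:
            starts[parts[1]].append(datetime.fromisoformat(parts[0]))
        except ValueError:
            continue  # skip lines with an unparseable timestamp
    flagged = {}
    for package, times in starts.items():
        if len(times) < min_events:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        typical = median(gaps)
        # Periodic means every gap stays within the tolerance of the median gap.
        if all(abs(gap - typical) <= tolerance_s for gap in gaps):
            flagged[package] = typical
    return flagged

if __name__ == "__main__":
    for package, interval in find_periodic_mic_use(SAMPLE_LOG).items():
        print(f"{package}: background mic start every ~{interval / 60:.0f} min")
```

On the constructed sample, only the package with evenly spaced background recordings is flagged; the irregular call app and the foreground recording are not.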


AhMyth

Stefanko said in his report that the app was updated in August 2022 with malicious code, “based on the open-source AhMyth Android RAT (remote access trojan)”. At the time of reporting and removal from the Play Store, the app already had 50,000 downloads. Stefanko added that apps with AhMyth hidden in them had also managed to get past Google’s filters before.

Unfortunately, scam apps targeting various sensitive user data are nothing new in either the Apple or Google app stores. Malicious screen recorders try to increase their visibility in Google Play with fake ratings in order to get more downloads. And Stefanko’s report highlights another particularly tricky problem: apps that end up on the dark side after you’ve had them on your phone for a while. Those apps then use previously granted permissions to collect sensitive information from your device and forward it to the developer for malicious activity.


Espionage purposes?

According to Stefanko, it is possible that iRecorder is part of an active espionage group, but so far he has not been able to find any evidence for this. “Unfortunately, we have no evidence that the app was sent to a specific group of people, and based on the app description and further investigation, it is not clear whether a specific group of people was targeted,” he wrote. “It seems very unusual, but we have no evidence to the contrary.”

This particular app has disappeared from the Play Store, but many people will still have it on their phone. It is therefore recommended to remove it. Fortunately, Google is working on monthly notifications that inform you about apps that have changed their data sharing. Unfortunately, these notifications are part of Android 14, a version of Android that is currently being tested.

Notification that appears when an app changes its data sharing policy
