It has been secretly recording users for months
Preventing malware from getting onto people’s phones has always been a difficult task. It seems like every time new security measures come in, it’s only a matter of time before malware starts getting past them. While the Play Store is always working to weed out malware, Google’s efforts couldn’t stop a screen recorder app from spying on its users after it received a malicious update almost a year after its initial release.
The app in question, iRecorder Screen Recorder, debuted on the Play Store in 2021 and gave users the ability to capture content on their screens. Just over a year after the app received an update, an ESET investigation revealed that the update had introduced malware that would secretly record audio and forward it to a remote server (via Ars Technica). The spying tool used code from AhMyth, a popular open-source Remote Access Trojan (RAT) that was previously used in other apps that were similarly hidden in the Play Store under Google’s nose.
Previous versions of the app didn’t include any form of malware, and it’s possible that the update that introduced it to the screen recorder went unnoticed. Perhaps the biggest trick it pulls is that the permissions the malware needs to do its mischief overlap with the permissions the app would already have been granted in order to perform its screen recording function.
The analysis here is a prime example of how a seemingly normal app can stealthily become malware after an update. The researchers hypothesized that the tactic could have been meant to build a user base before the malware was released, but they note that they have no evidence to prove any such thing.
With Android 14 on the horizon, Google is trying new ways to prevent malware from sneaking onto users’ phones. Early betas include new protections against apps that try to read people’s screens without consent. While these protections won’t necessarily stop malware like this, they’re still an important indication that Google takes app security seriously.