This Popular Android App Has Been Spying On Its Users, Stealing Their Photos

An Android application available on the Google Play store allegedly spied on its users, a recent study found.

The application, screen recording app iRecorder - Screen Recorder, was first uploaded to the Play store on Sept. 19, 2021, and was downloaded more than 50,000 times. The app had generally been functioning normally for months and had no detected harmful features.

However, in its August 2022 update, a code within the app was changed that allowed bad actors to make secret audio recordings and make unauthorized transfers of images, videos, saved web pages and other files from the device, according to research conducted by Lukas Stefanko, a malware researcher with cybersecurity firm ESET.

ESET called the malicious code "AhRat," which is a customized version of an open-source remote access trojan "AhMyth." The malware can take advantage of the victim's device's broad access, including remote control, and can also function as spyware or stalkerware.

"AhMyth RAT is a potent tool, capable of various malicious functions, including exfiltrating call logs, contacts and text messages, obtaining a list of files on the device, tracking the device location, sending SMS messages, recording audio and taking pictures," the study said.

Users who downloaded the app before the August 2022 update might have been exposed if their app was updated manually or automatically. It's still unclear if an outside actor or the developer is responsible for the malware.

"The app's specific malicious behavior - exfiltrating microphone recordings and stealing files with specific extensions - tends to suggest that it is part of an espionage campaign," Stefanko wrote.

"However, we were not able to attribute the app to any particular malicious group," he added.

Stefanko also said it was "rare for a developer to upload a legitimate app, wait almost a year, then update it with malicious code."

"The AhRat research serves as a good example of how an initially legitimate application can transform into a malicious one, even after many months, spying on its users and compromising their privacy," Stefanko noted in the study.

Although Stefanko speculated that AhRat's malicious behavior might indicate that it was part of an "espionage campaign," no concrete evidence is available to support such a claim.

TechCrunch reported that the app has already been removed from the Play Store but warned users who still have the app on their devices to immediately uninstall it and clear its files.