The legitimate app iRecorder Screen Recorder, which has been installed by over 50,000 users, secretly recorded audio on Android devices and sent it to the app’s developer. ESET researcher Lukas Stefanko reported the finding, according to Ars Technica.
The app appeared on Google Play in September 2021 as a harmless app that allowed users to record the screens of their devices. Eleven months later, the app was updated and new functionality appeared.
The new functionality included the ability to remotely turn on the device’s microphone and record audio, connect to a server controlled by attackers, and download audio and other sensitive files stored on the device.
The spying functions were implemented using code from AhMyth, an open-source remote access Trojan (RAT). After the RAT was added to iRecorder, users of the app received updates that allowed their phones to record audio and send it to a server specified by the developer over an encrypted channel. The code taken from AhMyth has been heavily modified over time.
In his tests, Stefanko installed the app on a device, and each time the app was instructed to record one minute of audio and send it to the attacker’s command-and-control server. From then on, the application would receive the same instruction every 15 minutes, indefinitely.
ESET does not rule out that iRecorder is part of an active espionage campaign, but cannot yet determine whether this is the case.
“Unfortunately, we don’t have any evidence that the app was pushed to a particular group of people, and from the app description and further research (possible app distribution vector), it isn’t clear if a specific group of people was targeted or not,” Stefanko wrote.
Malware embedded in applications available on Google's servers is nothing new. The company does not comment on cases of malware appearing on its platform, but thanks researchers for their discoveries. Google removes malware as soon as it becomes aware of it.