It had been secretly recording users for months.
Keeping malware off people’s phones is always a difficult task. Whenever we see new security measures introduced, it’s only a matter of time before malware begins to bypass them. The Play Store is always working to remove malicious software, but Google’s efforts failed to stop a screen recording app from spying on its users after it received a malware update a year after its release.
The app in question, iRecorder Screen Recorder, first appeared on the Play Store in 2021 and offered users the ability to record content on their screen. More than a year later, the app received an update which, according to ESET's investigation, introduced malware that secretly records audio and transmits it to a remote server (via Ars Technica). The spyware used code from AhMyth, a common open-source remote access trojan (RAT) that has previously been hidden on the Play Store, right under Google's nose, in other apps.
Earlier versions of the app didn't contain any malware, and the update that introduced the malware may have gone unnoticed. Perhaps the biggest trick it pulls is that the permissions the malware needs to do its nefarious business overlap with the permissions already granted to the app to perform its screen recording function.
The analysis here serves as a prime example of how a seemingly normal app can secretly become malware after an update. The researchers hypothesized that the tactic may have been intended to build a user base before the malware was released, but noted that there was no evidence to support this.
With Android 14 in progress, Google is trying new ways to prevent malware from getting onto users’ phones. The first betas include new protection against apps that try to read people’s screens without permission. Although this does not necessarily stop such malware, it is still an important indicator that Google takes application security seriously.