Google Removes Android Screen Recording App Found Spying on Users With Remote Access Trojan

Google recently removed a trojan-infected Android app, that was installed on over 50,000 devices, from the Play Store. According to the security firm that detected the trojan, the app was first uploaded by the developer in 2021 and then infected with malicious code a year later. The app was also capable of extracting and uploading users' files by detecting extensions for audio, video, and web pages. While the app has been removed from the Play Store, users who downloaded it will have to manually remove the app from their devices.

According to a report published by ESET researchers, the iRecorder app was uploaded to the Play Store for the first time in September 2019, without any malicious functionality. Nearly a year later, the app was infected with the open-source AhMyth Android RAT (remote access trojan) in a variant that the researchers dubbed AhRat. Users who updated the app, or downloaded it for the first time since August 2022 would have the infected app on their device.

The iRecorder app had over 50,000 downloads on the Google Play store
Photo Credit: Screenshot/ ESET

While the initial version of the app did not have any malicious functionality, ESET states that it was later updated with code that allowed it to engage in malicious behaviour, including recording ambient sound and audio by utilising the phone's mic. These recordings could then be uploaded to the attacker's command-and-control (C&C) server. The app was also capable of extracting files with specific extensions, such as video, audio, images, web pages, documents, and compressed files.

ESET's researchers explain that the AhMyth RAT is a very powerful tool that can exfiltrate text messages, call logs, and contacts on a user's phone while recording audio, capturing images, tracking the device's location, and generating a list of all the files on the smartphone. 

The app's behaviour suggests that the AhRat trojan could be used as part of an espionage campaign, according to the researchers, who were unable to attribute it to any advanced persistent threat (APT) group. Meanwhile, ESET says that the original open-source AhMyth RAT was previously used by cyberespionage group APT36 — commonly known as Transparent Tribe — to target government and military organisations in South Asia. 

After ESET flagged the malicious code in the iRecorder app to Google, the app was removed from the Google Play store. The app has already been downloaded 50,000 times, according to the listing at the time of its removal. Users who installed or updated the application after it was infected will have to manually uninstall it in order to remove the infected app from their smartphones.