Rogue screen recorder app found spying on Android users: How to safeguard yourself

A screen recorder app on Google Play Store went rogue almost a year after its launch. Here's what the app does and how you can protect yourself.


  • Google has removed iRecorder – Screen Recorder app from Play Store.
  • This app was downloaded 50,000 times before being removed.
  • This app was found to be spying on Android users.
minecraft android

Google, over the years, has strengthened its defenses and put in place strong guardrails for protecting its Android ecosystem from malware and other malicious apps and programs. Despite its best efforts, a harmful app often manages to slide past its defenses and get to the unsuspecting users. In another such incident, security researchers have found out that an Android app went rogue almost a year after its rollout via Google’s Play Store. Also Read - Ex-Google CEO says AI represents existential risk that could kill humans

According to security researchers at ESET (via The Verge), an Android app dubbed as the ‘iRecorder – Screen Recorder’ started collecting user data without their explicit permission almost a year after it was launched on the Play Store without hiding any malicious code. The researchers say that the app arrived on the Play Store on September 19, 2021. Almost a year later in August 2022, the developers of the app rolled out version 1.3.8 of the app, following which the malicious behaviour started. Also Read - YouTube Music may soon get a new Samples tab: Here's what it does

What does the app do?

The researchers says that apart from providing legitimate screen recording functionality, the malicious iRecorder app can record surrounding audio from a phone’s microphone and upload it to the attacker’s command and control (C&C) server. It can also upload files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files, from the device. Also Read - Google, European Union to create voluntary AI pact ahead of new regulations in Europe

“The app’s specific malicious behavior – exfiltrating microphone recordings and stealing files with specific extensions – tends to suggest that it is part of an espionage campaign. However, we were not able to attribute the app to any particular malicious group,” the researchers wrote in a blog post.

Image: ESET

But what about the malicious behaviour?

As mentioned before, the app didn’t contain any malicious code when it was launched. Almost a year after its roll out, the developers injected a malicious code in the app, which when things went wrong. The malicious code that was added to the app was based on the open-source AhMyth Android RAT (remote access trojan) that was customised into what the researchers termed as AhRat.

The original trojan, AhMyth RAT, is capable of exfiltrating call logs, contacts, and text messages, obtaining a list of files on the device, tracking the device location, sending SMS messages, recording audio, and taking pictures. By extension, AhRat also came with similar capabilities.

The researchers claim that all these permissions for an app would have raised suspicion. However, they are fit for any screen recording app. So, when the developers installed malicious code in the app, it required no extra permission.

“Upon installation of the malicious app, it behaved as a standard app without any special extra permission requests that might have revealed its malicious intentions,” the researchers added.

If all that wasn’t enough to scare you, there’s more. The researchers said that the AhRat trojan pings the C&C server every 15 minutes requesting a new configuration file. Simply put, the malicious app pings users’ personal information to the developers every 15 minutes.

Upon analysis, researchers found that the trojan was sending files representing web pages, images, audio, video, and document files, and file formats used for compressing multiple files, including — zip, rar, jpg, jpeg, jpe, jif, jfif, jfi, png, mp3, mp4, mkv, 3gp, m4v, mov, avi, gif, webp, tiff, tif, heif, heic, bmp, dib, svg, ai, eps, pdf, doc, docx, html, htm, odt, pdf, xls, xlsx, ods, ppt, pptx, and txt, to its developers — which is a lot of information.

What is Google doing about it?

ESET researchers flagged the app’s malicious behaviour to Google, following which it removed the app from the Play Store. However, by the time, the app had already been downloaded 50,000 times.

How can I protect myself?

If you haven’t downloaded this app, there is nothing to worry about. However, if you have downloaded this app, it is advisable that you uninstall and remove it from your smartphone now.

  • Published Date: May 25, 2023 5:56 PM IST
For the latest tech news across the world, latest PC and Mobile games, tips & tricks, top-notch gadget reviews of most exciting releases follow Techlusive India’s Facebook, Twitter, subscribe our YouTube Channel. Also follow us on  Facebook Messenger for latest updates.