The popular Android screen recording app "iRecorder - Screen Recorder" was found to contain malicious code that spied on its users, stealing microphone recordings and other data from their phones. The malicious code was delivered as an app update more than a year after the app launched on Google Play, according to cybersecurity company ESET.



With the malicious code in place, the app could quietly upload one minute of ambient audio from the device's microphone every 15 minutes, as well as retrieve documents, web pages, and media files from the user's phone. The app has since been removed from Google Play, but it had already been downloaded more than 50,000 times. The malware has been identified as AhRat, a modified variant of the remote access trojan AhMyth, which behaves much like spyware and stalkerware.

Malicious Code Detected

Lukas Stefanko, an ESET security researcher, discovered the malicious code in the iRecorder app. When the app was first released in September 2021, it had no malicious features. The AhRat code was later added in an app update distributed to current and new users, enabling the app to secretly access the user's microphone and transfer phone data to a server controlled by the malware's operator. Stefanko emphasized that the audio recording fit within the permissions the app already held, since the program needed microphone access to capture screen recordings.
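
Because the recording stayed inside permissions the app already had, a permission review would not have caught it; the behaviour itself (about a minute of audio at a fixed 15-minute interval while the app is not on screen) is what stands out. The sketch below is an example added here, not code from ESET or from the app: it flags packages whose background microphone sessions recur at a near-constant interval. The event format, package names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events: (package, start_epoch_s, duration_s, app_in_foreground).
# Package names and the event format are hypothetical, not from the ESET report.
SAMPLE_EVENTS = [
    ("com.example.screenrecorder", 400, 240, True),    # user-initiated screen recording
    ("com.example.screenrecorder", 0, 60, False),
    ("com.example.screenrecorder", 900, 60, False),
    ("com.example.screenrecorder", 1802, 61, False),
    ("com.example.screenrecorder", 2700, 59, False),
    ("com.example.screenrecorder", 3600, 60, False),
    ("com.example.voip", 100, 300, False),             # calls: irregular timing
    ("com.example.voip", 5000, 45, False),
    ("com.example.voip", 5600, 600, False),
    ("com.example.voip", 20000, 120, False),
    ("com.example.voicememo", 50, 30, True),           # foreground use only
]


def flag_periodic_background_mic(events, min_runs=4, jitter_s=90):
    """Return {package: (median_interval_s, median_duration_s)} for packages
    whose background microphone sessions recur at a near-constant interval."""
    by_pkg = defaultdict(list)
    for pkg, start, duration, foreground in events:
        if not foreground:                 # only sessions the user could not see
            by_pkg[pkg].append((start, duration))

    flagged = {}
    for pkg, runs in by_pkg.items():
        if len(runs) < min_runs:           # too few sessions to call it a schedule
            continue
        runs.sort()
        gaps = [b[0] - a[0] for a, b in zip(runs, runs[1:])]
        mid = median(gaps)
        # A timer-driven recorder shows almost identical gaps between sessions.
        if all(abs(g - mid) <= jitter_s for g in gaps):
            flagged[pkg] = (mid, median(d for _, d in runs))
    return flagged


if __name__ == "__main__":
    for pkg, (interval, duration) in flag_periodic_background_mic(SAMPLE_EVENTS).items():
        print(f"{pkg}: ~{duration}s of audio every ~{interval}s in the background")
```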

Motives and Espionage Campaign

The existence of malicious code in iRecorder indicates the presence of a larger espionage effort aimed at gathering information on particular targets. Such efforts might be carried out either by hackers acting on behalf of governments or by hackers motivated by financial gain. According to Stefanko, it is uncommon for a developer to publish a genuine program, wait a long time, and then update it with malicious code. The motivation for planting the code, as well as the identity of the attacker, are unknown at this time.

App Store Security Procedures

While harmful programs are not uncommon in app stores, both Google and Apple have screening mechanisms in place to identify malware-infected apps and prevent them from being offered for download. These safeguards are intended to protect users from possible hazards. Google, in particular, has taken aggressive steps to block nearly 1.4 million privacy-invading applications from being published on Google Play. However, incidents such as AhMyth making its way onto Google Play raise questions about the efficacy of these security mechanisms and show the need for constant attention to maintain user safety.


The presence of malware in the iRecorder - Screen Recorder app underscores the need for consumers to exercise caution when installing programs, even from respected sources such as Google Play. The inclusion of the AhRat code highlights the dangers of granting app permissions without fully understanding their effects. While Google and Apple take precautions to reduce such dangers, consumers must also remain vigilant and keep their devices up to date with the latest security updates. In an increasingly digital environment, being aware of possible security risks and practicing good cybersecurity habits can help protect personal information and privacy.
