An Android recording app called iRecorder Screen Recorder started out as an innocent screen recording app but turned evil nearly a year after it was first released, as detailed in Ars Technica. The app first appeared in September 2021, but after an update the following August, it began recording a minute of audio every 15 minutes and transmitting the recordings, via an encrypted link, to developer server. The whole thing is documented in a blog post from Essential Security against Evolving Threats (ESET) researcher Lukas Stefanko.
In the post, Stefanko said the app was updated in August 2022 to include malicious code “based on the open-source AhMyth Android RAT (remote access trojan).” The app had 50,000 downloads at the time it was reported and was removed from the Play store. Stefanko added that apps with AhMyth embedded in them have gone through Google’s filters before.
Scam apps are not new to the Apple or Google app stores. Recorder apps can be pretty nasty, sometimes with predatory subscription prices and fake reviews to boost their visibility on the platforms. And Stefanko’s blog post highlights a particularly sticky problem: apps turn to the dark side after you’ve had them for a while, using the permissions you initially gave them to collect sensitive information. from your device and send it to the developer for bad activities.
This particular app is no longer available, but what’s to stop another sleep agent from activating your phone? Google is at least working on updates that will tell you via monthly notification where, and when, apps change their data sharing practices — if known, that is.