Popular Android App Secretly Records and Sends Mic Recordings

A seemingly legitimate Android app available on Google Play, with over 50,000 downloads, has been discovered to engage in malicious activity.

IRecorder Malware

According to cybersecurity firm ESET, the app, named iRecorder Screen Recorder, secretly records audio every 15 minutes and transmits it to the app developer (via ArsTechnica).

Initially, iRecorder Screen Recorder served as a benign app that allowed users to capture screen recordings on their Android devices. However, after 11 months, an update transformed the app into a covert audio spyware.

The new functionality enabled the app to remotely activate the device microphone, record sound, connect to a server controlled by attackers, and upload sensitive audio files.

ESET researcher Lukas Stefanko conducted thorough testing by repeatedly installing the app on devices in a controlled environment.

Each time, the app followed the same pattern: it received instructions to record one minute of audio and transmit it to the attacker’s command-and-control server, also known as a C&C or C2. Subsequently, the app would receive the same instruction every 15 minutes indefinitely.

Ahrat file exfiltration

Stefanko emphasized the persistence of the app’s malicious behavior:

“During my analysis, AhRat was actively capable of exfiltrating data and recording microphone. It happened constantly in my case, since it was conditional to commands that were received in the config file.

Config was received every 15 minutes, and record duration was set to 1 minute. During analysis, my device always received commands to record and send mic audio to C2. It occurred 3-4 times, then I stopped the malware.”

According to Stefanko, the first version of iRecorder to include the malicious functionality was 1.3.8, which became available in August 2022.

While malware disguised within apps on Google Play is not uncommon, the extent of this app’s malicious activity sets it apart. Stefanko believes the iRecorder might be part of an ongoing espionage campaign.

The iRecorder app has now been removed from Google Play.