The Android app iRecorder Screen Recorder, with 50,000 downloads on Google Play, has been recording user conversations without permission since August 2022, according to research published Tuesday by ESET security specialist Lukas Stefanko. According to his investigations, this app surreptitiously recorded the user's audio every 15 minutes and sent it to the app's developer.
“The application's specific malicious behavior, which involves extracting microphone recordings and stealing files with specific extensions, potentially indicates its involvement in an espionage campaign,” Stefanko notes on his blog.
In addition, it has also been able to “filter files with extensions that represent saved web pages, images, audio, video, and document files, and file formats used to compress various files, from the device.”
iRecorder hasn't always had this malicious behavior. According to the researchers, initially, the application had no harmful functions. It came out on Google Play in September 2021, offering a screen recording feature.
However, in August 2022, the app was updated to add completely new, as well as malicious, functionality. This included the ability to remotely turn on the device's microphone and record sound, connect to an attacker-controlled server, and upload audio and other sensitive files that were stored on the device.
That change has not ceased to surprise researchers: "What is quite rare is that the application received an update with malicious code several months after its launch."