Delete this app from your phone

ESET discovered that « Irecorder – Screen Recorder », which was launched in September 2021 without harmful features, introduced a malicious code named Ahrat in an update almost a year later.

Ahrat is a modified version of the open source code Remote Access Trojan (Rat) called Ahmyth, which provides full access to the victim’s device and acts as spyware and stalkerware. It writes the media Techcrunch.

According to ESET, this code could allow the app to upload a minute’s surrounding sound from the phone’s microphone every 15 minutes as well as transfer documents, web pages and media material from the user’s phone.

« As the app is in nature designed to record screen recordings, the audio recording fit within the app’s already defined permission model, » explained Lukas Stefanko, security researcher at ESET.

The app is no longer available in Google Play, but if you have already installed it, you are encouraged to delete it from your device. At the time the harmful app was removed from the app store, it already had over 50,000 downloads.

According to Stefanko, the harmful code is probably part of a larger espionage campaign where hackers collect information about selected goals, sometimes on behalf of governments or for financial reasons. He noticed that it is rare to see a developer upload a legitimate app, wait almost a year, and then update it with harmful code.

Despite the efforts of both Google and Apple to screen apps for malware before being listed for download, harmful apps can sometimes sneak in. Google has previously prevented over 1.4 million privacy -violating apps from reaching Google Play. Who planted the harmful code in the Irecorder app and the reason for this is not yet known.