From Innocence to Deception: Once Safe Android App Unleashes Malware in Stealthy Update

A Google Play Store application underwent a transformation into spyware almost a year after its release.

Initially published in September 2021, the app, called iRecorder — Screen Recorder, was considered safe. However, in August, it received a malicious update, version 1.3.8, according to research by antivirus provider ESET.

“It is rare for a developer to upload a legitimate app, wait almost a year, and then update it with malicious code,” wrote ESET researcher Lukas Stefanko.

The app’s original purpose was to help users record and edit screen captures on Android devices. However, the malicious update, which ESET calls “AhRat,” introduced the ability to steal files and secretly record audio.

“These functionalities appeared to fit within the already defined app permissions model, which grants access to files on the device and permits recording of audio,” Stefanko said. “Notably, the malicious app provided video-recording functionality, so it was expected to ask for permission to record audio and store it on the device.”

The malicious update did not trigger any special permission requests on Android phones since users had already granted permissions for the app’s existing screen-recording capabilities.

“During our analysis, AhRat received commands to exfiltrate files with extensions representing web pages, images, audio, video, and document files, and file formats used for compressing multiple files,” ESET added. 

The motive behind the app’s secret trojanization remains unclear. It could be that the app came from a legitimate developer whose account was hijacked by a hacker. It’s also possible that the developer intended to deliver the malicious update discreetly. However, ESET has not found evidence supporting either theory.

iRecorder — Screen Recorder gained over 50,000 installs on Google Play. Fortunately, Google has a safeguard in Android 11 and newer versions. It can put an app into a hibernation state if the user hasn’t interacted with it for a few months, effectively shutting down its functionalities.

Additionally, Google removed the app after ESET reported the findings. The developer page for the app, CoffeeHolic Dev, also seems to have been taken down. However, the iRecorder — Screen Recorder app is still available on third-party app stores.