This legit Android app turned into mic-snooping malware – and Google missed it

Google Play has been caught with its cybersecurity pants down yet again after a once-legit Android screen-and-audio recorder app was updated to include malicious code that listened in on device microphones.

Potentially tens of thousands of people downloaded the software before ESET researchers found the hidden malware and alerted Google, which pulled the app from its online store.

The application in question, iRecorder – Screen Recorder, was first published in 2021. It spent nearly a year in Google Play without a hint of nefarious behavior before an August 2022 update, we're told, added a secret remote-control backdoor.

The backdoor code was based on AhMyth, a piece of GitHub-hosted "not for malicious use" spyware that's been found in Play Store apps before.

The implementation of AhMyth in the updated Android app has been dubbed AhRat by ESET. We're told the software nasty recorded snippets of audio from an infected device's microphone. AhRat can also be instructed to exfiltrate files "with extensions representing web pages, images, audio, video, and document files, and file formats used for compressing multiple files," said ESET's Lukas Stefanko, who authored a 2019 report of two previous instances of AhMyth found in the Play store.

AhRat lacks many of the features of its parent malware, which Stefanko said indicates that it may be a lightweight variant designed to better hide itself inside a legitimate application. "These functionalities appeared to fit within the already defined app permissions model, which grants access to files on the device and permits recording of audio," Stefanko explained. 

"Upon installation of the malicious app, it behaved as a standard app without any special extra permission requests that might have revealed its malicious intentions," Stefanko added. 

• Millions of mobile phones come pre-infected with malware, say researchers
• iPhones hook up with Windows as Microsoft's Phone Link dials up Apple's iOS
• Upstart encryption app walks back privacy claims, pulls from stores after probe
• Spyware slinger QuaDream's reported demise may be the canary in the coal mine

ESET said it hasn't spotted AhMyth anywhere else in the wild, and that the app and all other items made by its mysterious developer were removed from the Google Play Store once reported. It's not clear precisely how long the malicious version of the recording app was available on Google Play nor how many people exactly were hit by it; ESET only said that the software had surpassed 50,000 downloads in Google's souk. 

Stefanko noted in the report that the recording app remains available on some alternative and unofficial Android app markets, and that the developer has published several other Android tools, none of which contain malicious code.

"It is possible that the app developer had intended to build up a user base before compromising their Android devices through an update or that a malicious actor introduced this change in the app; so far, we have no evidence for either of these hypotheses,' Stefanko noted. 

More like Google Play Infect

We've been down this malware-laden road with Google Play many times before, but this one is particularly egregious given the fact the malware that slipped through the cracks has (or its parent code has, at least) been found on Google Play already. By extension, one would think AhMyth indicators would be included in Google's scanning systems.

The on-device picture isn't much better for Google security.

In 2017, Google's Play Protect on-device anti malware platform scored dead last in tests of its ability to detect malware compared to third-party Android malware detection platforms. It's been a while since then, and Play Protect has climbed a few spots in more recent versions of the report that placed it there. It's still nowhere near the head of the pack, though, so ensure your Android device has multiple layers of protection. Or perhaps just avoid apps from unknown developers.

We reached out to Google to ask how it managed to miss the malicious update for nearly a year, and haven't heard back yet. ®