This legit Android app turned into mic-snooping malware – and Google missed it

File-stealing nasty in my Play store? Preposterous!!1

Google Play has been caught with its cybersecurity pants down yet again after a once-legit Android screen-and-audio recorder app was updated to include malicious code that listened in on device microphones.

Potentially tens of thousands of people downloaded the software before ESET researchers found the hidden malware and alerted Google, which pulled the app from its online store.

The application in question, iRecorder – Screen Recorder, was first published in 2021. It spent nearly a year in Google Play without a hint of nefarious behavior before an August 2022 update, we're told, added a secret remote-control backdoor.

The backdoor code was based on AhMyth, a piece of GitHub-hosted "not for malicious use" spyware that's been found in Play Store apps before.

The implementation of AhMyth in the updated Android app has been dubbed AhRat by ESET. We're told the software nasty recorded snippets of audio from an infected device's microphone. AhRat can also be instructed to exfiltrate files "with extensions representing web pages, images, audio, video, and document files, and file formats used for compressing multiple files," said ESET's Lukas Stefanko, who authored a 2019 report of two previous instances of AhMyth found in the Play store.

AhRat lacks many of the features of its parent malware, which Stefanko said indicates that it may be a lightweight variant designed to better hide itself inside a legitimate application. "These functionalities appeared to fit within the already defined app permissions model, which grants access to files on the device and permits recording of audio," Stefanko explained. 

"Upon installation of the malicious app, it behaved as a standard app without any special extra permission requests that might have revealed its malicious intentions," Stefanko added. 

ESET said it hasn't spotted AhMyth anywhere else in the wild, and that the app and all other items made by its mysterious developer were removed from the Google Play Store once reported. It's not clear precisely how long the malicious version of the recording app was available on Google Play nor how many people exactly were hit by it; ESET only said that the software had surpassed 50,000 downloads in Google's souk. 

Stefanko noted in the report that the recording app remains available on some alternative and unofficial Android app markets, and that the developer has published several other Android tools, none of which contain malicious code.

"It is possible that the app developer had intended to build up a user base before compromising their Android devices through an update or that a malicious actor introduced this change in the app; so far, we have no evidence for either of these hypotheses,' Stefanko noted. 

More like Google Play Infect

We've been down this malware-laden road with Google Play many times before, but this one is particularly egregious given the fact the malware that slipped through the cracks has (or its parent code has, at least) been found on Google Play already. By extension, one would think AhMyth indicators would be included in Google's scanning systems.

The on-device picture isn't much better for Google security.

In 2017, Google's Play Protect on-device anti malware platform scored dead last in tests of its ability to detect malware compared to third-party Android malware detection platforms. It's been a while since then, and Play Protect has climbed a few spots in more recent versions of the report that placed it there. It's still nowhere near the head of the pack, though, so ensure your Android device has multiple layers of protection. Or perhaps just avoid apps from unknown developers.

We reached out to Google to ask how it managed to miss the malicious update for nearly a year, and haven't heard back yet. ®

Send us news

T-Mobile US exposes some customer data – but don't call it a breach

PLUS: Trojan hidden in PoC; cyber insurance surge; pig butchering's new cuts; and the week's critical vulns

Google rebrands 'android' as 'Android' to remove any doubt about its affiliations

'Bugdroid' goes a bit 'Village People' to become 'as dynamic as Android itself'

Microsoft's Surface Duo phone hangs up, drops out of support

Remember Microsoft's first attempt at an Android foldable? Of course you don't

US Department of Justice claims Google bought its way to web search dominance

We're just better, says Big G

Google settles another Play Store antitrust case

Perhaps the Chocolate Factory didn't feel like staring down 36 state AGs with two other competition cases pending

Meatbag mishaps more menacing than malware? CISOs think so

Company boards, on the other hand, aren't letting cybersecurity disturb their sleep as much

Malware loader lowdown: The big 3 responsible for 80% of attacks so far this year

Top of the list to trip sensors

Maker of Chrome extension with 300,000+ users tells of constant pressure to sell out

Anyone with sizable audience in this surveillance economy is invited to stuff their add-ons with tracking and ads

Undiplomatic Chinese threat actor attacks embassies and foreign affairs departments

Sneaky HTML smuggling signals MustangPanda shift towards Europe, Checkpoint charges

Ex-FBI employee jailed for taking classified material home

Also: a PII harvest at Dole's server farm, military members mailed mystery smartwatches, and this week's critical vulns

To kill BlackLotus malware, patching is a good start, but...

...that alone 'could provide a false sense of security,' NSA warns in this handy free guide for orgs

At last, Microsoft lets Windows 11 share files with Android apps

Android and Microsoft sitting in a tree K-I-S-S-I-N-G! But not too much