The Rapid Transformation of Android Malware from Helpful App to Spyware in Just One Year

Android Malware: From Useful Tool to Spyware in a Year

IT security researchers at Eset have discovered a trojanized app with over 50,000 installations. The app in question, iRecorder – Screen Recorder, initially contained no malicious functions before it was discontinued on the Google Play Store in September 2021. However, in August 2022, Eset’s analysis revealed that the app had been equipped with malicious code, including the ability to record conversations through the microphone and to steal files with particular extensions, which points to a spying campaign.

While Google has since removed the app from Google Play, it may still be available in other app stores and .apk download archives, posing a significant risk to Android users. Before it became spyware, iRecorder did offer its advertised core functions, such as recording audio and video. From August 2022, however, the programmers added malicious functions that allowed them to extract saved web pages, images, audio and video files, documents, and compressed archives and upload them to a command-and-control (C&C) server.

Eset was unable to identify which cybercriminal organization was behind the malware. The app is called iRecorder – Screen Recorder and comes from the developer Coffeeholic Dev. Reviews were very positive: the app had a 4.2-star rating and more than 50,000 downloads as of March. The retrofitted malicious functions came from the open-source remote access toolkit (RAT) AhMyth.

The programmers took only those AhMyth RAT functions that matched the permissions the app had requested anyway, such as recording sound and accessing photos, media, and files on the device. As a result, recording conversations through the microphone appeared to be legitimate use of an already-granted permission. The malicious code contacted the C&C server every 15 minutes to download a new configuration file containing commands and configuration information.
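The fixed 15-minute check-in described above is the kind of regularity a defender can look for in network logs. The following script is an added example, not part of Eset's research or the original article: it takes a constructed log of outbound connections (format "epoch device destination", an assumption for this example; the destination names are placeholders, since the article does not name the C&C server) and reports device/destination pairs whose consecutive connections are spaced at a given period within a tolerance.

```bash
#!/bin/sh
# Added example: flag device/destination pairs that beacon at a fixed period.
# Log format (assumed for this example): "<epoch seconds> <device> <destination>".

# Constructed sample log, not real traffic. phone-a connects every 900 s (15 min);
# phone-b connects at irregular intervals. Destination names are placeholders.
BEACON_LOG="1661000000 phone-a c2.example.invalid
1661000900 phone-a c2.example.invalid
1661001800 phone-a c2.example.invalid
1661002700 phone-a c2.example.invalid
1661000100 phone-b cdn.example.invalid
1661000130 phone-b cdn.example.invalid
1661004000 phone-b cdn.example.invalid"

# find_periodic LOG PERIOD TOLERANCE
# Prints "<device> <destination>" for every pair with at least three
# consecutive intervals within PERIOD +/- TOLERANCE seconds.
find_periodic() {
    printf '%s\n' "$1" | sort -k2,2 -k3,3 -k1,1n | awk -v period="$2" -v tol="$3" '
    {
        key = $2 " " $3
        if (key in last) {
            d = $1 - last[key]
            if (d >= period - tol && d <= period + tol) hits[key]++
        }
        last[key] = $1
    }
    END { for (k in hits) if (hits[k] >= 3) print k }'
}

# Stand-alone run: look for 15-minute beacons with a 60-second tolerance.
find_periodic "$BEACON_LOG" 900 60
```

Run on a real export, the log would come from a proxy, firewall or NetFlow collector; the three-interval threshold keeps a single coincidental pair of connections from raising an alert, and the tolerance absorbs jitter from network delay and device sleep.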

Although the app has been removed from Google Play, users who installed it from other sources are advised to check whether the malware is present on their device, specifically a package named com.tsoft.app.iscreenrecorder. Any unauthorized or suspicious apps should be deleted to protect against future threats. The discovery of iRecorder has raised concerns over the increasing number of malware infections in the Google Play Store, suggesting that users must be more vigilant when downloading apps to their devices.
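One way to carry out the check above on an Android device with USB debugging enabled is to search the output of `pm list packages` for the package name given in the article. The script below is an added example, not from Eset or the article: it parses a package listing in the format that `adb shell pm list packages` prints (lines of the form `package:<name>`) and reports whether the iRecorder package is present. The embedded listings are constructed so the script also runs without a device.

```bash
#!/bin/sh
# Added example: check a `pm list packages` listing for the iRecorder package.
IOC_PACKAGE="com.tsoft.app.iscreenrecorder"   # package name given in the article

# find_package LISTING NAME
# Returns 0 if NAME appears as an installed package in LISTING, 1 otherwise.
# LISTING is text in `pm list packages` format: one "package:<name>" per line.
find_package() {
    printf '%s\n' "$1" | sed -n 's/^package://p' | grep -Fxq "$2"
}

# Constructed sample listings, not taken from a real device.
SAMPLE_CLEAN="package:com.android.settings
package:com.google.android.gms"
SAMPLE_INFECTED="$SAMPLE_CLEAN
package:com.tsoft.app.iscreenrecorder"

# report LISTING: print a verdict and return 0 if the package was found.
report() {
    if find_package "$1" "$IOC_PACKAGE"; then
        echo "FOUND $IOC_PACKAGE - remove it with: adb shell pm uninstall --user 0 $IOC_PACKAGE"
        return 0
    fi
    echo "not found: $IOC_PACKAGE"
    return 1
}

# With --device, read the listing from a connected phone; otherwise use the sample.
if [ "${1:-}" = "--device" ]; then
    report "$(adb shell pm list packages)"
else
    report "$SAMPLE_INFECTED"
fi
```

The exact-match `grep -Fx` avoids false positives from unrelated packages that merely share a prefix; on a device, `adb shell pm list packages -f` would additionally show the APK path, which is useful when preserving the sample before removal.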
