The Android app iRecorder Screen Recorder, which started as an innocent screen recording app, reportedly began recording one minute of audio every 15 minutes and transmitting these recordings via an encrypted link to the developer’s server.
The app was initially released in September 2021, but it was about a year later that it began recording without users’ awareness. The entire incident is documented in a blog post by Lukas Stefanko, a researcher from Essential Security against Evolving Threats.
In the blog post, Stefanko reveals that the app was updated in August 2022 with malicious code “based on the open-source AhMyth Android RAT (remote access trojan).” At the time of its reporting and removal from the Play Store, the app had garnered 50,000 downloads. Apps embedded with AhMyth were also said to have bypassed Google’s filters in the past.