The security researcher Lukas Stefanko from ESET has revealed a very particular case of Google Play malware: a screen recording application that a year later began to spy on its users. Recorded the audio from the mobile microphone every 15 minutes and sent them to his servants.
The application achieved just over 50,000 downloads and the curious thing is that for almost a year he behaved legitimately, without malware, until you received the update that included the malicious code inside. The application, called iRecorder, is no longer on Google Play, although its APK continues to be distributed on various third-party application pages.
From recording the screen to spying on users
It is common for malicious applications to initially hide their intentions in order to evade detection by Google’s automated systems and potential manual analysis of new applications, which are always more susceptible to malware than updates. What is not so common is that the trojan takes so long to deploy: almost a year.
That’s just what happened with iRecorder, a screen recording app for Android from the developer Coffeeholic Dev. The app was launched in September 2021, but it would not be until August 2022 when the update to version 1.3.8 officially made it a trojan. Later, the app continued to be updated, its last version available, before it disappeared from the store, being version 2.0.
As a Trojan, iRecorder recorded microphone audio every 15 minutes and sent it to its servers, taking advantage of the fact that, due to its screen recording functionality, it would have permission to access the microphone beforehand. The included malware was based on AhMyth’s open source remote access code, available on Github.
Since Android 11, the operating system can Automatically revoke app permissions that you don’t use often, which should prevent the app from spying on people who haven’t opened it recently, but it’s hardly a solution for apps that have a reason to use sensitive permissions and then abuse them. them to use for other purposes.

Automatic revocation of permissions from Android 11 onwards
It is somewhat strange that a malware application opts for this type of espionage indiscriminately, so it is suspected that it was being used to spy on a specific group of people, although no evidence has been found of who or confirmation that this is the case. Of all the possible functionalities of the Trojan on which it is based, such as spying on location, files or SMS, only audio recording was initially implemented.
The good news is that the app is no longer available on Google Play, although it leaves a bitter taste in our mouths that it achieved several tens of thousands of downloads, was available on Google Play for months with malware inside it, and shows us that any application that is reliable today could not be tomorrowbypassing Google’s detection systems.
Image | GraphicMama-team in Pixabay
Via | The Verge
In Xataka Android | Android Auto Coolwalk can also be a nightmare: here’s what you can do to remove it