(NEXSTAR) – A screen recording app available in the Google Play store that was installed over 50,000 times functioned normally for months before it started spying on users, researchers say.
The app, iRecorder – Screen Recorder, was first uploaded to the Google Play store on September 19, 2021, according to Lukas Stefanko, a malware researcher with cybersecurity firm ESET.
Stefanko said that the app had no harmful features until a later update changed the code, likely in August 2022. After that date, malicious code allowed bad actors to make secret audio recordings and secretly transfer images, videos, saved web pages, and other files off of devices, according to ESET.
Anyone who had downloaded the app before August 2022 might still have been exposed if they updated the app manually or automatically. It’s not yet clear if the developer or another actor is responsible for the update that converted the app into a Trojan horse.
“The app’s specific malicious behavior – exfiltrating microphone recordings and stealing files with specific extensions – tends to suggest that it is part of an espionage campaign,” Stefanko wrote. “However, we were not able to attribute the app to any particular malicious group.”
While it’s not unheard of for an app to have harmful features, Stefanko wrote that it is rare for an app to function legitimately for months before targeting the private data of Android owners.
A Google spokesperson gave the following statement to Nexstar:
“When we find apps that violate our policies, we take appropriate action. Devices running Android 11 and above have protections that limit app access to device location, camera, or microphone. Google Play Protect also protects users from apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources.”