Imagine loading an app on your Android phone from the Google Play Store that started out as a legitimate app but was soon able to remotely turn on your phone’s microphone, record sound, connect to a remote server, upload the audio files it collected, and more. According to Lukas Stefanko, a researcher with cybersecurity firm ESET (via Ars Technica), this is the true story of an app named iRecorder Screen Recorder, which garnered over 50,000 installs from the Play Store.
The app debuted in the Google Play Store in September 2021, and when version 1.3.8 was released in August 2022, it added some malicious features. Keep in mind that these features weren’t added to the app for nearly a year after iRecorder initially appeared in the Play Store. The update allowed the app to remotely turn on the microphone of the Android phone that had the app installed, record audio, connect to a server linked to the attacker, and upload the audio files and other sensitive files that were being kept on the phone.
When researcher Stefanko installed the app, it would receive an instruction to record audio for one minute and send it to the attacker’s command-and-control (C&C) server. The app received these instructions every 15 minutes. Stefanko said that it is possible that the malicious actions of the updated iRecorder app are part of an active espionage campaign, but he isn’t sure if that is the case.
Nearly a year after debuting in the Play Store, an update had this app recording your conversations and sending them to a remote server
Stefanko writes, “Unfortunately, we don’t have any evidence that the app was pushed to a particular group of people, and from the app description and further research (possible app distribution vector), it isn’t clear if a specific group of people was targeted or not. It seems very unusual, but we don’t have evidence to say otherwise.”
The developer linked to the app in the Google Play Store is “Coffeeholic Dev,” and Google not only removed iRecorder Screen Recorder from the Play Store, but it also removed other Google Play Store apps created by the developer.
Remember that Google removing an app from the Play Store doesn’t mean the app has been removed from your phone if you installed iRecorder or any other app created by Coffeeholic Dev before they were pulled. If you find iRecorder or any app created by Coffeeholic Dev on your phone, make sure to uninstall it from your handset immediately.